349da7fa08f06b6110d7186d8a785007ab4a912eb5131328da03520c4cf575cd

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3988aa410afa6a937ffb2aeebbe1632.exe
Size

5.8MB
MD5

c3988aa410afa6a937ffb2aeebbe1632
SHA1

20a8f1174e0e490e9d608c6f2df14cd7870c0584
SHA256

349da7fa08f06b6110d7186d8a785007ab4a912eb5131328da03520c4cf575cd
SHA512

dec05be2ca051db3d8ae934651c32a107b6a75b64fb8e816e7a419621f1c48de3a40a4f0dd638466257c1a5435b455ff8d1b485ffd79a0b34c6cbfe3ba2a4a0c
SSDEEP

98304:wZr3u3dutXJF5L76b9IkJKaeZeGH7gakAa54KFupWNpsf3hs2nOs4Ma2h5gPUJ:wZ3u3wR5Sb9IkJK1Z7gXJ57upWcf3hsO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1856	irsetup.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	c3988aa410afa6a937ffb2aeebbe1632.exe
1856	irsetup.exe
1856	irsetup.exe
1856	irsetup.exe
1856	irsetup.exe
1856	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001227d-1.dat	upx
behavioral1/memory/1856-6-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral1/memory/1856-11-0x0000000000990000-0x0000000000AB7000-memory.dmp	upx
behavioral1/memory/1856-35-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\×ã²Ê´óÊ¦ TOTO Master Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1856	irsetup.exe
1856	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28
PID 2208 wrote to memory of 1856	2208	c3988aa410afa6a937ffb2aeebbe1632.exe	28

C:\Users\Admin\AppData\Local\Temp\c3988aa410afa6a937ffb2aeebbe1632.exe
"C:\Users\Admin\AppData\Local\Temp\c3988aa410afa6a937ffb2aeebbe1632.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\c3988aa410afa6a937ffb2aeebbe1632.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\Clipboard.lmd

Filesize
156KB

MD5
7990a6ba19f834c74b25749070c9d410

SHA1
0363d3dd9421976668b48783a4873719dd1318a8

SHA256
c2c5c931d5405edfb3e8253f853a99cfc91fb5aebf1b081c11f740652b5b8a71

SHA512
4361307ef033d17e1ee21cf23789b7addac7e02000dfaf1d3c8a5e26d874a51130a1c05a36a3c45f524d78f3b25380a9a89bb48bddf9600367f0a4877b0939dc

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\IRZip.lmd

Filesize
336KB

MD5
fbd5e13e297a81a2196286c5d1cfcda4

SHA1
405b9c3087a642c866b5a34c49e08082b80a9909

SHA256
206d058ba985cebe31f9389d2047eb4eb5b1802a37cdca4fce52a339ad436dfc

SHA512
869f2321cc5b98aae5e482b80f3bdff5b16fc4cfbd2b3d471e5c92e681a1a4060bb1d63e4299ddb3c41747fd06521b9fa94d3b8541a243c0c5998ab7d313cf0f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/1856-6-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1856-11-0x0000000000990000-0x0000000000AB7000-memory.dmp

Filesize
1.2MB

Download
memory/1856-12-0x0000000000990000-0x0000000000AB7000-memory.dmp

Filesize
1.2MB

Download
memory/1856-25-0x0000000002050000-0x00000000020B4000-memory.dmp

Filesize
400KB

Download
memory/1856-35-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1856-36-0x0000000000990000-0x0000000000AB7000-memory.dmp

Filesize
1.2MB

Download
memory/2208-5-0x0000000002320000-0x0000000002447000-memory.dmp

Filesize
1.2MB

Download