1bd7e4389963e3abed253ee9314e4039470a77ba863e35883770046d307a8f03

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcordx64.exe
Size

202.5MB
MD5

2495dc6c5aef5d0c31e2907e956a244f
SHA1

7c75bea4c0448ec937df522facf866a2e4619f96
SHA256

1bd7e4389963e3abed253ee9314e4039470a77ba863e35883770046d307a8f03
SHA512

07d5ce56797e33eea4bc8cca29fe5cda8c847770ea4396928dcdf081a0d6ef93fc0889c2c82773128e456f7857ecef71a3868a7c274b1b309bacac50b135a56c
SSDEEP

6291456:n9ug4T7Y8OFAWOJv+ju37gv3gnVaJZoFAjPB0s1Ok3KMw6iX:994T7YZsJWjjyeIAj9Ok6M8

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2080	dcordx64.exe
2080	dcordx64.exe
2080	dcordx64.exe
2080	dcordx64.exe
1712	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000001227d-3.dat	upx
behavioral1/memory/2080-6-0x0000000002BA0000-0x0000000002F88000-memory.dmp	upx
behavioral1/memory/1712-17-0x0000000000CA0000-0x0000000001088000-memory.dmp	upx
behavioral1/memory/1712-34-0x0000000000CA0000-0x0000000001088000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1712	irsetup.exe
1712	irsetup.exe
1712	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28
PID 2080 wrote to memory of 1712	2080	dcordx64.exe	28

C:\Users\Admin\AppData\Local\Temp\dcordx64.exe
"C:\Users\Admin\AppData\Local\Temp\dcordx64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:2079778 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\dcordx64.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-2610426812-2871295383-373749122-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
memory/1712-17-0x0000000000CA0000-0x0000000001088000-memory.dmp

Filesize
3.9MB

Download
memory/1712-34-0x0000000000CA0000-0x0000000001088000-memory.dmp

Filesize
3.9MB

Download
memory/2080-6-0x0000000002BA0000-0x0000000002F88000-memory.dmp

Filesize
3.9MB

Download