9ce9530a0de2061b4edaeeac366665867449b8755199002dfb75d88c1d119378

Analysis

max time kernel
1791s
max time network
1154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.0MB
MD5

e255ee9eccb6e2b9cc8d8084f0af4fac
SHA1

d3762bb2d3eed8b4744f80d13481d1053732fc5f
SHA256

9ce9530a0de2061b4edaeeac366665867449b8755199002dfb75d88c1d119378
SHA512

1c4af74e38243d63e65f7c31c0786a1a414cc3e477ae11590323fa535ae1b82acccf172c3cd52cf319253302691aefdaf497dad32b46e828506dfed197704c3e
SSDEEP

24576:esSzlEqF+hVcOD/pf5fz19poadAQiM+az/fimj:wl8eOFBmQvXJj

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

4092 irsetup.exe

pid	process
4092	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
behavioral2/memory/4092-4-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral2/memory/4092-14-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

irsetup.exe

description ioc process

File opened for modification C:\Windows\MSRX Setup Log.txt irsetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

4092 irsetup.exe
4092 irsetup.exe

description	ioc	process
File opened for modification	C:\Windows\MSRX Setup Log.txt	irsetup.exe

pid	process
4092	irsetup.exe
4092	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1552 wrote to memory of 4092	1552	setup.exe	irsetup.exe
PID 1552 wrote to memory of 4092	1552	setup.exe	irsetup.exe
PID 1552 wrote to memory of 4092	1552	setup.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
__IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/4092-4-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4092-14-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download