Analysis
max time kernel: 1791s
max time network: 1154s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 24-05-2024 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10v2004-20240426-en
General
Target: setup.exe
Size: 1.0MB
MD5: e255ee9eccb6e2b9cc8d8084f0af4fac
SHA1: d3762bb2d3eed8b4744f80d13481d1053732fc5f
SHA256: 9ce9530a0de2061b4edaeeac366665867449b8755199002dfb75d88c1d119378
SHA512: 1c4af74e38243d63e65f7c31c0786a1a414cc3e477ae11590323fa535ae1b82acccf172c3cd52cf319253302691aefdaf497dad32b46e828506dfed197704c3e
SSDEEP: 24576:esSzlEqF+hVcOD/pf5fz19poadAQiM+az/fimj:wl8eOFBmQvXJj
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4092  irsetup.exe
  Processes:
    resource                                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe                  upx
    behavioral2/memory/4092-4-0x0000000000400000-0x0000000000527000-memory.dmp    upx
    behavioral2/memory/4092-14-0x0000000000400000-0x0000000000527000-memory.dmp   upx
- Drops file in Windows directory (1 IoCs)
  Processes:
    description                   ioc                             process
    File opened for modification  C:\Windows\MSRX Setup Log.txt   irsetup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    4092  irsetup.exe
    4092  irsetup.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process     target process
    PID 1552 wrote to memory of 4092  1552  setup.exe   irsetup.exe
    PID 1552 wrote to memory of 4092  1552  setup.exe   irsetup.exe
    PID 1552 wrote to memory of 4092  1552  setup.exe   irsetup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  Filesize: 440KB
  MD5: 75ca7ff96bf5a316c3af2de6a412bd54
  SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
  SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
  SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4
- memory/4092-4-0x0000000000400000-0x0000000000527000-memory.dmp
  Filesize: 1.2MB
- memory/4092-14-0x0000000000400000-0x0000000000527000-memory.dmp
  Filesize: 1.2MB