Overview

overview

7

Static

static

1

True_Iron_...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    68s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2024, 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    True_Iron_1.3.3_Setup.exe

  • Size

    92.7MB

  • MD5

    54d20866e766b98563a35e5c3cd975d5

  • SHA1

    363715e81337e43683657979590b0fc1c12b6786

  • SHA256

    3640fec744dac2a93b4329665e4a74bd922ca337a7c4e3a6bddced670bae6478

  • SHA512

    ac372813ec0a07009a215b890a4b5755c5401c2505c3d1fe2c3a9bd4feb414bae4c82c750e73f6ab3f19eb03efdcf24cc9a96f4aad9ee5aea13690b606a96c6f

  • SSDEEP

    1572864:NU2YQ51drrmYJH/HcjYdy+Pg5PgXTrmWXvZ0M2D0Vsdf7ayCVWytBDv:NfAYBcklPCgf9fonf7YUyTDv

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 50 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\True_Iron_1.3.3_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\True_Iron_1.3.3_Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Users\Admin\AppData\Local\Temp\is-BCQKT.tmp\True_Iron_1.3.3_Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BCQKT.tmp\True_Iron_1.3.3_Setup.tmp" /SL5="$D00E8,96517713,799744,C:\Users\Admin\AppData\Local\Temp\True_Iron_1.3.3_Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\is-9OAS8.tmp\vc_redist.x64.exe
        "C:\Users\Admin\AppData\Local\Temp\is-9OAS8.tmp\vc_redist.x64.exe" /passive /norestart
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\Temp\{46BA8E71-2080-4176-AEB2-4CDFEFAE8337}\.cr\vc_redist.x64.exe
          "C:\Windows\Temp\{46BA8E71-2080-4176-AEB2-4CDFEFAE8337}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-9OAS8.tmp\vc_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /passive /norestart
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4176
          • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\.be\VC_redist.x64.exe
            "C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{41C5AB53-DFC9-48D2-A5F1-E168395D26D5} {747F8D70-A953-433E-AB79-E9D210F9BA42} 4176
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
              "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=1140 -burn.embedded BurnPipe.{9B89DCE2-CF34-4AC0-9102-6056B7CE3549} {2BD8816A-FD48-4D22-A77F-AF2E8D87E121} 1644
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={3746f21b-c990-4045-bb33-1cf98cff7a68} -burn.filehandle.self=1140 -burn.embedded BurnPipe.{9B89DCE2-CF34-4AC0-9102-6056B7CE3549} {2BD8816A-FD48-4D22-A77F-AF2E8D87E121} 1644
                7⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:3424
                • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                  "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9C8750E6-EFDE-42C4-83EF-4A5C7BC1D21A} {A253AA85-FA2B-45DD-B909-94211C0A7D49} 3424
                  8⤵
                  • Modifies registry class
                  PID:1364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:920
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
      PID:3932
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e579ea6.rbs
      Filesize

      19KB

      MD5

      35b9d1bca6d25096b6532d9db62b0859

      SHA1

      e3795370f8f9b55821ab8de7a0497800497dd43a

      SHA256

      0fce1cbcb0f3bd8aa6b8c36cc133cb2e39b19631dfdc14dccc8f0df91c047f36

      SHA512

      8d967847fc3bcdec597fb4b00b341cd5babeb0d72d34f0fb51165fc59527d98b4422888b2a4be1492ef6b6f77f7d630e7fdfc95bc02f897b5b3713c4a3675c19

      Download Submit

    • C:\Config.Msi\e579eb2.rbs
      Filesize

      19KB

      MD5

      80271129d0d9d6299f3b288d06eb8d1e

      SHA1

      d16a5b7380f30d34fe5c9c73b710a1c35ce8a199

      SHA256

      446048a840245d162c9c050151e7085e13148da72db773112ff3a958fe1910bd

      SHA512

      7883c1304273bcffb2af3b18d4318a753c31a96358f1ba752783736375f44e66a4cf49bf389fe3559ec27e134e1630825644fd73f451aebdbd3b57b222bfe1f7

      Download Submit

    • C:\Config.Msi\e579eb9.rbs
      Filesize

      21KB

      MD5

      7ef8451d5dd168e5918fdf500ff4f5b5

      SHA1

      24aa67076b00c54470e01fd1aba4a89e29c3a481

      SHA256

      a56f264227c66a93ede53bf7262a2bd0cc640b0c4543e9f5e40e1c0e58198fa3

      SHA512

      d1354d25e8cf65a6156411616e18e3c5682a826b4c4c609884ef9e60c9cd8f1b84e14f5c0430262c194147c99eb710600561e3e3c11877a6bd4151abb824225f

      Download Submit

    • C:\Config.Msi\e579ec8.rbs
      Filesize

      21KB

      MD5

      dcc866ec68cfd48f4af749bcb70d17b7

      SHA1

      b0c575a3bd7e68a46e467e744e0a91309d01527b

      SHA256

      5f24f04af826a978f70d1e3a2790febf41e010f9e1ae27a8a3a4da5a7278cece

      SHA512

      2f43cd2b02832177be126333f21b705f1e1b9627a258a382499cfce0eaebe9546185cbd7792358a510db738d468f8c8ea67bb5190bfba28ede2dcae560ef70b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240602111150_000_vcRuntimeMinimum_x64.log
      Filesize

      2KB

      MD5

      4b65fdeb155eb5f8ae6a3d0033dc4aff

      SHA1

      b60f9924a00d553e0675f394e5eb39c992516815

      SHA256

      2df23c26a0ca3779fbac3bbb61a8a9d5ee973097c2b38541a96f5ee8d38eb6d3

      SHA512

      e298f66dd44191a98d8334f9bdf6e18d26062de8e58bd0e59811625dbd8ccf03d9160632d4b7984cca8f6b088977ec7993cb41cad995104a6b5768c28b26d36d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240602111150_001_vcRuntimeAdditional_x64.log
      Filesize

      2KB

      MD5

      7d4438264473ba87e7cf81ca38aa0bef

      SHA1

      bfec8edbed742913f543ccffb4cf494410f9635d

      SHA256

      7e37e0b7474ccee5a44b28571375892d2a6ec832765df30d4afedfe347198d0c

      SHA512

      bbc7cfea119cb1dd20438c86c52c8175e5aaeb76096d1bdb0105374a79fdbf275d5cd4ec302a8ef82ee032f85233a6af8f7b78c2ee62856a24fe6d9a9c207824

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-9OAS8.tmp\VC_redist.x64.exe
      Filesize

      24.1MB

      MD5

      cdce5d5ee259d8071fa82f522c5c7d6e

      SHA1

      d4f9181e70e3f1aa6c8edffcc15b3c3d4babe36b

      SHA256

      ce6593a1520591e7dea2b93fd03116e3fc3b3821a0525322b0a430faa6b3c0b4

      SHA512

      8f86693bf9fb4ee0ba021b826663028158d580a0424417a30d8f95ef8853fcd224b5a213beba5d99b48be0607a0a6870158bf1899fe1445da9ca19a208608527

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-BCQKT.tmp\True_Iron_1.3.3_Setup.tmp
      Filesize

      2.5MB

      MD5

      d7c5572cb60a32aad36f072a43c8a8f2

      SHA1

      576cddce03b4e05666d23b6ed8c98cc44bd80b19

      SHA256

      af6a2b17e21896d98911b92d73765b95be81330b4155fc0bb3125beebec07bfd

      SHA512

      c46baf4840c99acdb171a9bd3f77c3cfe24474c27c8c68eb7f2bc6e8c4d288b8e36831d5b2454078fdade2ded6818049640d475775443ce746f20b931b3ee41c

      Download Submit

    • C:\Windows\Temp\{46BA8E71-2080-4176-AEB2-4CDFEFAE8337}\.cr\vc_redist.x64.exe
      Filesize

      635KB

      MD5

      d940ea062ed6e99f6d873c2f5f09d1c9

      SHA1

      6abec3341d3bca045542c7b812947b55ddaf6b64

      SHA256

      a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202

      SHA512

      e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\.ba\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\.ba\wixstdba.dll
      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
      Filesize

      5.4MB

      MD5

      be501f118803c6b283e5743cb94d4f44

      SHA1

      a9530c227fb73f98d137e6c178f48c4fcb78a1da

      SHA256

      008ca0b47d627692050c2b7fd16bc670c2ea2a7541ed4cad9abd1675a481b6c5

      SHA512

      ddb3f7913f45e9d9c757cbc7b75b7a65c3eb9bf429c97ad73e9b321849427617ea4a1fdc15ca5166a5417345552046c6ba043a8d14ff4fc61d58a1f38f288356

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\cab5046A8AB272BF37297BB7928664C9503
      Filesize

      883KB

      MD5

      c1f40b16e6dfd6c841c1f97524ac53f6

      SHA1

      7eaf1a916ac8498253a310ef30d6e2198f2c0555

      SHA256

      a05b0138d3c22af4593feb5b4a3a55f92e4d958246bc4a87754eee73e5e52600

      SHA512

      b5aba56c88d9375157954996cae73e1d55faaf956181a2ef8c1f62612da91356454ad367ae5a5eb370d5c96cc27bf2b7d359f874a191c8913cfc3723b166ee6e

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\vcRuntimeAdditional_x64
      Filesize

      180KB

      MD5

      049e4621dbd5337ae926e067b6b442b5

      SHA1

      6dae8d1d8106021c21b47b06765849e93f8e3359

      SHA256

      f76e2807b845c49e15d8a41e3191716eac9931467bfdd8366b60900b1fef4235

      SHA512

      46788a3c050508ac0868d8fc312a62724ae44d9f04f456075413d5a364b7152faab1027659435e39163952bb216b629ae77ab2f6a6b4318e8a8bb33f7d6413d3

      Download Submit

    • C:\Windows\Temp\{57340C75-9C5F-4BE0-97AE-62F73E27C156}\vcRuntimeMinimum_x64
      Filesize

      180KB

      MD5

      61f974cf8f47f9a47760c3fb21a2ce3f

      SHA1

      16ba7bd668619f8e284bd7cbce08fad3ce97fcb9

      SHA256

      78f2a39485d7b48733bc4767619baa34310cf8f9dedc120d054d0842eb4201ea

      SHA512

      152a520fb24857ab0a834f1c94e0f7a21c1b998c71861843e37d55a2364a6730fae2f3a02507941ff593a9c1c9f57018d9912bd0d80ab0b87d7b4158194b927c

      Download Submit

    • memory/1364-227-0x0000000000290000-0x0000000000307000-memory.dmp

      Filesize

      476KB

      Download

    • memory/2004-14-0x0000000000400000-0x0000000000687000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2004-6-0x0000000000400000-0x0000000000687000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2004-86-0x0000000000400000-0x0000000000687000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2004-306-0x0000000000400000-0x0000000000687000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2004-314-0x0000000000400000-0x0000000000687000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2724-265-0x0000000000290000-0x0000000000307000-memory.dmp

      Filesize

      476KB

      Download

    • memory/3424-264-0x0000000000290000-0x0000000000307000-memory.dmp

      Filesize

      476KB

      Download

    • memory/3732-8-0x0000000000400000-0x00000000004D1000-memory.dmp

      Filesize

      836KB

      Download

    • memory/3732-0-0x0000000000400000-0x00000000004D1000-memory.dmp

      Filesize

      836KB

      Download

    • memory/3732-2-0x0000000000401000-0x00000000004B7000-memory.dmp

      Filesize

      728KB

      Download

    • memory/3732-315-0x0000000000400000-0x00000000004D1000-memory.dmp

      Filesize

      836KB

      Download