c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
Size

6.4MB
MD5

b716debc940eb6715fd31231a14301d2
SHA1

87bd40b0d6db79f6aca6659796b9a1098429f04f
SHA256

c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4
SHA512

2d5faa8cf99e6075b8f17ecaf7e1d132ca9344aee3d03a36d1f9f92f433a498b8e313762d88f196700ad8bf7687d7d52ba79ba9fc011275e55ee29c97c37fc04
SSDEEP

196608:c3F6n80W6uG9RwR9WQzyhEJ/4kB9CpEB/xq9tTPS4:YFRELS9dzyjkB9eEVSTv

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/files/0x0038000000015d28-3.dat	UPX
behavioral1/memory/2088-18-0x0000000000400000-0x00000000007CB000-memory.dmp	UPX
behavioral1/memory/2088-109-0x0000000000400000-0x00000000007CB000-memory.dmp	UPX

Executes dropped EXE 7 IoCs

pid	Process
2088	irsetup.exe
2752	capi.exe
2540	MediaPlay.exe
2512	faket.exe
1728	faket.tmp
2740	cubesta.exe
1916	XVD.exe

Loads dropped DLL 16 IoCs

pid	Process
848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
2088	irsetup.exe
2088	irsetup.exe
2088	irsetup.exe
2088	irsetup.exe
2088	irsetup.exe
2512	faket.exe
1728	faket.tmp
1728	faket.tmp
1728	faket.tmp
2088	irsetup.exe
2088	irsetup.exe
2088	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0038000000015d28-3.dat	upx
behavioral1/memory/2088-18-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/memory/848-14-0x0000000003230000-0x00000000035FB000-memory.dmp	upx
behavioral1/memory/2088-109-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2088	irsetup.exe
2088	irsetup.exe
2752	capi.exe
2740	cubesta.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 848 wrote to memory of 2088	848	c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe	28
PID 2088 wrote to memory of 2752	2088	irsetup.exe	29
PID 2088 wrote to memory of 2752	2088	irsetup.exe	29
PID 2088 wrote to memory of 2752	2088	irsetup.exe	29
PID 2088 wrote to memory of 2752	2088	irsetup.exe	29
PID 2088 wrote to memory of 2540	2088	irsetup.exe	30
PID 2088 wrote to memory of 2540	2088	irsetup.exe	30
PID 2088 wrote to memory of 2540	2088	irsetup.exe	30
PID 2088 wrote to memory of 2540	2088	irsetup.exe	30
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2088 wrote to memory of 2512	2088	irsetup.exe	31
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2512 wrote to memory of 1728	2512	faket.exe	32
PID 2088 wrote to memory of 2740	2088	irsetup.exe	33
PID 2088 wrote to memory of 2740	2088	irsetup.exe	33
PID 2088 wrote to memory of 2740	2088	irsetup.exe	33
PID 2088 wrote to memory of 2740	2088	irsetup.exe	33
PID 2088 wrote to memory of 1916	2088	irsetup.exe	34
PID 2088 wrote to memory of 1916	2088	irsetup.exe	34
PID 2088 wrote to memory of 1916	2088	irsetup.exe	34
PID 2088 wrote to memory of 1916	2088	irsetup.exe	34

C:\Users\Admin\AppData\Local\Temp\c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe
"C:\Users\Admin\AppData\Local\Temp\c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1741682 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\c0f5f5dab89405194ab1a80d08e2f1ead30a8d91a18785d4ef4a261b863c64e4.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-268080393-3149932598-1824759070-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\capi.exe
    C:\Users\Admin\AppData\Local\Temp\capi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\MediaPlay.exe
    C:\Users\Admin\AppData\Local\Temp\MediaPlay.exe
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\faket.exe
    C:\Users\Admin\AppData\Local\Temp\faket.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\is-HJORE.tmp\faket.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HJORE.tmp\faket.tmp" /SL5="$5016C,297656,214528,C:\Users\Admin\AppData\Local\Temp\faket.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\cubesta.exe
    C:\Users\Admin\AppData\Local\Temp\cubesta.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\XVD.exe
    C:\Users\Admin\AppData\Local\Temp\XVD.exe
    3⤵
    - Executes dropped EXE
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\capi.exe

Filesize
16KB

MD5
1d97b15f85f9b6d84d196fb53474fe4c

SHA1
706af6b1a6a24e8a3f0fe0f09bb49bb2d02e4801

SHA256
1e6a003d7edda3219d3d99a85bf64a56ce53d94a97bb76aeeb1fcc99b933bf1f

SHA512
eb714c6a742ba08dbe62ef3e4ab7a84077f37923419e1a513c66def1809367b049d5ca8a4e5d26464b9bc21b14e6b8afa10aeda411635e2af14d05be2adab853

Download Submit
\Users\Admin\AppData\Local\Temp\MediaPlay.exe

Filesize
2.8MB

MD5
0ad66ee94c963b98d9867051c237e104

SHA1
9cb4053a5e4f126b4d5af1abae110425a10340f0

SHA256
0ed67baab5ae148a954b557351452a3b8d5ff0317da947f3b36e5ab2b4c08914

SHA512
d5ce56cc422712d453a89c56ff3ff811773e8a96ed80723209c91c9dec0a2f5e506f8ac5d649960ca19facb4abab3c84192c99fd4c228692a94be626e52ea86e

Download Submit
\Users\Admin\AppData\Local\Temp\XVD.exe

Filesize
2.7MB

MD5
8f8cce25bbddcf47c092c06e92472ab2

SHA1
643d143a5d7f9382f9a956a1e920297780471f94

SHA256
4777d0943504682740e39cc8ec16163589637538caf7248f495c4c3be0e194a5

SHA512
eabc31bc8418eb8470d6d2d5cb10d5dde5c39ae720e38ea0d314598c629a057023936991c98775bbcf966ac0c0c0b8e0da576cbd71d753e1cc0babab4d4737ca

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
\Users\Admin\AppData\Local\Temp\cubesta.exe

Filesize
20KB

MD5
92325e5a62fca059da0df3064c032400

SHA1
21a91b4d32116909c69cf9bfaaeb9a0f764d2ee5

SHA256
9a357f7e9cbd36d4907f3118f29eb4966411b5e0f5f1aba72bbe11a5bd7229f3

SHA512
88e1b54944d4b2d43764ee97b36e4ada2457994520237577cc7302ba9647ce5be7e4ab740cda69b9dc2ddfa1433fb7bc29fc7bf78477aeee80398a65fbc654b0

Download Submit
\Users\Admin\AppData\Local\Temp\faket.exe

Filesize
564KB

MD5
177abdb4c3b25579fd17744383d86f0e

SHA1
9786264abe657acaebcb64508c7c339c5a24f328

SHA256
a0d69e001de793d48d428f3a69d2a401234f25e21aaa34a499b30fd7354e57a7

SHA512
16fdd4850ace84daf2bf03e9ac52c01e176c0ebe7487c56949d5ad1851fdd2e6c84864a10807dc8e9941fa78ab65f3c627d3730eabc6c1a925f1f3fd5806a85a

Download Submit
\Users\Admin\AppData\Local\Temp\is-HJORE.tmp\faket.tmp

Filesize
848KB

MD5
3ce8ae464108b6667834b839c8fd70fa

SHA1
c62d55be10b009d5ae0d8f418fd0c39249774db4

SHA256
551dff03f42af3a1fb3a49946a943233a6900b3bbd8e403f7d617fcf0a93c413

SHA512
825e3c10245a9465e6ab018e681e46023c060478bcdc730189098472de87082bf15e6044902e53c6ffd62b050c105417845b10912a4f042efb31ec18ca1c09be

Download Submit
\Users\Admin\AppData\Local\Temp\is-U6CUJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U6CUJ.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/848-14-0x0000000003230000-0x00000000035FB000-memory.dmp

Filesize
3.8MB

Download
memory/848-15-0x0000000003230000-0x00000000035FB000-memory.dmp

Filesize
3.8MB

Download
memory/848-16-0x0000000003230000-0x00000000035FB000-memory.dmp

Filesize
3.8MB

Download
memory/1728-81-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1728-74-0x0000000001F50000-0x0000000001F8C000-memory.dmp

Filesize
240KB

Download
memory/2088-18-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2088-109-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2512-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2540-50-0x0000000002020000-0x00000000020EA000-memory.dmp

Filesize
808KB

Download