48cb26764e09d08a2303a2b72f02400c4c45d336ce286e1030b6f4ac9d686702

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Start11v2-setup.exe
Size

50.9MB
MD5

3ca5689b6b4ffb7972893da753141494
SHA1

d6b793cc07a16985eca137675de0e665fa1c0825
SHA256

48cb26764e09d08a2303a2b72f02400c4c45d336ce286e1030b6f4ac9d686702
SHA512

6986960ee3ba9036d553785d89d2e65aa8cad26ac402bf7f3b7ef65cbd741c983ea2e54aeeee306d734ed01bcc938f8f034e95ba9fee4a6226c53d28250e9d38
SSDEEP

786432:LP4KRzzbDAb89drMj4UtY4doZrDxfmv57bbhtU5tbbhJbsOuPB3Y3:VzzIoHrMj1Po1DhW7bs5tbbsOuPB6

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015ce4-3.dat	upx
behavioral1/memory/2192-19-0x0000000001080000-0x0000000001468000-memory.dmp	upx
behavioral1/memory/2368-17-0x0000000003500000-0x00000000038E8000-memory.dmp	upx
behavioral1/memory/2192-50-0x0000000001080000-0x0000000001468000-memory.dmp	upx

Executes dropped EXE 1 IoCs

pid	Process
2192	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	Start11v2-setup.exe
2368	Start11v2-setup.exe
2368	Start11v2-setup.exe
2368	Start11v2-setup.exe
2192	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11v2-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2192	irsetup.exe
2192	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30
PID 2368 wrote to memory of 2192	2368	Start11v2-setup.exe	30

C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1936418 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2872745919-2748461613-2989606286-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\eula.txt

Filesize
22KB

MD5
1f286ee31c288e8aae5200acc5b519b4

SHA1
fe76c325ca8a55e5354021b416ffe3b78c625fd9

SHA256
2896108090c277cbdb24b5fa6c87e6aa77bf4ed986f4b3ae4da0720c8de61ed2

SHA512
45062a327efcd0fe051940b950388ff58f5363a128c43b85fac3c9352b918707accaafa346292d62fe6f02be6d0366eade2954fb867fa48b3a50b510d72c12c0

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/2192-19-0x0000000001080000-0x0000000001468000-memory.dmp

Filesize
3.9MB

Download
memory/2192-50-0x0000000001080000-0x0000000001468000-memory.dmp

Filesize
3.9MB

Download
memory/2368-18-0x0000000003500000-0x00000000038E8000-memory.dmp

Filesize
3.9MB

Download
memory/2368-20-0x0000000003500000-0x00000000038E8000-memory.dmp

Filesize
3.9MB

Download
memory/2368-17-0x0000000003500000-0x00000000038E8000-memory.dmp

Filesize
3.9MB

Download
memory/2368-49-0x0000000003500000-0x00000000038E8000-memory.dmp

Filesize
3.9MB

Download