48cb26764e09d08a2303a2b72f02400c4c45d336ce286e1030b6f4ac9d686702

General

Target

Start11v2-setup.exe
Size

50.9MB
MD5

3ca5689b6b4ffb7972893da753141494
SHA1

d6b793cc07a16985eca137675de0e665fa1c0825
SHA256

48cb26764e09d08a2303a2b72f02400c4c45d336ce286e1030b6f4ac9d686702
SHA512

6986960ee3ba9036d553785d89d2e65aa8cad26ac402bf7f3b7ef65cbd741c983ea2e54aeeee306d734ed01bcc938f8f034e95ba9fee4a6226c53d28250e9d38
SSDEEP

786432:LP4KRzzbDAb89drMj4UtY4doZrDxfmv57bbhtU5tbbhJbsOuPB3Y3:VzzIoHrMj1Po1DhW7bs5tbbsOuPB6

Score

5^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Start11v2-setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234ac-5.dat	upx
behavioral2/memory/2416-12-0x0000000000310000-0x00000000006F8000-memory.dmp	upx
behavioral2/memory/2416-93-0x0000000000310000-0x00000000006F8000-memory.dmp	upx
behavioral2/memory/2416-97-0x0000000000310000-0x00000000006F8000-memory.dmp	upx

Executes dropped EXE 2 IoCs

pid	Process
2416	irsetup.exe
1380	GetMachineSID.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	irsetup.exe
2416	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetMachineSID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start11v2-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2416	irsetup.exe
2416	irsetup.exe
2416	irsetup.exe
1380	GetMachineSID.exe
2416	irsetup.exe
2416	irsetup.exe
2416	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2416	5028	Start11v2-setup.exe	82
PID 5028 wrote to memory of 2416	5028	Start11v2-setup.exe	82
PID 5028 wrote to memory of 2416	5028	Start11v2-setup.exe	82
PID 2416 wrote to memory of 3140	2416	irsetup.exe	84
PID 2416 wrote to memory of 3140	2416	irsetup.exe	84
PID 2416 wrote to memory of 3140	2416	irsetup.exe	84
PID 2416 wrote to memory of 1380	2416	irsetup.exe	86
PID 2416 wrote to memory of 1380	2416	irsetup.exe	86
PID 2416 wrote to memory of 1380	2416	irsetup.exe	86

C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1936418 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Start11v2-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2718105630-359604950-2820636825-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REGA42F.tmp

Filesize
474B

MD5
c6247e9f51d328f2d7d1bcf2dde15ae9

SHA1
66428b3d3a9789b980c7a820fb72ffb31e200f8b

SHA256
8540a5e828472342d208efce8a59cb130f735331eaaac4dda3a5ba8b4dbc17fd

SHA512
e093d2d3c1826afcac9158e9b5c98faa03c3a1d5642ea4f97cd93a8755d3f5be594651f3c9fbddd4df07850c13158fc84bc7541ebb84a501086f3916244523fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
0d2d3b1d170a1ae425277de0e2221922

SHA1
b422c9ea471364bc586d715f37bee827d2799579

SHA256
56faebc23074c64863aa5f0162d337a9e7c15348d65591d1f9fed1ed7bd90073

SHA512
1ba6c46df6ebc19a0f69ad359f2eba65a7afc982afb90a84314577b6b8932c64c5faa93784e136a29be63da74e108b073a5cd7c7a24e3b47f60ba7649bb280c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/2416-46-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2416-12-0x0000000000310000-0x00000000006F8000-memory.dmp

Filesize
3.9MB

Download
memory/2416-47-0x00000000069C0000-0x00000000069C3000-memory.dmp

Filesize
12KB

Download
memory/2416-93-0x0000000000310000-0x00000000006F8000-memory.dmp

Filesize
3.9MB

Download
memory/2416-95-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2416-96-0x00000000069C0000-0x00000000069C3000-memory.dmp

Filesize
12KB

Download
memory/2416-97-0x0000000000310000-0x00000000006F8000-memory.dmp

Filesize
3.9MB

Download
memory/2416-102-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing