7982a8dd7cbafc7dc7bb0987276aa883c347ff496d9dfb5ec0852bc49d03b8bc

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

76.6MB
MD5

3349f183031e408184911fa550771202
SHA1

b59a234cfeadc20d8e1d9fe8c6c08e518cdb9599
SHA256

ac68264aa576605b946549045c022233fce1f76dda231ba5154e7090f7ac826d
SHA512

0311913b18e2efd0c24e65368a635309ef22cdb38fb73feeef7a200c226b26a6c331289b0e6a8c93cceac7825bf82681a98e7ec8ef7312809cebbbd9a8fa0805
SSDEEP

1572864:e5A5A5A5A5A5A58BbWABbWABbWABbWABbWABbWc5A5A5A5IcjHxln8FRFePNxQN:e5A5A5A5A5A5A585Z5Z5Z5Z5Z5p5A5Ap

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2900	irsetup.exe
1156	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2164	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2900	irsetup.exe
2900	irsetup.exe
2900	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2900	2164	1.exe	31
PID 2164 wrote to memory of 2900	2164	1.exe	31
PID 2164 wrote to memory of 2900	2164	1.exe	31

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5617698 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4177215427-74451935-3209572229-1000"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
350KB

MD5
c916c7815286c5233a49deac81f8543e

SHA1
cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

SHA256
3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

SHA512
0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit