7982a8dd7cbafc7dc7bb0987276aa883c347ff496d9dfb5ec0852bc49d03b8bc

Analysis

max time kernel
121s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

76.4MB
MD5

86cf5d2cab3f8464e27c418a51da8f3e
SHA1

3f63c9a67879c669ad4fd445c4cdb0a349150864
SHA256

90893fccb8931dab642099386133d9308fcb20248414508357b07610180121e1
SHA512

2b8453cdcde7bef68ce4c01fef25f3215cd881c6366bcc7e44b263f155f1a4813d729d2ed792c3180e6af18b6654c93324b437d7f7328fd3588309b52563171a
SSDEEP

1572864:wwKKKKKKdamamamamamaFKKKzerFmDB7uENQecB01mQO2:w6dddddnWFmhQe82

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	irsetup.exe
1268	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
288	2.exe
1444	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1444	irsetup.exe
1444	irsetup.exe
1444	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1444	288	2.exe	30
PID 288 wrote to memory of 1444	288	2.exe	30
PID 288 wrote to memory of 1444	288	2.exe	30

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5818402 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-4177215427-74451935-3209572229-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
350KB

MD5
c916c7815286c5233a49deac81f8543e

SHA1
cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

SHA256
3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

SHA512
0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit