df07f5c894dc5b6ccc61c42603d97d2011d24fa33164d6c0e717e937cc70e86c

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2022 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FenixZone Downloader Global.exe
Size

2.2MB
MD5

f4acc9bd9e1c3b1bcdde1420d72880ef
SHA1

280027cc243533d7c45abe3f4ac580075ff265af
SHA256

df07f5c894dc5b6ccc61c42603d97d2011d24fa33164d6c0e717e937cc70e86c
SHA512

88212d1c47d8a572d67765e6bd8e97ae9bc16a78fea47935e96f20743ae42c57e0a53be321c23f798d802cf61dd54c6f383d4fbf31f029fc01772689b230188e
SSDEEP

24576:sahCKYyreWEELzQeRV4eCKNLeTThbx9RwY62yB1IUYUBsjkbeAvmTKXqsL074byN:PvreNELzQdOQYu9ypweOQYu9ypFLzQ

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
460	VC_redist.x86.exe
2352	DXSETUP.exe
4140	VC_redist.x86.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	FenixZone Downloader Global.exe

Loads dropped DLL 4 IoCs

pid	Process
2352	DXSETUP.exe
2352	DXSETUP.exe
2352	DXSETUP.exe
4140	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe
3424	FenixZone Downloader Global.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	FenixZone Downloader Global.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 460	3424	FenixZone Downloader Global.exe	89
PID 3424 wrote to memory of 460	3424	FenixZone Downloader Global.exe	89
PID 3424 wrote to memory of 460	3424	FenixZone Downloader Global.exe	89
PID 3424 wrote to memory of 2352	3424	FenixZone Downloader Global.exe	90
PID 3424 wrote to memory of 2352	3424	FenixZone Downloader Global.exe	90
PID 3424 wrote to memory of 2352	3424	FenixZone Downloader Global.exe	90
PID 460 wrote to memory of 4140	460	VC_redist.x86.exe	91
PID 460 wrote to memory of 4140	460	VC_redist.x86.exe	91
PID 460 wrote to memory of 4140	460	VC_redist.x86.exe	91

C:\Users\Admin\AppData\Local\Temp\FenixZone Downloader Global.exe
"C:\Users\Admin\AppData\Local\Temp\FenixZone Downloader Global.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\Documents\GTA SA\VC_redist.x86.exe
  "C:\Users\Admin\Documents\GTA SA\VC_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\Temp\{3DB952FA-AA6E-4988-BE32-23344F2FAB26}\.cr\VC_redist.x86.exe
    "C:\Windows\Temp\{3DB952FA-AA6E-4988-BE32-23344F2FAB26}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Documents\GTA SA\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4140
- C:\Users\Admin\Documents\GTA SA\DirectX\DXSETUP.exe
  "C:\Users\Admin\Documents\GTA SA\DirectX\DXSETUP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\GTA SA\DirectX\DSETUP.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\DSETUP.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\DSETUP32.DLL

Filesize
1.5MB

MD5
d8fa7bb4fe10251a239ed75055dd6f73

SHA1
76c4bd2d8f359f7689415efc15e3743d35673ae8

SHA256
fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

SHA512
73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\DXSETUP.exe

Filesize
505KB

MD5
bf3f290275c21bdd3951955c9c3cf32c

SHA1
9fd00f3bb8a870112dae464f555fcd5e7f9200c0

SHA256
8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d

SHA512
d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\DXSETUP.exe

Filesize
505KB

MD5
bf3f290275c21bdd3951955c9c3cf32c

SHA1
9fd00f3bb8a870112dae464f555fcd5e7f9200c0

SHA256
8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d

SHA512
d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\dsetup.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
C:\Users\Admin\Documents\GTA SA\DirectX\dsetup32.dll

Filesize
1.5MB

MD5
d8fa7bb4fe10251a239ed75055dd6f73

SHA1
76c4bd2d8f359f7689415efc15e3743d35673ae8

SHA256
fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

SHA512
73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

Download Submit
C:\Users\Admin\Documents\GTA SA\VC_redist.x86.exe

Filesize
13.1MB

MD5
44b4932dad3cbb8ce7af149a3c155ef9

SHA1
0a16910fd763eed7fc89bfa329ad2ffc317431e8

SHA256
80c7969f4e05002a0cd820b746e0acb7406d4b85e52ef096707315b390927824

SHA512
ca71e2024336136ee4e0a4cdf03ab9a035e9276f5f2eeb45349b3e78bbd5c1185e5cbf4e8e1872ed7495e0ae5941be0bb635cfeb0b2b0f0108225938bbb111be

Download Submit
C:\Users\Admin\Documents\GTA SA\VC_redist.x86.exe

Filesize
13.1MB

MD5
44b4932dad3cbb8ce7af149a3c155ef9

SHA1
0a16910fd763eed7fc89bfa329ad2ffc317431e8

SHA256
80c7969f4e05002a0cd820b746e0acb7406d4b85e52ef096707315b390927824

SHA512
ca71e2024336136ee4e0a4cdf03ab9a035e9276f5f2eeb45349b3e78bbd5c1185e5cbf4e8e1872ed7495e0ae5941be0bb635cfeb0b2b0f0108225938bbb111be

Download Submit
C:\Windows\Temp\{3DB952FA-AA6E-4988-BE32-23344F2FAB26}\.cr\VC_redist.x86.exe

Filesize
632KB

MD5
7e212a2f2562a1298132e291923a1e89

SHA1
c0f57264a66998164270b741e3c6f842652bdad7

SHA256
a0b8aabc7e5e2b1ac791b869ec8ba074c2ffe27d8c715fc8d7aa4c522cd1ee7c

SHA512
1f461bbd32e2ede80f7da13eed744581d5f7b2d63b252e7ebbc5bcb1e5139ed9000f110dcae711ba8d22ea66d8e2b6739258b6b8edc960e04a804bdd99568adb

Download Submit
C:\Windows\Temp\{3DB952FA-AA6E-4988-BE32-23344F2FAB26}\.cr\VC_redist.x86.exe

Filesize
632KB

MD5
7e212a2f2562a1298132e291923a1e89

SHA1
c0f57264a66998164270b741e3c6f842652bdad7

SHA256
a0b8aabc7e5e2b1ac791b869ec8ba074c2ffe27d8c715fc8d7aa4c522cd1ee7c

SHA512
1f461bbd32e2ede80f7da13eed744581d5f7b2d63b252e7ebbc5bcb1e5139ed9000f110dcae711ba8d22ea66d8e2b6739258b6b8edc960e04a804bdd99568adb

Download Submit
C:\Windows\Temp\{8375B1D1-0559-469D-925B-019C68B424C6}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/3424-132-0x0000000000B20000-0x0000000000D64000-memory.dmp

Filesize
2.3MB

Download
memory/3424-139-0x0000000001510000-0x0000000001522000-memory.dmp

Filesize
72KB

Download
memory/3424-138-0x0000000001250000-0x000000000125A000-memory.dmp

Filesize
40KB

Download
memory/3424-137-0x0000000005B60000-0x0000000005BB6000-memory.dmp

Filesize
344KB

Download
memory/3424-136-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/3424-135-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3424-134-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/3424-133-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download