b2219ac093f3723ffa1f7bf6954a6cd235b669a4aadbfe95775473c4d77d5276

General

Target

StartIsBackPlusPlus_setup.exe
Size

1.5MB
MD5

cd4690969fcb565a0c443e179dfc74e3
SHA1

3fd85892fc4d8d6ea4b6df9b67bd8d59af41017a
SHA256

b2219ac093f3723ffa1f7bf6954a6cd235b669a4aadbfe95775473c4d77d5276
SHA512

73e4070054d0b2260e80d2c478e81c4f3533821228b2e67f3d1379cea8c272ac6e6a75ed64f33ae5f6d5b7faaca2841762b499f4c6c224db9312c61416bf8948
SSDEEP

24576:+YOLK+xhW2vw7m+CHJ8FoKSkXvgC19Px6Mzk7Iq1Z/NLq5bJ+TOAwUEy+P1iHEMi:+YOLK+P/J8FoXg9PTxq1Z/N+58TQUEBP

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	StartIsBackCfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	StartIsBackPlusPlus_setup.exe

Executes dropped EXE 3 IoCs

pid	Process
4120	StartIsBackCfg.exe
1256	StartIsBackCfg.exe
4124	StartIsBackCfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4120	StartIsBackCfg.exe
1256	StartIsBackCfg.exe
4124	StartIsBackCfg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4120	3140	StartIsBackPlusPlus_setup.exe	80
PID 3140 wrote to memory of 4120	3140	StartIsBackPlusPlus_setup.exe	80
PID 3140 wrote to memory of 4120	3140	StartIsBackPlusPlus_setup.exe	80
PID 4120 wrote to memory of 4124	4120	StartIsBackCfg.exe	91
PID 4120 wrote to memory of 4124	4120	StartIsBackCfg.exe	91
PID 4120 wrote to memory of 4124	4120	StartIsBackCfg.exe	91
PID 4120 wrote to memory of 1256	4120	StartIsBackCfg.exe	90
PID 4120 wrote to memory of 1256	4120	StartIsBackCfg.exe	90
PID 4120 wrote to memory of 1256	4120	StartIsBackCfg.exe	90

C:\Users\Admin\AppData\Local\Temp\StartIsBackPlusPlus_setup.exe
"C:\Users\Admin\AppData\Local\Temp\StartIsBackPlusPlus_setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe
  "C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe" /install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe
    "C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe" /install /elevated
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe
    "C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe" /install /elevated
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4ee28dd602d338e860e847bd407cddf

SHA1
2739f71845d5310d35696df9c5d0bc0c96466e9a

SHA256
0855cc1eeae863b215df9e532eb73ec87d3120e1163c1b21e332ddc3c9b67700

SHA512
01d427c1a8c791227597e44f1a5cf783a7e1457ad6c1cacb8439a7e074e6e961f39050c0a8b58aeb5124ca682e7fb92887dad3b41e9d01edaa1bf68152412ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4ee28dd602d338e860e847bd407cddf

SHA1
2739f71845d5310d35696df9c5d0bc0c96466e9a

SHA256
0855cc1eeae863b215df9e532eb73ec87d3120e1163c1b21e332ddc3c9b67700

SHA512
01d427c1a8c791227597e44f1a5cf783a7e1457ad6c1cacb8439a7e074e6e961f39050c0a8b58aeb5124ca682e7fb92887dad3b41e9d01edaa1bf68152412ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4ee28dd602d338e860e847bd407cddf

SHA1
2739f71845d5310d35696df9c5d0bc0c96466e9a

SHA256
0855cc1eeae863b215df9e532eb73ec87d3120e1163c1b21e332ddc3c9b67700

SHA512
01d427c1a8c791227597e44f1a5cf783a7e1457ad6c1cacb8439a7e074e6e961f39050c0a8b58aeb5124ca682e7fb92887dad3b41e9d01edaa1bf68152412ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4ee28dd602d338e860e847bd407cddf

SHA1
2739f71845d5310d35696df9c5d0bc0c96466e9a

SHA256
0855cc1eeae863b215df9e532eb73ec87d3120e1163c1b21e332ddc3c9b67700

SHA512
01d427c1a8c791227597e44f1a5cf783a7e1457ad6c1cacb8439a7e074e6e961f39050c0a8b58aeb5124ca682e7fb92887dad3b41e9d01edaa1bf68152412ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.65CEDC44\StartIsBackCfg.exe

Filesize
2.3MB

MD5
c4ee28dd602d338e860e847bd407cddf

SHA1
2739f71845d5310d35696df9c5d0bc0c96466e9a

SHA256
0855cc1eeae863b215df9e532eb73ec87d3120e1163c1b21e332ddc3c9b67700

SHA512
01d427c1a8c791227597e44f1a5cf783a7e1457ad6c1cacb8439a7e074e6e961f39050c0a8b58aeb5124ca682e7fb92887dad3b41e9d01edaa1bf68152412ac6

Download Submit
memory/1256-158-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1256-162-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/4120-153-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4120-154-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/4120-160-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/4124-159-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4124-161-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing