4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Analysis

max time kernel
613s
max time network
398s
platform
windows10-2004_x64
resource
win10v2004-20230915-ja
resource tags

arch:x64arch:x86image:win10v2004-20230915-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-10-2023 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recuva 1.53.1087 Pro & Portable/Recuva_Portable.exe
Size

2.9MB
MD5

68057fa2ef68e7f290c0672e0cc9e308
SHA1

84a20015b826c76f183818e158e863537d185983
SHA256

de23b5fa4913b9c81ae719acea754e3d6fa7e7440ad6020b215c43f25d16aec0
SHA512

8da2641b90605a33240b7110951fc16a7cbabcf00fa25e40202cbe7c173a68c4743295f482ef3ec7d2f81a0f0e61d6f833ea9e356a4f988519a346562231053a
SSDEEP

49152:qF4QAuRc7ogh7PoxFKj6dCry8y9tqvcxHdjOsapgWXlRxMNZu+rBFkKU:G4oRcnstdCW+kxHNMGW6eIFkKU

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	Recuva_Portable.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	RePack.exe
4124	RePack.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral16/memory/4608-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral16/memory/4608-36-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4608	Recuva_Portable.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1184	4608	Recuva_Portable.exe	82
PID 4608 wrote to memory of 1184	4608	Recuva_Portable.exe	82
PID 4608 wrote to memory of 1184	4608	Recuva_Portable.exe	82
PID 1184 wrote to memory of 4124	1184	RePack.exe	83
PID 1184 wrote to memory of 4124	1184	RePack.exe	83
PID 1184 wrote to memory of 4124	1184	RePack.exe	83

C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\Recuva_Portable.exe
"C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\Recuva_Portable.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe
  "C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\is-F4G5U.tmp\RePack.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-F4G5U.tmp\RePack.tmp" /SL5="$B0172,204482,133120,C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe"
    3⤵
    - Executes dropped EXE
    PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe

Filesize
596KB

MD5
e868e2244903313ca4197f06b140209a

SHA1
5ba1d800f9dcfcf53ecb96e8bfe2585817093554

SHA256
d315901cc5a07ce18a281163c40ad164baeabf654f7c7e58a578fe2f8c962105

SHA512
f1e09dd7abecbb42009bd0937f6ec7caf56715053789077eca0c2705c16f007133fc9f36a47545247e322b613c81204a43f2150e24ef870e7e522af4a73ad475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe

Filesize
596KB

MD5
e868e2244903313ca4197f06b140209a

SHA1
5ba1d800f9dcfcf53ecb96e8bfe2585817093554

SHA256
d315901cc5a07ce18a281163c40ad164baeabf654f7c7e58a578fe2f8c962105

SHA512
f1e09dd7abecbb42009bd0937f6ec7caf56715053789077eca0c2705c16f007133fc9f36a47545247e322b613c81204a43f2150e24ef870e7e522af4a73ad475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recuva 1.53.1087 Pro & Portable\RecuvaRePackTEMPfiles\RePack.exe

Filesize
596KB

MD5
e868e2244903313ca4197f06b140209a

SHA1
5ba1d800f9dcfcf53ecb96e8bfe2585817093554

SHA256
d315901cc5a07ce18a281163c40ad164baeabf654f7c7e58a578fe2f8c962105

SHA512
f1e09dd7abecbb42009bd0937f6ec7caf56715053789077eca0c2705c16f007133fc9f36a47545247e322b613c81204a43f2150e24ef870e7e522af4a73ad475

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F4G5U.tmp\RePack.tmp

Filesize
1.1MB

MD5
3fa023d15a40df7a93ea51be86a84658

SHA1
6fa37e21dd8b30254cf77416134daba15a8b0d6b

SHA256
10825ca684dad54f34d9baa0fd8bc57007c81325301b8ecce043023206776064

SHA512
8e2f1034c827872605126edc7416b2611a83705529c22650e040a8abd36b4197f7f4b7b1bc2d7e4134b6fbe4a96c76ece1a8668dcaa169b034137036e0077245

Download Submit
memory/1184-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1184-52-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4124-46-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4124-54-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4124-55-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4608-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download