6078d554f9b00bf8c5f8c7ed3bcf57c61d9b8c89c08c304ec938e1a450011ffe

Analysis

max time kernel
158s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

simplearchive.scr
Size

712KB
MD5

5e63fa00340326fecc1b3c7f942ccff1
SHA1

eaf739f71b25517bffc37966dd19cb256c7c93fe
SHA256

21fe1a80e75c3392f448b3ad41935c5d6b55bc4366532a0a6eee46c1b4684491
SHA512

1ace52b425a2a9e0d102ffc6d67469b87d640f758d35b7c999763faba6888dfec0a491786bd9e70837280542bd59cc8ccb3df4e0c64e6fcc8a77d770d489d85e
SSDEEP

12288:SXmwRo+mv8QD4+0N469AoUleMoGlHNImbu7IT/4zp1nBgxmF+Jf9v189lS:SX48QE+U7AoxMowHNImbu7AAF1BgxmFO

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	simplearchive.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 4 IoCs

pid	Process
4016	service.exe
2520	service.exe
3376	service.exe
4636	service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\service.exe"	service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 2520	4016	service.exe	100
PID 3376 set thread context of 4636	3376	service.exe	104

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxManifest.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	service.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	service.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	service.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	service.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	service.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Concrete.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_dark.jpg	service.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\BuildInfo.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\RemoveRevoke.M2V	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\31.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\3DViewerProductDescription-universal.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinOnboardingCommands.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	service.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	service.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a.jpg	service.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	service.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	service.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	service.exe
2520	service.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4016	1320	simplearchive.scr	91
PID 1320 wrote to memory of 4016	1320	simplearchive.scr	91
PID 1320 wrote to memory of 4016	1320	simplearchive.scr	91
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 4016 wrote to memory of 2520	4016	service.exe	100
PID 2520 wrote to memory of 3376	2520	service.exe	102
PID 2520 wrote to memory of 3376	2520	service.exe	102
PID 2520 wrote to memory of 3376	2520	service.exe	102
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104
PID 3376 wrote to memory of 4636	3376	service.exe	104

C:\Users\Admin\AppData\Local\Temp\simplearchive.scr
"C:\Users\Admin\AppData\Local\Temp\simplearchive.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files (x86)\-\PDF Archiver\service.exe
  "C:\Program Files (x86)\-\PDF Archiver\service.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Program Files (x86)\-\PDF Archiver\service.exe
    "C:\Program Files (x86)\-\PDF Archiver\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\-\PDF Archiver\service.exe

Filesize
514KB

MD5
c99f9e727a31cffd7f0a2ca86c32e9cf

SHA1
3758a79b77f9c0f797d997d7561e784f853c46bf

SHA256
3f1498d0b647303a904c9f929b060911d15442cfde169d87cf967b6d57484d69

SHA512
c6fac95122d5d7fa5de271b3916e1534972d735fa308fc93db3429361f2992090b247eaab8f2ebd96b3c203bbfa51f1cb47222cd1396eb2d18ff3d8ba77286c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe

Filesize
153KB

MD5
0835b8636f24ead3f5c1be36455c44c8

SHA1
32e5f814babc9b13ed8fb8cb2d7855f3058e87e2

SHA256
10eab6b45de109f66e07c0a53c85b34a58dd88e6d132d98d027bf51db4a2cc9c

SHA512
ef621c2994bc846a466d5b0817bd6be6a39b9c97bb22f758720c4331caccee1d93174c69f634182c38e4b9b62b80ea200b61ff740955f85ce35a7ca510a49139

Download Submit
memory/1320-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-30-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/2520-31-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2520-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2520-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2520-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2520-47-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3376-45-0x0000000000C60000-0x0000000000CE8000-memory.dmp

Filesize
544KB

Download
memory/3376-51-0x0000000000C60000-0x0000000000CE8000-memory.dmp

Filesize
544KB

Download
memory/4016-32-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/4016-27-0x0000000000C10000-0x0000000000C98000-memory.dmp

Filesize
544KB

Download
memory/4636-53-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4636-57-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download