d4606a6f0bdc3051221026f7fc816ac8abb60b3cdfca7533df4739544c8e8b36

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe
Size

9.5MB
MD5

236bc00019b937d2adcdd5eeb0a21801
SHA1

ee5ddc14cc10e555a5331335288a9b47ef3d7e55
SHA256

2ec918cd3e82b6391f0060165aac2aafa782aeb69d8d1d68f737e0d7172bf771
SHA512

d48a12d29733f54f3dba2d747ced7a58ce87016bd119bf063c6a6360e478a0711c559d6464d9d67cb8c54b783c05cf116a937e860f49561b5866f6fa4b0312e8
SSDEEP

196608:XJuIk+H2KOpYpSZ4XWRl0hB891AaDN/26CUt8Jq:XJuIPWKK3ay1bDNTuc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1156	2180	SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe	90
PID 2180 wrote to memory of 1156	2180	SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe	90
PID 2180 wrote to memory of 1156	2180	SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe	90
PID 1156 wrote to memory of 1396	1156	cmd.exe	93
PID 1156 wrote to memory of 1396	1156	cmd.exe	93
PID 1156 wrote to memory of 1396	1156	cmd.exe	93
PID 1396 wrote to memory of 2220	1396	cmd.exe	92
PID 1396 wrote to memory of 2220	1396	cmd.exe	92
PID 1396 wrote to memory of 2220	1396	cmd.exe	92
PID 1396 wrote to memory of 1580	1396	cmd.exe	95
PID 1396 wrote to memory of 1580	1396	cmd.exe	95
PID 1396 wrote to memory of 1580	1396	cmd.exe	95
PID 1156 wrote to memory of 1588	1156	cmd.exe	94
PID 1156 wrote to memory of 1588	1156	cmd.exe	94
PID 1156 wrote to memory of 1588	1156	cmd.exe	94
PID 1588 wrote to memory of 4988	1588	cmd.exe	97
PID 1588 wrote to memory of 4988	1588	cmd.exe	97
PID 1588 wrote to memory of 4988	1588	cmd.exe	97
PID 1588 wrote to memory of 3656	1588	cmd.exe	96
PID 1588 wrote to memory of 3656	1588	cmd.exe	96
PID 1588 wrote to memory of 3656	1588	cmd.exe	96
PID 1156 wrote to memory of 4964	1156	cmd.exe	98
PID 1156 wrote to memory of 4964	1156	cmd.exe	98
PID 1156 wrote to memory of 4964	1156	cmd.exe	98
PID 4964 wrote to memory of 2124	4964	cmd.exe	99
PID 4964 wrote to memory of 2124	4964	cmd.exe	99
PID 4964 wrote to memory of 2124	4964	cmd.exe	99
PID 4964 wrote to memory of 4972	4964	cmd.exe	106
PID 4964 wrote to memory of 4972	4964	cmd.exe	106
PID 4964 wrote to memory of 4972	4964	cmd.exe	106
PID 1156 wrote to memory of 1644	1156	cmd.exe	100
PID 1156 wrote to memory of 1644	1156	cmd.exe	100
PID 1156 wrote to memory of 1644	1156	cmd.exe	100
PID 1644 wrote to memory of 2200	1644	cmd.exe	105
PID 1644 wrote to memory of 2200	1644	cmd.exe	105
PID 1644 wrote to memory of 2200	1644	cmd.exe	105
PID 1644 wrote to memory of 1192	1644	cmd.exe	104
PID 1644 wrote to memory of 1192	1644	cmd.exe	104
PID 1644 wrote to memory of 1192	1644	cmd.exe	104
PID 1156 wrote to memory of 2108	1156	cmd.exe	103
PID 1156 wrote to memory of 2108	1156	cmd.exe	103
PID 1156 wrote to memory of 2108	1156	cmd.exe	103
PID 2108 wrote to memory of 2768	2108	cmd.exe	102
PID 2108 wrote to memory of 2768	2108	cmd.exe	102
PID 2108 wrote to memory of 2768	2108	cmd.exe	102
PID 2108 wrote to memory of 1284	2108	cmd.exe	101
PID 2108 wrote to memory of 1284	2108	cmd.exe	101
PID 2108 wrote to memory of 1284	2108	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe
"C:\Users\Admin\AppData\Local\Temp\SP_Flash_Tool_Driver_Auto_Installer_v1.1236.00.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver|find "5.0."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\find.exe
      find "5.0."
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver|find "5.1."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\find.exe
      find "5.1."
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver"
      4⤵
      PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver|find "5.2."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver"
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\find.exe
      find "5.2."
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver|find "6.0."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\find.exe
      find "6.0."
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver"
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver|find "6.1."
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
1⤵
PID:2220

C:\Windows\SysWOW64\find.exe
find "6.1."
1⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.bat

Filesize
1KB

MD5
4d1eb2f3f3417a0bcf1121e8b67a12df

SHA1
26579eac1583a26da95629792c6a2ff48d98909b

SHA256
b7f512c61afd09a35db7a5e6ccdadd50f69073e67650b27e0652969123b5cfe6

SHA512
fe7cb9e817015b9858f0acfbc66ac5e91ceda928d3b9f791b577fed5b6443f47ec7c469bb1a6ed16b66d835c727dfe8f2f02f34db17cf67550acb248963164f4

Download Submit