Analysis
max time kernel: 97s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 19:54
Static task: static1
Behavioral task: behavioral1
Sample: og_simfphys_pack.rar
Resource: win10v2004-20231215-en
General
Target: og_simfphys_pack.rar
Size: 163.1MB
MD5: e41d388bb2858fec17682c0970bd3de6
SHA1: 4d27bee065daa9ef82d2bd2f364b554edaf2d09e
SHA256: b34dc9d792b2d12b9de8e6d859df0c339952d7f4c70900e76c1baedd25c24f6f
SHA512: a2b06f29b33a649a0f404c6f7bbca47995e95a64460316edfb0818daf7556c6e0cc4537cb6327158f517652b18bdb263326545200bd3042c1dc663259ec6a733
SSDEEP: 3145728:fGAtED+2L1clZ0qzIRYrBpYg/UlvgOqbdtxlE61KUDvIi6BveffXBR1o+Dd0zxRa:fJSVXq0AHD/UlvgOqbdCUDvIgfx8zba
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, 7zFM.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | cmd.exe
    Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 7zFM.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 7zFM.exe
    pid | process
    3120 | 7zFM.exe
    3120 | 7zFM.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: 7zFM.exe
    pid | process
    3120 | 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 7zFM.exe
    description | pid | process
    Token: SeRestorePrivilege | 3120 | 7zFM.exe
    Token: 35 | 3120 | 7zFM.exe
    Token: SeSecurityPrivilege | 3120 | 7zFM.exe
    Token: SeSecurityPrivilege | 3120 | 7zFM.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: 7zFM.exe
    pid | process
    3120 | 7zFM.exe
    3120 | 7zFM.exe
    3120 | 7zFM.exe
    3120 | 7zFM.exe
    3120 | 7zFM.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe, 7zFM.exe
    description | pid | process | target process
    PID 3644 wrote to memory of 3120 | 3644 | cmd.exe | 7zFM.exe
    PID 3644 wrote to memory of 3120 | 3644 | cmd.exe | 7zFM.exe
    PID 3120 wrote to memory of 368 | 3120 | 7zFM.exe | NOTEPAD.EXE
    PID 3120 wrote to memory of 368 | 3120 | 7zFM.exe | NOTEPAD.EXE
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\og_simfphys_pack.rar
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3644
   2. C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\og_simfphys_pack.rar"
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3120
      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO03C3D1F8\functions whatever.txt
         PID: 368
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 5d517f963259ec5a5f4131577388c05c
SHA1: eec79cd1dcf72aae664c8927eadcbc96077b933f
SHA256: 9b8f7521ceda82d5648fa1a41c08e8be287074d0229c396e4f25e6ab70075fca
SHA512: be1cd6e393bca51b2da371b9617bc0730a4b9e5d66b3303dff4ec5ed020e7e802a7e304423a6d35f57697f69180c4c72f9ab6b0eff205f693ad3fedd48470886