b34dc9d792b2d12b9de8e6d859df0c339952d7f4c70900e76c1baedd25c24f6f

Analysis

max time kernel
97s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

og_simfphys_pack.rar
Size

163.1MB
MD5

e41d388bb2858fec17682c0970bd3de6
SHA1

4d27bee065daa9ef82d2bd2f364b554edaf2d09e
SHA256

b34dc9d792b2d12b9de8e6d859df0c339952d7f4c70900e76c1baedd25c24f6f
SHA512

a2b06f29b33a649a0f404c6f7bbca47995e95a64460316edfb0818daf7556c6e0cc4537cb6327158f517652b18bdb263326545200bd3042c1dc663259ec6a733
SSDEEP

3145728:fGAtED+2L1clZ0qzIRYrBpYg/UlvgOqbdtxlE61KUDvIi6BveffXBR1o+Dd0zxRa:fJSVXq0AHD/UlvgOqbdCUDvIgfx8zba

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies registry class 2 IoCs

Processes:

cmd.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid process

3120 7zFM.exe
3120 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3120 7zFM.exe

pid	process
3120	7zFM.exe
3120	7zFM.exe

pid	process
3120	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	3120	7zFM.exe
Token: 35	3120	7zFM.exe
Token: SeSecurityPrivilege	3120	7zFM.exe
Token: SeSecurityPrivilege	3120	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exe

pid process

3120 7zFM.exe
3120 7zFM.exe
3120 7zFM.exe
3120 7zFM.exe
3120 7zFM.exe

pid	process
3120	7zFM.exe
3120	7zFM.exe
3120	7zFM.exe
3120	7zFM.exe
3120	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe7zFM.exe

description	pid	process	target process
PID 3644 wrote to memory of 3120	3644	cmd.exe	7zFM.exe
PID 3644 wrote to memory of 3120	3644	cmd.exe	7zFM.exe
PID 3120 wrote to memory of 368	3120	7zFM.exe	NOTEPAD.EXE
PID 3120 wrote to memory of 368	3120	7zFM.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\og_simfphys_pack.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\og_simfphys_pack.rar"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO03C3D1F8\functions whatever.txt
3⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO03C3D1F8\functions whatever.txt

Filesize
5KB

MD5
5d517f963259ec5a5f4131577388c05c

SHA1
eec79cd1dcf72aae664c8927eadcbc96077b933f

SHA256
9b8f7521ceda82d5648fa1a41c08e8be287074d0229c396e4f25e6ab70075fca

SHA512
be1cd6e393bca51b2da371b9617bc0730a4b9e5d66b3303dff4ec5ed020e7e802a7e304423a6d35f57697f69180c4c72f9ab6b0eff205f693ad3fedd48470886

Download Submit