841f53fc09a19fc5edd5e18ef724432e14abadbd3aa040c248b2daeb84c98ab5

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xone.crack.rar
Size

1.7MB
MD5

2296fb98f59c1838a2d0be321d48d75a
SHA1

dfd35f27d572c07d55bef988dc2e039d47315f47
SHA256

841f53fc09a19fc5edd5e18ef724432e14abadbd3aa040c248b2daeb84c98ab5
SHA512

1bd577a3340281bed1c1cde6ee65eae31f11994e67fa7a594fecef6d31e36589ff495d46a8daff41ae15f185fbefd88c49d8042ca8ed0d536f4bd868bef8ebf6
SSDEEP

49152:UWm6d5sOY8JFCXBqKkcKdJKG900cMfx3J48HTWronskPZ:06rsECXmcysGGUfJ6QT1R

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 3684 7zFM.exe
Token: 35 3684 7zFM.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zFM.exe

pid process

3684 7zFM.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4776 wrote to memory of 3684 4776 cmd.exe 7zFM.exe
PID 4776 wrote to memory of 3684 4776 cmd.exe 7zFM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeRestorePrivilege	3684	7zFM.exe
Token: 35	3684	7zFM.exe

pid	process
3684	7zFM.exe

description	pid	process	target process
PID 4776 wrote to memory of 3684	4776	cmd.exe	7zFM.exe
PID 4776 wrote to memory of 3684	4776	cmd.exe	7zFM.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xone.crack.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\xone.crack.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads