3ed46144735c63a90aa11123cbcfd11c778564c6f0e38c1100f15dd227a5d05c

Analysis

max time kernel
132s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SFVIP-Player-x64/Updater.exe
Size

205KB
MD5

1167f37e5bc323f8bb2dcdb565ed9d9c
SHA1

3952d65679abaa500c2cd71b68a79f68bc1de024
SHA256

96703fa2c46d73ee8c3d4e907804f2e747d3241a8c3e14ec75d08b6b66a7a5dc
SHA512

4f99dda54dcb481e19852b30d5c9c68b5ae499bbbb1be59b06184b48a8ef901d5965da97424779a3af2c94cf59fe77b08f7c5948a5f7128b02b851af1efc8fdf
SSDEEP

3072:EDPzfc126+ToKe7WSA7hqToKe7WSAphS:xkoKe2WoKeQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Updater.exe

Executes dropped EXE 3 IoCs

pid	Process
2120	Updater.exe
3536	Updater.exe
3084	sfvip player.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	Updater.exe
Token: SeDebugPrivilege	3084	sfvip player.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2120	5024	Updater.exe	83
PID 5024 wrote to memory of 2120	5024	Updater.exe	83
PID 2120 wrote to memory of 3536	2120	Updater.exe	84
PID 2120 wrote to memory of 3536	2120	Updater.exe	84
PID 3536 wrote to memory of 3084	3536	Updater.exe	87
PID 3536 wrote to memory of 3084	3536	Updater.exe	87

C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Updater.exe" -Update "C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe" -Clean
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\sfvip player.exe
      "C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\sfvip player.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Updater.exe.log

Filesize
2KB

MD5
ae98bd2d43b819841abe713a8b803ecb

SHA1
1f7711ff263159cac9aa6b6902dbec722f3df67f

SHA256
5b5e6ea00d747cc516bf4d8fe823911dcd8c4fe77ffdfe3f51a1b4fec6f79b1e

SHA512
9bbf167e0e46fbe57c024fb29247e8a96d3a215303907577dbddc7e0aa972c0f00ac73d1cc811619041dc7d7c18c67fee7541686b8623e62fb005045d432d515

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\Updater.exe

Filesize
360KB

MD5
da0ce2e508257db01a1f9fa3117f3d20

SHA1
b78eae612eab5d65cc9f8ebe024ae05b99034344

SHA256
88173972e3a73596aa6197b733cc59509ea2f3077b6eb3f922040da3fc6060d8

SHA512
8c0bc1d2ea840d3b4c82f06375a28b012182020fe01ab9b8bcb824a6e6629134e3ff26c578bbe854e98bb5d96a73d96a60ff7ecbf00137e99bdead8dbd345d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\languages\English.xaml

Filesize
23KB

MD5
32f998dd26b27e45378946e42659d581

SHA1
ab92eb18f5ebca8e774c99f49a6423e8932915ce

SHA256
e0e9128b1071144213c2f80d123939d537404eb4b0ed5d0b57cc4239fa97de62

SHA512
69e79206f80bb3c14a16a43047e38162549c5958c224228060645189c31e956880081c554a2131d197cf81574cbe625ea868598f876ea668835d76c6d7062a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\libmpv.dll

Filesize
428KB

MD5
917d4de2a361211366d461c12a4f49f4

SHA1
fe1ef6a2a0e08ddb0cc5206681fd9f544cefaf66

SHA256
0ea908c745e0cfb01c9c4539ef31c20f0c9cd52aecaf5cab32851adc3d5495e6

SHA512
270c611997a5f93daa8634b86ff20db2bd8e55a896fd6b88480f562bb52fafbf859afdf03a46961530d7c3ee221af6e70b249ebe49139695fe30a2602915d8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\libthemes.dll

Filesize
478KB

MD5
24178b595b2542beba6513d3841f24e0

SHA1
593861c9004b71b71a542a1d9a111315e82248fa

SHA256
09eb25d8f02ea4949ca2faa2c882973d2c55da555d79c43f711fcf86842361bb

SHA512
11479842a47fbcc3561f85ad8acbcbe3ce69b56d1588dbb8e747438b493d4892e622a5a15871b7981933f71f51184e58fa56f96ded7e0c2b7da1fa89b80ed6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\sfvip player.exe

Filesize
853KB

MD5
9d5eb08c1f77ee9cc639daf12202e9ce

SHA1
955594c1d083433db1354b935d76a629e38b437a

SHA256
0850c2a156096dc2fcf9cfb04c49495d83c30eaa5e9f77e98408dfce723b517b

SHA512
34b59be47e287a74e50845364e65ca37f316be185c170b1b0615228b749ae9cf31e52c7176acb6d38b13cbf027c24f28ae62d474faf21b684aeea4e4b25c0269

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFVIP-Player-x64\sfvip player.exe.config

Filesize
178B

MD5
fa4323d079346ecb5bd95a9a46c61cd0

SHA1
0260f7621ce53ca3918d918c1730affa46885bf8

SHA256
1db230d0cecfb848155ced039164e79b146efb10e0804154ce643eca6438a0b5

SHA512
aa2343b23e42e77153a9289487adc8996e64b55a08ae94cd4fb99fc5c873d70270e6792e9705ff6962fee88eea31d850c268c10aef3311b0fa4c5b174aa6e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
205KB

MD5
1167f37e5bc323f8bb2dcdb565ed9d9c

SHA1
3952d65679abaa500c2cd71b68a79f68bc1de024

SHA256
96703fa2c46d73ee8c3d4e907804f2e747d3241a8c3e14ec75d08b6b66a7a5dc

SHA512
4f99dda54dcb481e19852b30d5c9c68b5ae499bbbb1be59b06184b48a8ef901d5965da97424779a3af2c94cf59fe77b08f7c5948a5f7128b02b851af1efc8fdf

Download Submit
memory/2120-22-0x00000137AF160000-0x00000137AF170000-memory.dmp

Filesize
64KB

Download
memory/2120-23-0x00000137AF160000-0x00000137AF170000-memory.dmp

Filesize
64KB

Download
memory/2120-21-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/2120-143-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/3084-162-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-161-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-165-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-164-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/3084-163-0x000001E5BE050000-0x000001E5BE058000-memory.dmp

Filesize
32KB

Download
memory/3084-167-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-153-0x000001E5BAEF0000-0x000001E5BAF6E000-memory.dmp

Filesize
504KB

Download
memory/3084-166-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-158-0x000001E5BB060000-0x000001E5BB0D2000-memory.dmp

Filesize
456KB

Download
memory/3084-168-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-148-0x000001E59F100000-0x000001E59F1DA000-memory.dmp

Filesize
872KB

Download
memory/3084-149-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/3084-150-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3084-152-0x000001E5BAEE0000-0x000001E5BAEF0000-memory.dmp

Filesize
64KB

Download
memory/3536-139-0x000002936E490000-0x000002936E4EE000-memory.dmp

Filesize
376KB

Download
memory/3536-144-0x0000029370070000-0x0000029370080000-memory.dmp

Filesize
64KB

Download
memory/3536-156-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/3536-140-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/3536-141-0x0000029370070000-0x0000029370080000-memory.dmp

Filesize
64KB

Download
memory/3536-142-0x0000029370070000-0x0000029370080000-memory.dmp

Filesize
64KB

Download
memory/5024-2-0x0000023898710000-0x0000023898720000-memory.dmp

Filesize
64KB

Download
memory/5024-1-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/5024-3-0x0000023898710000-0x0000023898720000-memory.dmp

Filesize
64KB

Download
memory/5024-0-0x00000238FE0F0000-0x00000238FE126000-memory.dmp

Filesize
216KB

Download
memory/5024-6-0x00000238FFC80000-0x00000238FFC8E000-memory.dmp

Filesize
56KB

Download
memory/5024-4-0x0000023898710000-0x0000023898720000-memory.dmp

Filesize
64KB

Download
memory/5024-20-0x00007FF9B7050000-0x00007FF9B7B11000-memory.dmp

Filesize
10.8MB

Download
memory/5024-5-0x00000238FFCB0000-0x00000238FFCE8000-memory.dmp

Filesize
224KB

Download