89df1eb47e24963acda027076d670844dd2923fdd76546046afba32ab783cb6c

Resubmissions

07-03-2024 15:06

240307-sg3jhseb28 10

Analysis

max time kernel
43s
max time network
60s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MyRecover_for_iOS_Setup.exe
Size

150.2MB
MD5

711914b787f57f86d85e9c94b363fe1a
SHA1

7b7bd150b40ab943382312e9acabd9ee265c214e
SHA256

07f3ca1a27b3530377b10d00b2bf3501e44e89d76f97c293ce29796416c14c5e
SHA512

8993399a4a57741ebfbeef46e3b52fe6a066441d3ee15842b342d09bed8187b01b305fc9429af824009460410498fd56666f98c006466b9e3d317bd2a13dbc18
SSDEEP

3145728:ATZoffPTtbXgviwTwBl6dbTuvkfbPYLVKcVm0:Ao3pgaU0l6devkkLVdm0

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AwrtWinsrv.datAwrtWinsrv.dat	RegClear.exe
File opened for modification	C:\Windows\SysWOW64\AwrtWinsrv.dat	RegClear.exe

Executes dropped EXE 2 IoCs

pid	Process
2644	MyRecover_for_iOS_Setup.tmp
2956	RegClear.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	MyRecover_for_iOS_Setup.exe
2644	MyRecover_for_iOS_Setup.tmp
2644	MyRecover_for_iOS_Setup.tmp
2644	MyRecover_for_iOS_Setup.tmp
2644	MyRecover_for_iOS_Setup.tmp
2644	MyRecover_for_iOS_Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2536 wrote to memory of 2644	2536	MyRecover_for_iOS_Setup.exe	30
PID 2644 wrote to memory of 2956	2644	MyRecover_for_iOS_Setup.tmp	32
PID 2644 wrote to memory of 2956	2644	MyRecover_for_iOS_Setup.tmp	32
PID 2644 wrote to memory of 2956	2644	MyRecover_for_iOS_Setup.tmp	32
PID 2644 wrote to memory of 2956	2644	MyRecover_for_iOS_Setup.tmp	32

C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\is-N24FC.tmp\MyRecover_for_iOS_Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N24FC.tmp\MyRecover_for_iOS_Setup.tmp" /SL5="$3014E,156935003,619008,C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\RegClear.exe
    "C:\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\RegClear.exe" gaid "/V2.0.0/" "Install/Microsoft Windows 7 Ultimate Eidtion 64-bit" "Run Installation" 0
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\RegClear.exe

Filesize
322KB

MD5
592a7a0cbc754a2159e6a6fbeb29639f

SHA1
9d4853c36ecb7c32c04a63d2e0494c1457f840c6

SHA256
9acf795284b9b336ad033b712b5a86b7b8193e545f4d56864ff3891237293ee5

SHA512
07300e30ae91a57403240ed0243d2809f17f0106c9230867e1be2bd0b7d446ba20208a071130bb8675378378ae3c393343aa67d3c3f2e8df76b940ec6bf7ec96

Download Submit
\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\PathFormat.dll

Filesize
188KB

MD5
7e70de8a68422051884937ebbeb446dc

SHA1
d149ad4dcb886555c57b4fafa4e2256bb4b2e159

SHA256
b06b78e3cd3b6e9c2bbe236ab846b46e757002ad7bbb7b842996ce0adc42e731

SHA512
65ab4779e8736af0071d28ceab6025e0cd39a8a5cd1c48c5bfc0341071d6cfff9a87f737c865a3d77e14b1b33827e1e610fc3050d8d82dc58321704da571b8cf

Download Submit
\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I26CO.tmp\ipc_plug.dll

Filesize
653KB

MD5
1c4fd0422b77ba720d4afff927a40c3d

SHA1
089eb2354c4b75823e72027f79ce3d02e4b21b31

SHA256
21a0d1fc97ba23e4c497e3a3d6dfcb7c6e7caf24ee60908a33809cd27fe98bc8

SHA512
78bca18fe8c5bc4dac744174b910ad9a25563259c5598e8c0a5e85fb1cadefa5b91a0b716617e39a4a79f1d223966cbd87a6acc6fe6465504fa3eb354b22a6e9

Download Submit
\Users\Admin\AppData\Local\Temp\is-N24FC.tmp\MyRecover_for_iOS_Setup.tmp

Filesize
1.9MB

MD5
960543892c9040a4bb985005a9ee49e2

SHA1
4154a4e4921fc61fa10b997c66545971454c07da

SHA256
9f6fa8200d2da592a53622189a54ab0c8bb20f54a03e1a8ac59aa9692b897a17

SHA512
12453c96d5a12754b2474475165c524858d1946fd0956645efa01c3f7fbb2ece8414d2d35d848e21938f1f93ebfc7bf17968e960ef047e68d5f87280161aaf3e

Download Submit
memory/2536-1-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2536-32-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2644-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2644-33-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2644-36-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download