89df1eb47e24963acda027076d670844dd2923fdd76546046afba32ab783cb6c

Resubmissions

07-03-2024 15:06

240307-sg3jhseb28 10

Analysis

max time kernel
183s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MyRecover_for_iOS_Setup.exe
Size

150.2MB
MD5

711914b787f57f86d85e9c94b363fe1a
SHA1

7b7bd150b40ab943382312e9acabd9ee265c214e
SHA256

07f3ca1a27b3530377b10d00b2bf3501e44e89d76f97c293ce29796416c14c5e
SHA512

8993399a4a57741ebfbeef46e3b52fe6a066441d3ee15842b342d09bed8187b01b305fc9429af824009460410498fd56666f98c006466b9e3d317bd2a13dbc18
SSDEEP

3145728:ATZoffPTtbXgviwTwBl6dbTuvkfbPYLVKcVm0:Ao3pgaU0l6devkkLVdm0

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	MyRecover_for_iOS_Setup.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AwrtWinsrv.datAwrtWinsrv.dat	RegClear.exe
File opened for modification	C:\Windows\SysWOW64\AwrtWinsrv.dat	RegClear.exe

Executes dropped EXE 2 IoCs

pid	Process
488	MyRecover_for_iOS_Setup.tmp
2752	RegClear.exe

Loads dropped DLL 2 IoCs

pid	Process
488	MyRecover_for_iOS_Setup.tmp
488	MyRecover_for_iOS_Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeAuditPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeSecurityPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeTakeOwnershipPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeManageVolumePrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeRestorePrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeBackupPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeLoadDriverPrivilege	488	MyRecover_for_iOS_Setup.tmp
Token: SeSystemEnvironmentPrivilege	488	MyRecover_for_iOS_Setup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 488	4476	MyRecover_for_iOS_Setup.exe	99
PID 4476 wrote to memory of 488	4476	MyRecover_for_iOS_Setup.exe	99
PID 4476 wrote to memory of 488	4476	MyRecover_for_iOS_Setup.exe	99
PID 488 wrote to memory of 2752	488	MyRecover_for_iOS_Setup.tmp	101
PID 488 wrote to memory of 2752	488	MyRecover_for_iOS_Setup.tmp	101
PID 488 wrote to memory of 2752	488	MyRecover_for_iOS_Setup.tmp	101

C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\is-0SAOV.tmp\MyRecover_for_iOS_Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0SAOV.tmp\MyRecover_for_iOS_Setup.tmp" /SL5="$C002E,156935003,619008,C:\Users\Admin\AppData\Local\Temp\MyRecover_for_iOS_Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\is-IQM1M.tmp\RegClear.exe
    "C:\Users\Admin\AppData\Local\Temp\is-IQM1M.tmp\RegClear.exe" gaid "/V2.0.0/" "Install/Microsoft Windows 10 Pro 64-bit" "Run Installation" 0
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5060 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0SAOV.tmp\MyRecover_for_iOS_Setup.tmp

Filesize
1.9MB

MD5
960543892c9040a4bb985005a9ee49e2

SHA1
4154a4e4921fc61fa10b997c66545971454c07da

SHA256
9f6fa8200d2da592a53622189a54ab0c8bb20f54a03e1a8ac59aa9692b897a17

SHA512
12453c96d5a12754b2474475165c524858d1946fd0956645efa01c3f7fbb2ece8414d2d35d848e21938f1f93ebfc7bf17968e960ef047e68d5f87280161aaf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQM1M.tmp\PathFormat.dll

Filesize
188KB

MD5
7e70de8a68422051884937ebbeb446dc

SHA1
d149ad4dcb886555c57b4fafa4e2256bb4b2e159

SHA256
b06b78e3cd3b6e9c2bbe236ab846b46e757002ad7bbb7b842996ce0adc42e731

SHA512
65ab4779e8736af0071d28ceab6025e0cd39a8a5cd1c48c5bfc0341071d6cfff9a87f737c865a3d77e14b1b33827e1e610fc3050d8d82dc58321704da571b8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQM1M.tmp\RegClear.exe

Filesize
322KB

MD5
592a7a0cbc754a2159e6a6fbeb29639f

SHA1
9d4853c36ecb7c32c04a63d2e0494c1457f840c6

SHA256
9acf795284b9b336ad033b712b5a86b7b8193e545f4d56864ff3891237293ee5

SHA512
07300e30ae91a57403240ed0243d2809f17f0106c9230867e1be2bd0b7d446ba20208a071130bb8675378378ae3c393343aa67d3c3f2e8df76b940ec6bf7ec96

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IQM1M.tmp\ipc_plug.dll

Filesize
653KB

MD5
1c4fd0422b77ba720d4afff927a40c3d

SHA1
089eb2354c4b75823e72027f79ce3d02e4b21b31

SHA256
21a0d1fc97ba23e4c497e3a3d6dfcb7c6e7caf24ee60908a33809cd27fe98bc8

SHA512
78bca18fe8c5bc4dac744174b910ad9a25563259c5598e8c0a5e85fb1cadefa5b91a0b716617e39a4a79f1d223966cbd87a6acc6fe6465504fa3eb354b22a6e9

Download Submit
memory/488-6-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/488-33-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/488-36-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4476-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4476-32-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download