059573775752d0f7d05bf7d0a540908127fa7b9c55199927c760704d77d392cd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 12:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fy-v1.25beta1.rar/Setup_1.25_Beta2.exe
Size

7.1MB
MD5

a95594a3ec99c734e7f6f286b71202c2
SHA1

14e2805487c8004a56989ae8f2506761ad26bea7
SHA256

5a1824544110e2c322cbc542d33c94c5597b9e91e98b26edce8e26c585af71eb
SHA512

b7c1b8168bb6e3f6f3682fb68d7488c07babcf4248ccd5859ed3011d20c5b8c65715969242342626ed77868bba486d82c7eefea194439e1c118ddcea9895cd95
SSDEEP

196608:gsm1HrWBfW8PvWPmSke2XrrAqUoktfaJT1XplC2INo3kLwD5R:gsUKkAMmbe+3vDkqXPn3RR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Setup_1.25_Beta2.exe

Executes dropped EXE 1 IoCs

pid	Process
3540	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3540	Setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3540	3812	Setup_1.25_Beta2.exe	93
PID 3812 wrote to memory of 3540	3812	Setup_1.25_Beta2.exe	93
PID 3812 wrote to memory of 3540	3812	Setup_1.25_Beta2.exe	93

C:\Users\Admin\AppData\Local\Temp\fy-v1.25beta1.rar\Setup_1.25_Beta2.exe
"C:\Users\Admin\AppData\Local\Temp\fy-v1.25beta1.rar\Setup_1.25_Beta2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe" /setup
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
815KB

MD5
cd5524a374f79f0be1cd27d673a2a200

SHA1
7008adf0d245b853fd8e907fd56488666bff8d35

SHA256
55057a14e6da79342fe8db3f316aa04c7c74cdafb062991898a683ab2b7639a2

SHA512
cd99cf99315309ae5deeb9eb3a01bad93e2a07109b80d7c27b11ba8b27940076a2337b150aae40d3d48ff29a18989b64b793091535b009b1274b42f87c9e00d9

Download Submit
memory/3540-46-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/3540-48-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3540-51-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/3812-47-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download