01e8a1ca1f1bf33e403c46728290c2b82c7587233d32c82752f72b10f7a3f5e7

Analysis

max time kernel
23s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar
Size

1.1MB
MD5

cb80960b9a14711e70278bec71f14bbc
SHA1

0fadfe3996315a1d5eeb2c384a3e12ced1d20925
SHA256

01e8a1ca1f1bf33e403c46728290c2b82c7587233d32c82752f72b10f7a3f5e7
SHA512

4cff873710d4977dc55fa22d97ba15282f63cc6cc931f2201826c0995a7f620e7c46af1d8be6ee53c6d602b99c5b4185a468ad3f17448a82ee3444685489105d
SSDEEP

24576:QzJ6DGQqBbVwn6c+O0EcCPSR70/g/nucNygVJKz4NBbZxe9/XH:QzCRAVG5fauGs+JKQbihH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 4792 7zFM.exe
Token: 35 4792 7zFM.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zFM.exe

pid process

4792 7zFM.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3904 wrote to memory of 4792 3904 cmd.exe 7zFM.exe
PID 3904 wrote to memory of 4792 3904 cmd.exe 7zFM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeRestorePrivilege	4792	7zFM.exe
Token: 35	4792	7zFM.exe

pid	process
4792	7zFM.exe

description	pid	process	target process
PID 3904 wrote to memory of 4792	3904	cmd.exe	7zFM.exe
PID 3904 wrote to memory of 4792	3904	cmd.exe	7zFM.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads