Analysis
-
max time kernel
23s -
max time network
30s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar
Resource
win10v2004-20240226-en
General
-
Target
DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar
-
Size
1.1MB
-
MD5
cb80960b9a14711e70278bec71f14bbc
-
SHA1
0fadfe3996315a1d5eeb2c384a3e12ced1d20925
-
SHA256
01e8a1ca1f1bf33e403c46728290c2b82c7587233d32c82752f72b10f7a3f5e7
-
SHA512
4cff873710d4977dc55fa22d97ba15282f63cc6cc931f2201826c0995a7f620e7c46af1d8be6ee53c6d602b99c5b4185a468ad3f17448a82ee3444685489105d
-
SSDEEP
24576:QzJ6DGQqBbVwn6c+O0EcCPSR70/g/nucNygVJKz4NBbZxe9/XH:QzCRAVG5fauGs+JKQbihH
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
7zFM.exedescription pid process Token: SeRestorePrivilege 4792 7zFM.exe Token: 35 4792 7zFM.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
7zFM.exepid process 4792 7zFM.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 3904 wrote to memory of 4792 3904 cmd.exe 7zFM.exe PID 3904 wrote to memory of 4792 3904 cmd.exe 7zFM.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DEVELOPER_SNIPER_JOD_DARK_ESSENTIAL_PLAN.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow