325379ac3d6cb0de1e119d5e05c4fbc8f3a3c35107e0817923d27bd70e344f0d

Analysis

max time kernel
124s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDA Pro 7.5.rar
Size

333.4MB
MD5

1400d149768bc74ac0d1559ba61f2fd0
SHA1

16bd68dbd97847f17a6ced761cf4f4f78ed05b33
SHA256

325379ac3d6cb0de1e119d5e05c4fbc8f3a3c35107e0817923d27bd70e344f0d
SHA512

f84fc596f9a2455358ec4f67286c99f478ec4f96dec485a358ff109c0e7cf6c09f96b88d6e135415a9afc84a80c38db985f10d90d2c9c912f8d3148badcfae77
SSDEEP

6291456:C6wtcHJdHFxgTO6+O/ZNxFHZ4HWdN2T9a2HAgo9PYfQFD84G/+eQsu7ALF/xUx:b8okT+ENxFHqHWdkTngL93SLQP7Ah2x

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
544	ida64.exe

Loads dropped DLL 6 IoCs

pid	Process
544	ida64.exe
544	ida64.exe
544	ida64.exe
544	ida64.exe
544	ida64.exe
544	ida64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	420	7zFM.exe
Token: 35	420	7zFM.exe
Token: SeRestorePrivilege	4540	7zG.exe
Token: 35	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
420	7zFM.exe
4540	7zG.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 420	544	cmd.exe	93
PID 544 wrote to memory of 420	544	cmd.exe	93

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\" -spe -an -ai#7zMap19469:102:7zEvent24943
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\ida64.exe
"C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\ida64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\Qt5Core.dll

Filesize
5.3MB

MD5
770c19c0938faaec8a471291af3b8258

SHA1
18426b403007556702ee1dba703b88dacdf6442a

SHA256
f4bb94194c6cc946f4cc2f9f331a0e4dc08a6180f95250bc404f993c0f082762

SHA512
f0705a4ed45f7dd0a96e1b16a557927d16128d4c3f1bc0e0fe099a4c6fda030276d2c067b7a682cb8a1973ac3267980566898f635ca113335034c666821886c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\Qt5Gui.dll

Filesize
6.0MB

MD5
e3ddcbf6454378030fb21616c301418f

SHA1
34c9ef4fcaef11ce2f44d8f1de626e1deccb7617

SHA256
233116a16585ecff6a7e8f500efa52a6e1277601898ffce1d100f828eb29b745

SHA512
414db90adb094320b3f92180b1c68d0f43b5cf98efc2278199f0fe8687e870cc49516ffb931c6faa30384e3b46279df78b8247ac5839a649724d993489925674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\Qt5Gui.dll

Filesize
5.5MB

MD5
90bca2bc28d406f159e19ce61d9cad5d

SHA1
6397c18a6a8f3e513eae304c6f6c6b17a6369421

SHA256
90d03058205022c6bfcc8e0136cb2c5870f18d53678172672b30034de77e1b5d

SHA512
2b6b0db83d3078e4692069a28d882cd95153f343b9ba556750a7750c21975ff7dd39108d2b856827baec15b86c4fb89ca2ad757cd2748d3b3ef4e4ca33b133ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\Qt5PrintSupport.dll

Filesize
316KB

MD5
9202512581c2ecdcbc68101bd609cdb1

SHA1
1a94dd729f345e2d98c555287afda49f7a4ad377

SHA256
8f228458a99aca0f6aa5aa2f366bee096193e2d52baa4cbe88bcd17cce2518e1

SHA512
9fbc4a61bfbb60dd7de68a1c3181e7eefe34d8381ea7ca3699321aa8e990355b9ebd72c1ebd9e49e397a01108c20ff1566b95ce696aedca23b190f3c72db5de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\Qt5Widgets.dll

Filesize
5.3MB

MD5
ce299d5dca46de56813e8e5c269c961f

SHA1
96d7b66b1251802108c998b67c6273e26f870c26

SHA256
282475dd2c8148638000ecde4132f6eb29d4e6e56eb1c0f2e3897dba60195541

SHA512
4b53eb780c57c256753fb42be173ffa7eea14c65cebc0263da333e2f22cc40ffe7a2617e7cfe32321112535de99178341f6f9756429fa51d79d0839fc47a5120

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\ida64.dll

Filesize
3.4MB

MD5
e9b6c058f98fac1d0e689e21feb902fe

SHA1
b5ad80c1ce98d37cfaeec22533551c4f9d464a02

SHA256
4818a72f3a22ecdc4f5e272fc2b41e2561d42c8aa65b723f7a9f945305e7c447

SHA512
67abf1e3aa627fe5ccf2774cf9761c7229543c8456cf0f3b21a5ed1a82d3a7686c0e791100685b8dc3a05519e87282e3c8d96079d3f474de0fd88f97ff84d6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\ida64.exe

Filesize
4.0MB

MD5
49c792b5be71d206e1ee75c06829ca0c

SHA1
8cbea26408f807694e59c7d013f38867ff613f44

SHA256
1d505c8aa64a559be8514a042cb5b14711d3ddc6cc841e327d79f3d7faa7d9e5

SHA512
193caea24d97de2837ab827df29adf77f0f2558c34479a229284ea02a950390c93977b58d258c52397c6930e1e762f0fe7515f2eec36cf4c0ca774158942ff52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\python\2\PyQt5\uic\port_v2\__init__.py

Filesize
548B

MD5
8e40717de96792f3f07cc9233be4743c

SHA1
6de35101b0ce8fdb91729d54668006f694cffd25

SHA256
4fb2f6155bfb5efd7b9f5df6f80e11fb3d7997657fc2c8282c0189a3177dfe3c

SHA512
f0072d85733febcd67d10bac289f1f90d1b929fe1aaf1e90a09b5dd1836b47f183dc8e9f671ab599c74625b984c8336ef32be44914c0c532d240c7486b951bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDA Pro 7.5\python\3\PyQt5\python_3.8\sip.pyi

Filesize
2KB

MD5
659c59af4841ab542bc5ae43abe187c9

SHA1
838206246c95a4b673408c78fc6b294246d53913

SHA256
618cdf56d2935c762f32b9c73e5e998ddc471f5f70c4c5a980dc22386e898279

SHA512
e88d5cba70a86aee598d14305eb92baa9f22ba3f0c06ef108334f663413ab54c8a6dd9e57b13a31834a8e80cb86e455a97bfa806a1697ea39a639dca79be4aa6

Download Submit
memory/544-2896-0x0000000068C70000-0x00000000691CA000-memory.dmp

Filesize
5.4MB

Download
memory/544-2895-0x00007FF7DE4F0000-0x00007FF7DE906000-memory.dmp

Filesize
4.1MB

Download