Overview

overview

7

Static

static

7

anyfix-ios...2).exe

windows7-x64

6

anyfix-ios...2).exe

windows10-2004-x64

5

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...Vs.dll

windows7-x64

3

$PLUGINSDI...Vs.dll

windows10-2004-x64

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDI...ib.dll

windows7-x64

1

$PLUGINSDI...ib.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...up.exe

windows7-x64

7

$PLUGINSDI...up.exe

windows10-2004-x64

7

$PLUGINSDI...00.dll

windows7-x64

1

$PLUGINSDI...00.dll

windows10-2004-x64

1

$PLUGINSDI...00.dll

windows7-x64

1

$PLUGINSDI...00.dll

windows10-2004-x64

1

$PLUGINSDIR/nsDui.dll

windows7-x64

3

$PLUGINSDIR/nsDui.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

$PLUGINSDI...ll.exe

windows7-x64

4

$PLUGINSDI...ll.exe

windows10-2004-x64

5

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    31s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    02-05-2024 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    anyfix-ios-system-recovery-en-setup (2).exe

  • Size

    7.1MB

  • MD5

    9c3c41d2f9b7d33d38641e85ba0a5fd9

  • SHA1

    5e3fc663df59515cdf7eb9c4c0a43130a26689ba

  • SHA256

    0609ebd4157f1b0591ab2a98749c0073a479ffae8e3eb5ba560838bb3eaaa0c5

  • SHA512

    2a38369f24c28c310e6ed98506fc89177a00e2766a89ed992fca5867bec55f0125aa0403fe619d051044acdf6f0dfe63c230e072e3732693cd51cce43f616a06

  • SSDEEP

    98304:2aswfDVoKwsGwFzDXoAgjrpeuUaCp1o9Djk5mfZwg4yCr78VEZ7W9xlWes3bdjOi:2VwVssGOzDXYU/s5IsBwTLQGWblMLs/y

Score
6/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops file in Program Files directory 39 IoCs
  • Loads dropped DLL 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\anyfix-ios-system-recovery-en-setup (2).exe
    "C:\Users\Admin\AppData\Local\Temp\anyfix-ios-system-recovery-en-setup (2).exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"E4710679\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w""
      2⤵
        PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"E4710679\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w""
        2⤵
          PID:2948
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="thunder" dir=in program="C:\Program Files (x86)\iMobie\AnyFix - iOS System Recovery\xldownload\download\MiniThunderPlatform.exe" action=allow
          2⤵
          • Modifies Windows Firewall
          PID:1708
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="thunder" dir=out program="C:\Program Files (x86)\iMobie\AnyFix - iOS System Recovery\xldownload\download\MiniThunderPlatform.exe" action=allow
          2⤵
          • Modifies Windows Firewall
          PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"E4710679\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Download Try Again\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w""
          2⤵
            PID:2436
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"E4710679\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Download Try Again\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w""
            2⤵
              PID:2860
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
            1⤵
              PID:780

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\nsyBB5.tmp\xl.7z
              Filesize

              2.2MB

              MD5

              9131dccf1db6284a3ca3b18cc16da468

              SHA1

              73337e7408cea4bf27cbf319233aeb58136c9f0f

              SHA256

              0c142ca564c20bc1325412d37a0b7977fb33fc285a586c16cccc93873cc344b2

              SHA512

              1f50d9fa769ea3e7a7d2d913e0f09d62af874edc4738f6ab5ded92524435c6f5d004235f5d7d31130d9e7fd371f026639d794154106afe17d0022faa761bbb59

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\BgWorker.dll
              Filesize

              2KB

              MD5

              33ec04738007e665059cf40bc0f0c22b

              SHA1

              4196759a922e333d9b17bda5369f14c33cd5e3bc

              SHA256

              50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

              SHA512

              2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\CheckProVs.dll
              Filesize

              7KB

              MD5

              62e85098ce43cb3d5c422e49390b7071

              SHA1

              df6722f155ce2a1379eff53a9ad1611ddecbb3bf

              SHA256

              ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

              SHA512

              dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\ExecDos.dll
              Filesize

              6KB

              MD5

              774e3b33d151413dc826bf2421cd51e8

              SHA1

              ab2928dcf6fa54bb9eb16e5f64bfcffaaeee90fa

              SHA256

              91d5481f576382164703e4ac244052265769377838ac30233ad79c983ed9d454

              SHA512

              3cf955b13e81e4b6edb292df751ce7f64b0cf30979f57b1609f002859b4e68adc046b6674f76f7b7ce7144382316c344c11fed02d638e62fcc8464c32795a365

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\GoogleTracingLib.dll
              Filesize

              36KB

              MD5

              d8fca35ff95fe00a7174177181f8bd13

              SHA1

              fbafea4d2790dd2c0d022dfb08ded91de7f5265e

              SHA256

              ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

              SHA512

              eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\System.dll
              Filesize

              11KB

              MD5

              ca332bb753b0775d5e806e236ddcec55

              SHA1

              f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

              SHA256

              df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

              SHA512

              2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\msvcp100.dll
              Filesize

              593KB

              MD5

              d029339c0f59cf662094eddf8c42b2b5

              SHA1

              a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

              SHA256

              934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

              SHA512

              021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\msvcr100.dll
              Filesize

              809KB

              MD5

              366fd6f3a451351b5df2d7c4ecf4c73a

              SHA1

              50db750522b9630757f91b53df377fd4ed4e2d66

              SHA256

              ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

              SHA512

              2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\nsDui.dll
              Filesize

              3.1MB

              MD5

              da277c7997c003698b5fb0b8bb9491bb

              SHA1

              c897c3d8809d9af00ab05cdbd1eb3f35f9e98d23

              SHA256

              e49008ab87c0f707fb2cac811b3a2c74ba82ee7f6e91635f5cf5ed6e3c2c09e7

              SHA512

              cd3b73449bdbfceba3d6975f749d91f9c75b312bebc670aedb2facd42e3c0d3d4775c77bea024d949502278e7539d2052ad96411677fd663961979fa6d456367

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\nsProcess.dll
              Filesize

              4KB

              MD5

              f0438a894f3a7e01a4aae8d1b5dd0289

              SHA1

              b058e3fcfb7b550041da16bf10d8837024c38bf6

              SHA256

              30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

              SHA512

              f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

              Download Submit

            • \Users\Admin\AppData\Local\Temp\nsyBB5.tmp\nsis7z.dll
              Filesize

              313KB

              MD5

              06a47571ac922f82c098622b2f5f6f63

              SHA1

              8a581c33b7f2029c41edaad55d024fc0d2d7c427

              SHA256

              e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

              SHA512

              04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

              Download Submit

            • memory/2008-76-0x0000000004030000-0x0000000004031000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2008-144-0x0000000004030000-0x0000000004031000-memory.dmp

              Filesize

              4KB

              Download