0609ebd4157f1b0591ab2a98749c0073a479ffae8e3eb5ba560838bb3eaaa0c5

Analysis

max time kernel
91s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anyfix-ios-system-recovery-en-setup (2).exe
Size

7.1MB
MD5

9c3c41d2f9b7d33d38641e85ba0a5fd9
SHA1

5e3fc663df59515cdf7eb9c4c0a43130a26689ba
SHA256

0609ebd4157f1b0591ab2a98749c0073a479ffae8e3eb5ba560838bb3eaaa0c5
SHA512

2a38369f24c28c310e6ed98506fc89177a00e2766a89ed992fca5867bec55f0125aa0403fe619d051044acdf6f0dfe63c230e072e3732693cd51cce43f616a06
SSDEEP

98304:2aswfDVoKwsGwFzDXoAgjrpeuUaCp1o9Djk5mfZwg4yCr78VEZ7W9xlWes3bdjOi:2VwVssGOzDXYU/s5IsBwTLQGWblMLs/y

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	anyfix-ios-system-recovery-en-setup (2).exe

Loads dropped DLL 8 IoCs

pid	Process
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe
2996	anyfix-ios-system-recovery-en-setup (2).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	anyfix-ios-system-recovery-en-setup (2).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	anyfix-ios-system-recovery-en-setup (2).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 5104	2996	anyfix-ios-system-recovery-en-setup (2).exe	83
PID 2996 wrote to memory of 5104	2996	anyfix-ios-system-recovery-en-setup (2).exe	83
PID 2996 wrote to memory of 5104	2996	anyfix-ios-system-recovery-en-setup (2).exe	83
PID 5104 wrote to memory of 1192	5104	cmd.exe	85
PID 5104 wrote to memory of 1192	5104	cmd.exe	85
PID 5104 wrote to memory of 1192	5104	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\anyfix-ios-system-recovery-en-setup (2).exe
"C:\Users\Admin\AppData\Local\Temp\anyfix-ios-system-recovery-en-setup (2).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"14E21498\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"14E21498\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=Am5IM8yJQAOFJ9M6Orj_4w"
    3⤵
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7792.tmp\nsDui.dll

Filesize
3.1MB

MD5
da277c7997c003698b5fb0b8bb9491bb

SHA1
c897c3d8809d9af00ab05cdbd1eb3f35f9e98d23

SHA256
e49008ab87c0f707fb2cac811b3a2c74ba82ee7f6e91635f5cf5ed6e3c2c09e7

SHA512
cd3b73449bdbfceba3d6975f749d91f9c75b312bebc670aedb2facd42e3c0d3d4775c77bea024d949502278e7539d2052ad96411677fd663961979fa6d456367

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads