493ab2e222425088cdb1b3622a0421ec94cfa5a0b9cf54dee76502daec4bae03

Analysis

max time kernel
149s
max time network
26s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BorisFX Sapphire OFX/Setup.exe
Size

204.1MB
MD5

23ad1e7cce6958035a7e0ee751505316
SHA1

92891335a729a611d518378c2c0cd8abf97e740d
SHA256

df7a3a158a9c10e7bf637d370ea973d81c77decbb0fc7ae430a794267b313e76
SHA512

9dc76bf79aa2fd3631f9098e1c909aab72711dd6c450e2ce58167099f6592d85d16acbd66b9e956571b6550197c1fbc0554aa451aaf6ca70d4bb882c3687ec78
SSDEEP

6291456:QWsenRwkLYNw2UV9iGWM9icKuhgG083xin3PDwkjThik0:QWjnRNYNcV9PWM8cKuhR083xin/3j92

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	Setup.tmp

Loads dropped DLL 1 IoCs

pid	Process
1560	Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29
PID 1560 wrote to memory of 2700	1560	Setup.exe	29

C:\Users\Admin\AppData\Local\Temp\BorisFX Sapphire OFX\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\BorisFX Sapphire OFX\Setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\is-HF8LN.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HF8LN.tmp\Setup.tmp" /SL5="$401B0,213530096,61952,C:\Users\Admin\AppData\Local\Temp\BorisFX Sapphire OFX\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-HF8LN.tmp\Setup.tmp

Filesize
701KB

MD5
6fea6308725988aa64e5dcb7ba3ce7a9

SHA1
a4df4e87a40a70611c7feaf5f5cee2447cbd4593

SHA256
5ea873ebfe31e4ad55a94518142c0676ad364f7af9f823b8ba7d190a05665c7d

SHA512
e5e2b1481f2f56e449280694c962ef768943dd4dcec0bec668debb459eaa98572bb7cad3c3a79a4bf21536ae9494e6548e3735f0a6d7afe020f279d2d3a345a3

Download Submit
memory/1560-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1560-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1560-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2700-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2700-12-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download