Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 23:41
Static task static1
Behavioral task behavioral1: sample BorisFX Sapphire OFX/File/Sapphire.dll, resource win7-20240708-en
Behavioral task behavioral2: sample BorisFX Sapphire OFX/File/Sapphire.dll, resource win10v2004-20240709-en
Behavioral task behavioral3: sample BorisFX Sapphire OFX/Setup.exe, resource win7-20240704-en
Behavioral task behavioral4: sample BorisFX Sapphire OFX/Setup.exe, resource win10v2004-20240709-en
Behavioral task behavioral5: sample BorisFX Sapphire OFX/Win64.lnk, resource win7-20240704-en
Behavioral task behavioral6: sample BorisFX Sapphire OFX/Win64.lnk, resource win10v2004-20240709-en
Behavioral task behavioral7: sample BorisFX Sapphire OFX/lib64.lnk, resource win7-20240705-en
Behavioral task behavioral8: sample BorisFX Sapphire OFX/lib64.lnk, resource win10v2004-20240704-en
General
Target: BorisFX Sapphire OFX/Setup.exe
Size: 204.1MB
MD5: 23ad1e7cce6958035a7e0ee751505316
SHA1: 92891335a729a611d518378c2c0cd8abf97e740d
SHA256: df7a3a158a9c10e7bf637d370ea973d81c77decbb0fc7ae430a794267b313e76
SHA512: 9dc76bf79aa2fd3631f9098e1c909aab72711dd6c450e2ce58167099f6592d85d16acbd66b9e956571b6550197c1fbc0554aa451aaf6ca70d4bb882c3687ec78
SSDEEP: 6291456:QWsenRwkLYNw2UV9iGWM9icKuhgG083xin3PDwkjThik0:QWjnRNYNcV9PWM8cKuhR083xin/3j92
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 3760, process Setup.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Setup.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Setup.tmp)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4932 (Setup.exe) wrote to memory of PID 3760, procid_target 85
  PID 4932 (Setup.exe) wrote to memory of PID 3760, procid_target 85
  PID 4932 (Setup.exe) wrote to memory of PID 3760, procid_target 85
Processes
1. "C:\Users\Admin\AppData\Local\Temp\BorisFX Sapphire OFX\Setup.exe" (PID 4932)
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\is-MFLG2.tmp\Setup.tmp" /SL5="$D0046,213530096,61952,C:\Users\Admin\AppData\Local\Temp\BorisFX Sapphire OFX\Setup.exe" (PID 3760, child of PID 4932)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 701KB
MD5: 6fea6308725988aa64e5dcb7ba3ce7a9
SHA1: a4df4e87a40a70611c7feaf5f5cee2447cbd4593
SHA256: 5ea873ebfe31e4ad55a94518142c0676ad364f7af9f823b8ba7d190a05665c7d
SHA512: e5e2b1481f2f56e449280694c962ef768943dd4dcec0bec668debb459eaa98572bb7cad3c3a79a4bf21536ae9494e6548e3735f0a6d7afe020f279d2d3a345a3