03595be308cd92512645f8f37b6731f372da3c6b5dbf298c4d16a9683a8e4f19

Analysis

max time kernel
5s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 23:46

Target

$PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/Any_setup.exe
Size

144KB
MD5

894222e8962b46263c26aa9ea08c2050
SHA1

9778d5e7d4cd15717f3240cae4255934ccd5231c
SHA256

e5c6a460471e5f1d37c083c1069e95e253ad80c25e42f5624f6824bb1f4ce826
SHA512

472787c8827cb5df1c527caee6bb0766429a096f3931f30d7a435d891a0741b333c16000ae53cf1bb2398ba77187c5ae240145b30f51899bff074232e7f900b5
SSDEEP

1536:O3Wakjwa5CkyoH+p5nyn3nuC7XJ9Mje5rxLtLEc9Eccdk5GGA93EpjjMe61BW+pi:r8y0e5rxLtLnXLDMJLWFXG3yvD

Score

6^/10

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

pid	Process
2280	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation	Any_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Any_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2280	3756	Any_setup.exe	80
PID 3756 wrote to memory of 2280	3756	Any_setup.exe	80
PID 3756 wrote to memory of 2280	3756	Any_setup.exe	80
PID 3756 wrote to memory of 636	3756	Any_setup.exe	82
PID 3756 wrote to memory of 636	3756	Any_setup.exe	82
PID 3756 wrote to memory of 636	3756	Any_setup.exe	82
PID 3756 wrote to memory of 2404	3756	Any_setup.exe	84
PID 3756 wrote to memory of 2404	3756	Any_setup.exe	84
PID 3756 wrote to memory of 2404	3756	Any_setup.exe	84
PID 3756 wrote to memory of 368	3756	Any_setup.exe	86
PID 3756 wrote to memory of 368	3756	Any_setup.exe	86
PID 3756 wrote to memory of 368	3756	Any_setup.exe	86

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\SoftForum\XecureWeb\AnySign\dll\Any_setup.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\SoftForum\XecureWeb\AnySign\dll\Any_setup.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name = "AnySign4PC" dir=in action=allow program="C:\Program Files (x86)\SoftForum\XecureWeb\AnySign\dll\AnySign4PC.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe" LoopbackExempt -a -n=microsoft.microsoftedge_8wekyb3d8bbwe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe" LoopbackExempt -a -n=windows_ie_ac_001
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe" LoopbackExempt -a -n=windows_ie_ac_122
  2⤵
  - System Location Discovery: System Language Discovery
  PID:368