Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 22:11
General
-
Target
Netflix Tools PACK/NetFlix Checker by xRisky v2/NetFlix Checker by xRisky v2.exe
-
Size
187KB
-
MD5
a936e1c25e761f0dac98e9d42ad28637
-
SHA1
1c9168c664a0bf33be15aa8311f803f7ebe865cb
-
SHA256
cc93d5cb201a68dd673a5cf55ac97723b226fb670a73df2d29548bf25245c2a4
-
SHA512
91ab6da7dcfe8639eb0a9c743e6e10ad6b2b30b5ef99e2b779402983a5485414e84f91539b18b93ff528517402ad24538f3ad929b6a583907b71dca1c631a636
-
SSDEEP
1536:94l0gePQLjUDAbY1oCT/n9156ET5B61H7SRIRUnPYG+lB:94l0g5G93/6hRUgt
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
144KB
MD55ea4ee24f01613f1bd403312c46b9ec9
SHA13d76201186437c8e0daba0ee37472fe3c4ef546d
SHA256c81755fe990f1b023bf9b88eed4856c088755af050ea4627ed081a8203f03472
SHA51273b0cc6d49db601b50a5c89b4b0f083a69efd6ff063edc03c93cac16c104173b8a1d172279e88f8a1b17b3b56f27a9fe6f207fde51729292cbacb272c75c8f53
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
80KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
200KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
504KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
5.2MB
-
Filesize
336KB
-
Filesize
128KB