Overview

overview

7

Static

static

3

release_ZY...4H.rar

windows7-x64

1

release_ZY...4H.rar

windows10-2004-x64

7

ce-lib64.dll

windows7-x64

1

ce-lib64.dll

windows10-2004-x64

5

r7flexcrack.exe

windows7-x64

5

r7flexcrack.exe

windows10-2004-x64

5

r7flexpatcher.exe

windows7-x64

5

r7flexpatcher.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    r7flexpatcher.exe

  • Size

    41KB

  • MD5

    211679d0bf22b11671c9c8278072400f

  • SHA1

    46767069ff081ae73fda2217a63b7b4f0c91e64a

  • SHA256

    56c6f8cabe41895e7793fa4bd9936ea424e2e63459571f717a8d66cb808cdd96

  • SHA512

    8e16bc0e1153996e56704ffae2c611ee43aa591fdcdad0c5bbca41cda41b19fe3c0e4ea720a19fe6bca6545c32622d9eabf9d618f96f2601e74d6e916cd3fa48

  • SSDEEP

    768:eKk1kCV2sBbH4vVuLG544uB/RUNeM9bKqpmzCHNV:ulWw+44uB69bhmAV

Score
7/10
defense_evasionprivilege_escalation

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\r7flexpatcher.exe
    "C:\Users\Admin\AppData\Local\Temp\r7flexpatcher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe
      "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" runas
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Access Token Manipulation: Create Process with Token
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:808
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          3⤵
            PID:4536
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4508
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5
              4⤵
                PID:4584
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                4⤵
                  PID:3420
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  4⤵
                    PID:3248

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{94234E97-5A00-4E88-9038-6AF1988DB72F}\Addresses.TMP
              Filesize

              31B

              MD5

              987abbe4eb34348216b1de52cdaf15fa

              SHA1

              63555da2db440772866ecf31141e6e4c1c633574

              SHA256

              19a0734c49bca929ed1cda1c123d336c83000059d8bdf2c97855381072fc9ff6

              SHA512

              8c1622c400bd6b25841f7f5db60f9db0858fc0a6a4449326ab801035080d207cf78246afb650072eb14bb1a69fc87a2212c2b0a8a1733a9f6061df5d7424707b

              Download Submit

            • memory/644-0-0x00007FF6A06CE000-0x00007FF6A1BB3000-memory.dmp

              Filesize

              20.9MB

              Download

            • memory/644-2-0x00007FF9AAB60000-0x00007FF9AAB62000-memory.dmp

              Filesize

              8KB

              Download

            • memory/644-1-0x00007FF9AAB50000-0x00007FF9AAB52000-memory.dmp

              Filesize

              8KB

              Download

            • memory/644-3-0x00007FF6A0610000-0x00007FF6A3E7A000-memory.dmp

              Filesize

              56.4MB

              Download

            • memory/644-19-0x00007FF6A06CE000-0x00007FF6A1BB3000-memory.dmp

              Filesize

              20.9MB

              Download