d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d

Analysis

max time kernel
97s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/12/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpfile-main/Sobfox.exe
Size

5.2MB
MD5

a34a8c7f18a484aebc37cc67e86f8441
SHA1

c0fbef5f036d7b4bb1d9d350e24d6d99096f1ba1
SHA256

1f350ddd7b2d7cf5da7dd41b793d1d28642b7bfd4ddac2c278499b2d911bece5
SHA512

e8df773de29f73bf7b1e3915b842abcdb3f42185cfb632b60ae1f5c1fcf9cc0cad57d3f54f79f9ce6c94c9691e3f72e66efdec4f63ba5f5de908f318d2d9f9ab
SSDEEP

98304:j3GIi+v8hp0EI/mbrVVxAnPJ6hR0O+vk3nVcJGOLS:j3GIiMhubJVeQ5+k3nVYLS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Sobfox.exe

Executes dropped EXE 1 IoCs

pid	Process
5116	RDR4.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\system32\RDR4.exe	Sobfox.exe
File opened for modification	C:\Program Files\system32\RDR4.exe	Sobfox.exe
File created	C:\Program Files\system32\stTfuo7I.exe	Sobfox.exe
File opened for modification	C:\Program Files\system32\stTfuo7I.exe	Sobfox.exe
File opened for modification	C:\Program Files\system32	Sobfox.exe
File created	C:\Program Files\system32\__tmp_rar_sfx_access_check_240607703	Sobfox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 5116	1996	Sobfox.exe	79
PID 1996 wrote to memory of 5116	1996	Sobfox.exe	79

C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Sobfox.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\system32\RDR4.exe
  "C:\Program Files\system32\RDR4.exe"
  2⤵
  - Executes dropped EXE
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\system32\RDR4.exe

Filesize
100KB

MD5
de431fe64329b3dde12f288898cba489

SHA1
b8f1f3d0b2cc37cc4aa041046fa9ced2bc92f6ad

SHA256
157d83991428e260d9e07c6d8679d35835d6c8c3d8ac1b5669ec10419f4e0e9f

SHA512
b7127225c5dcd2d027158cbc11eaebaef8f674ec0ff775f6eb11bc43692ad90c52af558590131543de803f0223d66dad69c776034adddaab613299afea26e95a

Download Submit
memory/5116-13-0x00007FF77BD90000-0x00007FF77BDBF000-memory.dmp

Filesize
188KB

Download