Resubmissions
Submitted          Task ID             Score
30-09-2022 10:35   220930-mm59psebhl   6
29-09-2022 13:01   220929-p9fcxaahd8   6
17-12-2021 18:47   211217-xfnq7aegfp   10
16-12-2021 14:14   211216-rj2vbsccc8   10
16-12-2021 14:07   211216-re4s5achhj   10

Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 16-12-2021 14:07
Static task: static1
Behavioral task: behavioral1 (sample RL.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample RL.exe, resource win10-en-20211208)
General
Target: RL.exe
Size: 333KB
MD5: 981f7a4bb2592bffcbdf543a742cb1a2
SHA1: 64d97d061583e343ce7a02a4b905281d95ff0bba
SHA256: 4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50
SHA512: b0be15a1d8a80506de3b615f1c5713a9acaf46b9577187f6c1dbfa6539b0641ebc4c83178a3c4bed2342d5e8bea4c910b30853d1e91b87b824d4f9173b46397b
Malware Config
Extracted from C:\Readme.txt:
Wana-XD@bk.ru
RL000@protonmail.ch
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Program crash (1 IoC)
  process       pid   target pid  target process
  WerFault.exe  1868  1584        RL.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1868  WerFault.exe  (5 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1584  RL.exe
  Token: SeDebugPrivilege  1868  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process  target pid  target process
  PID 1584 wrote to memory of 1868   1584  RL.exe   1868        WerFault.exe  (3 identical entries)

Note on the last two signatures: 1868 is the WerFault.exe instance that RL.exe itself started to report its own crash (its command line names the faulting process, -p 1584, and it is the target of the "Program crash" signature), so the memory writes and the SeDebugPrivilege use by 1868 are crash-reporting plumbing rather than injection into an unrelated process. The behaviours that are actually the sample's own are the SeDebugPrivilege request by 1584, the ip-api.com lookup, and the ransom note with the two contact addresses.
Processes

RL.exe (pid 1584)
  image: C:\Users\Admin\AppData\Local\Temp\RL.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RL.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  WerFault.exe (pid 1868, child of 1584)
    image: C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1584 -s 1296
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
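The following Python script is an added example, not code from the sandbox or from this report. It turns the report's indicators into a small triage check: it verifies a candidate file against the listed hashes, extracts the report's contact addresses from a ransom note, and, given process events, separates the WerFault.exe crash-reporting hand-off (child of the writer, and "-p <pid>" on its command line naming the writer) from a genuine cross-process write. The hashes, e-mail addresses, note path, ip-api.com host and PIDs 1584/1868 are copied from the report; the event records, their Sysmon-like field names and the ransom-note text are constructed assumptions.

```python
"""Triage helpers built from the RL.exe report above (added example; not
the sandbox's code).  Hashes, contact addresses, the ransom-note path, the
ip-api.com lookup and PIDs 1584/1868 are copied from the report.  The event
records and the ransom-note text are CONSTRUCTED stand-ins, and the
Sysmon-like field names are an assumption, not the sandbox's schema."""
import hashlib
import re

# Indicators from the report's "General" and "Malware Config" sections.
REPORT_HASHES = {
    "md5": "981f7a4bb2592bffcbdf543a742cb1a2",
    "sha1": "64d97d061583e343ce7a02a4b905281d95ff0bba",
    "sha256": "4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50",
}
REPORT_EMAILS = {"Wana-XD@bk.ru", "RL000@protonmail.ch"}
REPORT_NOTE_PATH = r"C:\Readme.txt"
REPORT_IP_LOOKUP_HOST = "ip-api.com"

# Constructed events mirroring the report's process tree and signatures.
EVENTS = [
    {"type": "process_create", "pid": 1584, "ppid": 500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RL.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RL.exe"'},
    {"type": "privilege", "pid": 1584, "privilege": "SeDebugPrivilege"},
    {"type": "dns_query", "pid": 1584, "query": "ip-api.com"},
    {"type": "process_create", "pid": 1868, "ppid": 1584,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1584 -s 1296"},
    {"type": "process_access", "source_pid": 1584, "target_pid": 1868,
     "access": "WriteProcessMemory"},
    {"type": "file_create", "pid": 1584, "path": r"C:\Readme.txt"},
]
# Constructed note text; the report only lists the two addresses it extracted.
CONSTRUCTED_NOTE = ("Your files are encrypted. Write to Wana-XD@bk.ru or "
                    "RL000@protonmail.ch to get the decryptor")


def hash_sample(data):
    """md5/sha1/sha256 hex digests of a candidate file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def is_reported_sample(data):
    """True only when all three digests match the report."""
    return hash_sample(data) == REPORT_HASHES


_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def werfault_faulting_pid(cmdline):
    """WerFault.exe receives the crashed process's PID as '-p <pid>'."""
    m = _WER_PID.search(cmdline)
    return int(m.group(1)) if m else None


def classify_memory_write(source_pid, target_pid, procs):
    """Separate the crash-reporting hand-off from a real cross-process write.
    procs maps pid -> process_create event.  A write counts as crash handling
    only if the target is WerFault.exe, was spawned by the writer, and names
    the writer as the faulting process on its command line."""
    target = procs.get(target_pid)
    if target is None:
        return "unknown_target"
    if (target["image"].lower().endswith(r"\werfault.exe")
            and target["ppid"] == source_pid
            and werfault_faulting_pid(target["cmdline"]) == source_pid):
        return "wer_crash_handler"
    return "cross_process_write"


def note_contacts(note_text):
    """E-mail addresses in a ransom note that match the report's contacts."""
    found = set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", note_text))
    return found & REPORT_EMAILS


def triage(events):
    """Collect the report's behaviours from an event list, keyed by finding."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = {"debug_privilege": [], "external_ip_lookup": [],
                "ransom_note": [], "memory_writes": []}
    for e in events:
        t = e["type"]
        if t == "privilege" and e["privilege"] == "SeDebugPrivilege":
            findings["debug_privilege"].append(e["pid"])
        elif t == "dns_query" and e["query"].lower() == REPORT_IP_LOOKUP_HOST:
            findings["external_ip_lookup"].append(e["pid"])
        elif t == "file_create" and e["path"].lower() == REPORT_NOTE_PATH.lower():
            findings["ransom_note"].append(e["pid"])
        elif t == "process_access" and e["access"] == "WriteProcessMemory":
            findings["memory_writes"].append((
                e["source_pid"], e["target_pid"],
                classify_memory_write(e["source_pid"], e["target_pid"], procs)))
    return findings


if __name__ == "__main__":
    for key, val in triage(EVENTS).items():
        print(f"{key}: {val}")
    print("note contacts:", note_contacts(CONSTRUCTED_NOTE))
    print("is reported sample:", is_reported_sample(b"placeholder bytes"))
```

On the constructed events the memory write from 1584 to 1868 is classified as "wer_crash_handler"; the same write to any process that was not a WerFault.exe child naming 1584 as the faulting PID would be reported as "cross_process_write", which is the case worth escalating.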
Network
MITRE ATT&CK Matrix
Downloads
File                                                              Filesize
memory/1584-55-0x0000000000830000-0x0000000000831000-memory.dmp   4KB
memory/1584-57-0x000000001B880000-0x000000001B882000-memory.dmp   8KB
memory/1868-58-0x0000000000000000-mapping.dmp
memory/1868-59-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp   8KB
memory/1868-60-0x0000000001C20000-0x0000000001C21000-memory.dmp   4KB