Resubmissions

30/09/2022, 10:35

220930-mm59psebhl 6

29/09/2022, 13:01

220929-p9fcxaahd8 6

17/12/2021, 18:47

211217-xfnq7aegfp 10

16/12/2021, 14:14

211216-rj2vbsccc8 10

16/12/2021, 14:07

211216-re4s5achhj 10

Analysis

  • max time kernel
    56s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30/09/2022, 10:35

General

  • Target

    RL.exe

  • Size

    333KB

  • MD5

    981f7a4bb2592bffcbdf543a742cb1a2

  • SHA1

    64d97d061583e343ce7a02a4b905281d95ff0bba

  • SHA256

    4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50

  • SHA512

    b0be15a1d8a80506de3b615f1c5713a9acaf46b9577187f6c1dbfa6539b0641ebc4c83178a3c4bed2342d5e8bea4c910b30853d1e91b87b824d4f9173b46397b

  • SSDEEP

    6144:Jk2RY4ljn2ESxRTIoWD4BXHOfCzP+52iC3WfiNaw1QDSLk/3U:Jk2RYi6TIoWMZ4GWf19/k

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RL.exe
    "C:\Users\Admin\AppData\Local\Temp\RL.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2752 -s 1536
      2⤵
      • Program crash
      PID:2888
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4344

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2752-120-0x000002445E080000-0x000002445E0D8000-memory.dmp

    Filesize

    352KB