a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120

General

Target

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
Size

5.0MB
MD5

3fc57fd38dd0521976ea9c0f37c187dc
SHA1

f5610c292278e8dd75decdf238dc630f91d204a9
SHA256

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120
SHA512

c4b8055d6dca7a969b7096ea7cb04db872bfa3addc0aece41f5fc62c33ae6e1982dfa6e71e0f373456cf89b2f99ff2dee947bb62ba612126c0e86a49146b1300
SSDEEP

98304:EstZLNLdQRhpII22cNb3g2n8zMkd6tSYFxrkDB4n:5ZUhH22cNb3Z8Qkd6tSgJkD

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RSVBSJHP.exeRSVBSJHP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	RSVBSJHP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	RSVBSJHP.exe

Executes dropped EXE 4 IoCs

Processes:

RSVBSJHP.exeRSVBSJHP.exeDeploy.exe7za.exe

pid process

384 RSVBSJHP.exe
2372 RSVBSJHP.exe
2536 Deploy.exe
1028 7za.exe
Possible privilege escalation attempt 3 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exe

pid process

1912 icacls.exe
2692 takeown.exe
3428 takeown.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exetakeown.exe

pid process

1912 icacls.exe
2692 takeown.exe
3428 takeown.exe

pid	process
1912	icacls.exe
2692	takeown.exe
3428	takeown.exe

pid	process
1912	icacls.exe
2692	takeown.exe
3428	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!! = "IZDXPNVK.exe PYRJFNUVQ RSVBSJHP.exe"	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

RSVBSJHP.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	RSVBSJHP.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	RSVBSJHP.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\System32\RSVBSJHP.exe	autoit_exe
C:\Windows\system32\RSVBSJHP.exe	autoit_exe
C:\Windows\System32\RSVBSJHP.exe	autoit_exe
C:\Windows\System32\Deploy.exe	autoit_exe
C:\Windows\system32\Deploy.exe	autoit_exe

Drops file in System32 directory 6 IoCs

Processes:

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

description	ioc	process
File created	C:\Windows\system32\RSVBSJHP.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File opened for modification	C:\Windows\system32\RSVBSJHP.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File created	C:\Windows\system32\IZDXPNVK.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File opened for modification	C:\Windows\system32\IZDXPNVK.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File created	C:\Windows\system32\Deploy.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File opened for modification	C:\Windows\system32\Deploy.exe	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

Drops file in Windows directory 6 IoCs

Processes:

Deploy.exea61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

description	ioc	process
File created	C:\Windows\ES3\7za.exe	Deploy.exe
File opened for modification	C:\Windows\ES3\7za.exe	Deploy.exe
File opened for modification	C:\Windows\ES3\Sidebar_Task.tmp	Deploy.exe
File created	C:\Windows\es3\EsSets.es3	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
File created	C:\Windows\ES3\Language.ini	Deploy.exe
File opened for modification	C:\Windows\ES3\Language.ini	Deploy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

RSVBSJHP.exeRSVBSJHP.exe

pid	process
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
384	RSVBSJHP.exe
2372	RSVBSJHP.exe
2372	RSVBSJHP.exe
2372	RSVBSJHP.exe
2372	RSVBSJHP.exe
2372	RSVBSJHP.exe
2372	RSVBSJHP.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

reg.exereg.exetakeown.exe

description pid process

Token: SeRestorePrivilege 4856 reg.exe
Token: SeRestorePrivilege 1112 reg.exe
Token: SeTakeOwnershipPrivilege 2692 takeown.exe

description	pid	process
Token: SeRestorePrivilege	4856	reg.exe
Token: SeRestorePrivilege	1112	reg.exe
Token: SeTakeOwnershipPrivilege	2692	takeown.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

pid	process
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

pid	process
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exeRSVBSJHP.execmd.execmd.exeDeploy.exe

description	pid	process	target process
PID 4872 wrote to memory of 384	4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe	RSVBSJHP.exe
PID 4872 wrote to memory of 384	4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe	RSVBSJHP.exe
PID 384 wrote to memory of 4856	384	RSVBSJHP.exe	reg.exe
PID 384 wrote to memory of 4856	384	RSVBSJHP.exe	reg.exe
PID 384 wrote to memory of 1112	384	RSVBSJHP.exe	reg.exe
PID 384 wrote to memory of 1112	384	RSVBSJHP.exe	reg.exe
PID 384 wrote to memory of 3368	384	RSVBSJHP.exe	cmd.exe
PID 384 wrote to memory of 3368	384	RSVBSJHP.exe	cmd.exe
PID 3368 wrote to memory of 3428	3368	cmd.exe	takeown.exe
PID 3368 wrote to memory of 3428	3368	cmd.exe	takeown.exe
PID 3368 wrote to memory of 1912	3368	cmd.exe	icacls.exe
PID 3368 wrote to memory of 1912	3368	cmd.exe	icacls.exe
PID 384 wrote to memory of 2332	384	RSVBSJHP.exe	cmd.exe
PID 384 wrote to memory of 2332	384	RSVBSJHP.exe	cmd.exe
PID 2332 wrote to memory of 2692	2332	cmd.exe	takeown.exe
PID 2332 wrote to memory of 2692	2332	cmd.exe	takeown.exe
PID 384 wrote to memory of 2372	384	RSVBSJHP.exe	RSVBSJHP.exe
PID 384 wrote to memory of 2372	384	RSVBSJHP.exe	RSVBSJHP.exe
PID 4872 wrote to memory of 2536	4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe	Deploy.exe
PID 4872 wrote to memory of 2536	4872	a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe	Deploy.exe
PID 2536 wrote to memory of 3744	2536	Deploy.exe	cmd.exe
PID 2536 wrote to memory of 3744	2536	Deploy.exe	cmd.exe
PID 2536 wrote to memory of 1028	2536	Deploy.exe	7za.exe
PID 2536 wrote to memory of 1028	2536	Deploy.exe	7za.exe
PID 2536 wrote to memory of 1028	2536	Deploy.exe	7za.exe
PID 2536 wrote to memory of 3652	2536	Deploy.exe	cmd.exe
PID 2536 wrote to memory of 3652	2536	Deploy.exe	cmd.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

RSVBSJHP.exeRSVBSJHP.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	RSVBSJHP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	RSVBSJHP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	RSVBSJHP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	RSVBSJHP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	RSVBSJHP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	RSVBSJHP.exe

C:\Users\Admin\AppData\Local\Temp\a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
"C:\Users\Admin\AppData\Local\Temp\a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\RSVBSJHP.exe
  C:\Windows\system32\RSVBSJHP.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:384
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe load HKEY_USERS\a C:\Users\Administrator\NTUSER.DAT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe unload HKEY_USERS\a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3428
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\system32\RSVBSJHP.exe
    RSVBSJHP.exe 384 4872 0
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:2372
- C:\Windows\system32\Deploy.exe
  C:\Windows\system32\Deploy.exe -Deploy
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C Ver > C:\Users\Admin\AppData\Local\Temp\VerTemp.txt
    3⤵
    PID:3744
- - C:\Windows\ES3\7za.exe
    C:\Windows\ES3\7za.exe x "C:\Windows\ES3\EsSets.es3" -o"C:\Windows\ES3" -y -r
    3⤵
    - Executes dropped EXE
    PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q C:\Sysprep
    3⤵
    PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VerTemp.txt

Filesize
47B

MD5
1a1ea0c1a7df5f91ecd62cda837a3273

SHA1
f358bcfc14b04949db83e04c4e181f526b3fc5f3

SHA256
9fea0616868155973e2b5ca5d1524359e47916e8aee14dfad123b533c737ee76

SHA512
666a013157c5544ef7ebad000d6a5e0f2b4020bb7e7d8792880b7c35c662b1c710e25a8893f75b8599cba5bb934c18f91a689f0f24c53b287e601475b1ae9f01

Download Submit
C:\Windows\ES3\7za.exe

Filesize
478KB

MD5
9309fcded3bca9e70621ad5ed0c78068

SHA1
6227fbc222783895e57dcaca792643d75d68948d

SHA256
b2c4ac6b3dc3753316051a609514e2c8f3b3038bd22bac9db638507f2ab6b47e

SHA512
0181b1d94f139aa69532e81858309978052920c3bcae546cef1275dd2d793686eeab5bc34dbb8718001175d9c67354d90846e087cf34a78c1b7347898477f44c

Download Submit
C:\Windows\ES3\7za.exe

Filesize
478KB

MD5
9309fcded3bca9e70621ad5ed0c78068

SHA1
6227fbc222783895e57dcaca792643d75d68948d

SHA256
b2c4ac6b3dc3753316051a609514e2c8f3b3038bd22bac9db638507f2ab6b47e

SHA512
0181b1d94f139aa69532e81858309978052920c3bcae546cef1275dd2d793686eeab5bc34dbb8718001175d9c67354d90846e087cf34a78c1b7347898477f44c

Download Submit
C:\Windows\System32\Deploy.exe

Filesize
3.5MB

MD5
d70763e710b730042f016c430f576849

SHA1
b336810bed3fd1be66d29206e5b98874d8343fc1

SHA256
b142495209dab402548c82f1ab0432ad1f9b090855b0371bdc1155ff39785f10

SHA512
e7d1fe94749f0539b0854e019d1fc639a563944fab9f096db818acc333448343a96096e30957f1b7f0f685f89ca7525db91005068cd414f6c0d2d6df21b1fc93

Download Submit
C:\Windows\System32\RSVBSJHP.exe

Filesize
964KB

MD5
7359ea3476e9f5d7f5e6845007531b4b

SHA1
ec48e75b6a03979a1af7d993c55a76bc5a7780fe

SHA256
43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc

SHA512
01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce

Download Submit
C:\Windows\System32\RSVBSJHP.exe

Filesize
964KB

MD5
7359ea3476e9f5d7f5e6845007531b4b

SHA1
ec48e75b6a03979a1af7d993c55a76bc5a7780fe

SHA256
43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc

SHA512
01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce

Download Submit
C:\Windows\system32\Deploy.exe

Filesize
3.5MB

MD5
d70763e710b730042f016c430f576849

SHA1
b336810bed3fd1be66d29206e5b98874d8343fc1

SHA256
b142495209dab402548c82f1ab0432ad1f9b090855b0371bdc1155ff39785f10

SHA512
e7d1fe94749f0539b0854e019d1fc639a563944fab9f096db818acc333448343a96096e30957f1b7f0f685f89ca7525db91005068cd414f6c0d2d6df21b1fc93

Download Submit
C:\Windows\system32\RSVBSJHP.exe

Filesize
964KB

MD5
7359ea3476e9f5d7f5e6845007531b4b

SHA1
ec48e75b6a03979a1af7d993c55a76bc5a7780fe

SHA256
43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc

SHA512
01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce

Download Submit
memory/384-132-0x0000000000000000-mapping.dmp

Download
memory/1028-149-0x0000000000000000-mapping.dmp

Download
memory/1112-136-0x0000000000000000-mapping.dmp

Download
memory/1912-139-0x0000000000000000-mapping.dmp

Download
memory/2332-140-0x0000000000000000-mapping.dmp

Download
memory/2372-142-0x0000000000000000-mapping.dmp

Download
memory/2536-144-0x0000000000000000-mapping.dmp

Download
memory/2692-141-0x0000000000000000-mapping.dmp

Download
memory/3368-137-0x0000000000000000-mapping.dmp

Download
memory/3428-138-0x0000000000000000-mapping.dmp

Download
memory/3652-152-0x0000000000000000-mapping.dmp

Download
memory/3744-147-0x0000000000000000-mapping.dmp

Download
memory/4856-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads