aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a

General

Target

aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
Size

5.3MB
MD5

f5933875c7005f0dd97ee34c75285af2
SHA1

8afac045e42019475f04e01c8b7c7ee840c8ad1a
SHA256

aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a
SHA512

8c73878c85ed0f938a2dd6e24f925cbf21e036b04b5ee14f7bdf021853260c95f23fb22e92f81b84fdbadb41fe27ff73f6f753f72bc782fc553ffd081f8f62bb
SSDEEP

98304:6zjwk9Mdso+6KIjS8bTt6SpX36rvB3nq2kqDsUQKgesSYunR/qVzVdZfqQHbT:4w0MHXb5H0W6VnPsn5LSYuRufh3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rzxinstall.exe

pid process

1692 rzxinstall.exe
Loads dropped DLL 4 IoCs

Processes:

aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exerzxinstall.exe

pid process

1472 aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
1692 rzxinstall.exe
1692 rzxinstall.exe
1692 rzxinstall.exe

pid	process
1692	rzxinstall.exe

pid	process
1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
1692	rzxinstall.exe
1692	rzxinstall.exe
1692	rzxinstall.exe

Drops file in System32 directory 5 IoCs

Processes:

rzxinstall.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rzx1002_09_1.dll	rzxinstall.exe
File opened for modification	C:\Windows\SysWOW64\smartX.dll	rzxinstall.exe
File created	C:\Windows\SysWOW64\rzxinstall.log	rzxinstall.exe
File opened for modification	C:\Windows\SysWOW64\staticfg.ini	rzxinstall.exe
File created	C:\Windows\SysWOW64\staticfg.ini	rzxinstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rzxinstall.exe

pid process

1692 rzxinstall.exe
1692 rzxinstall.exe
1692 rzxinstall.exe
1692 rzxinstall.exe

pid	process
1692	rzxinstall.exe
1692	rzxinstall.exe
1692	rzxinstall.exe
1692	rzxinstall.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe

description	pid	process	target process
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe
PID 1472 wrote to memory of 1692	1472	aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe	rzxinstall.exe

C:\Users\Admin\AppData\Local\Temp\aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
"C:\Users\Admin\AppData\Local\Temp\aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1692

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\staticfg.ini
Filesize
39B

MD5
88a786baf85e7f2adac945fd15f70fb2

SHA1
a0682affe28ff060245f5c124478383ef5238ff1

SHA256
d234f6cc58e02d06afdc3a3ae4e390c4c396351f6e97b5dd7039cc01c553f9b1

SHA512
346e6fbe22f3e4eb8f77b9fa21e3c8d8e169da2760a66d850cbfed04db18a59c835b0fac09fcb0568a75f0d67cc6814fbbe16ca17cb1168c6ee2664fc9612d92

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
Filesize
68KB

MD5
39940894a957ee1203d17a2327875288

SHA1
27221bbb1506a85cde97e436e7e4f48031b4948c

SHA256
1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1

SHA512
62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063

Download Submit
memory/1472-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1692-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing