Analysis
- max time kernel: 182s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
- Resource: win10v2004-20220812-en
General
- Target: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
- Size: 5.3MB
- MD5: f5933875c7005f0dd97ee34c75285af2
- SHA1: 8afac045e42019475f04e01c8b7c7ee840c8ad1a
- SHA256: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a
- SHA512: 8c73878c85ed0f938a2dd6e24f925cbf21e036b04b5ee14f7bdf021853260c95f23fb22e92f81b84fdbadb41fe27ff73f6f753f72bc782fc553ffd081f8f62bb
- SSDEEP: 98304:6zjwk9Mdso+6KIjS8bTt6SpX36rvB3nq2kqDsUQKgesSYunR/qVzVdZfqQHbT:4w0MHXb5H0W6VnPsn5LSYuRufh3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 4788 rzxinstall.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe)
- Drops file in System32 directory (5 IoCs)
  Processes: rzxinstall.exe
  File opened for modification: C:\Windows\SysWOW64\staticfg.ini (process: rzxinstall.exe)
  File created: C:\Windows\SysWOW64\staticfg.ini (process: rzxinstall.exe)
  File opened for modification: C:\Windows\SysWOW64\rzx1002_09_1.dll (process: rzxinstall.exe)
  File opened for modification: C:\Windows\SysWOW64\smartX.dll (process: rzxinstall.exe)
  File created: C:\Windows\SysWOW64\rzxinstall.log (process: rzxinstall.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: pid 4788 rzxinstall.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
  PID 1912 wrote to memory of 4788 (source: aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe, target: rzxinstall.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aefd3734fbb0d12d2a4d9ed8856d32d6d3c7a51a5f74819fa1160a74f96ce11a.exe"
  PID: 1912
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe"
    PID: 4788
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rzxinstall.exe
  Filesize: 68KB
  MD5: 39940894a957ee1203d17a2327875288
  SHA1: 27221bbb1506a85cde97e436e7e4f48031b4948c
  SHA256: 1acd808d424d46934b6ed0984f5806385f3fd66bf19615ccaab701c6764a5cf1
  SHA512: 62640360fdfc202bbddde7bc54a9231a44ce3609b4b3a96cd8466216df476a58ccd83105b28ee5ae297ba21631653ee77ab630d6b7de05f7073dc1f206c7d063
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\staticfg.ini
  Filesize: 39B
  MD5: 88a786baf85e7f2adac945fd15f70fb2
  SHA1: a0682affe28ff060245f5c124478383ef5238ff1
  SHA256: d234f6cc58e02d06afdc3a3ae4e390c4c396351f6e97b5dd7039cc01c553f9b1
  SHA512: 346e6fbe22f3e4eb8f77b9fa21e3c8d8e169da2760a66d850cbfed04db18a59c835b0fac09fcb0568a75f0d67cc6814fbbe16ca17cb1168c6ee2664fc9612d92
- memory/4788-132-0x0000000000000000-mapping.dmp