e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce

Analysis

max time kernel
109s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe
Size

387KB
MD5

5770682f3275642423eb1fb14bd06dc5
SHA1

927a99f08eba0d77033cebc9cd5620ec2ecf9d0e
SHA256

e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce
SHA512

494d317e93f1bceb0267f7ba545085cfa1f86af82fe1a81e70c76ba5d5ad396a872f1b558c3e2e9b5428aa0bdc6be4552ab1b35977519ac73fa443e849fff308
SSDEEP

12288:jaUCvVrEybKXI7njZ+kJzQKQieRLg1zcVWrGD:jidrEun9Vi3RLg1zcArGD

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4936	RealPlayer.exe
3176	rnsetup0.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	RealPlayer.exe

Loads dropped DLL 7 IoCs

pid	Process
3176	rnsetup0.exe
3176	rnsetup0.exe
3176	rnsetup0.exe
3176	rnsetup0.exe
3176	rnsetup0.exe
3176	rnsetup0.exe
3176	rnsetup0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rnsetup0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rnsetup0.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	rnsetup0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	rnsetup0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	rnsetup0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe
4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe
4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3176	rnsetup0.exe
3176	rnsetup0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4936	4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe	82
PID 4744 wrote to memory of 4936	4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe	82
PID 4744 wrote to memory of 4936	4744	e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe	82
PID 4936 wrote to memory of 3176	4936	RealPlayer.exe	86
PID 4936 wrote to memory of 3176	4936	RealPlayer.exe	86
PID 4936 wrote to memory of 3176	4936	RealPlayer.exe	86

C:\Users\Admin\AppData\Local\Temp\e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe
"C:\Users\Admin\AppData\Local\Temp\e0275ae6e52cfd069eb8903f9dbc9327982a21091b29b00ce2d9d7b3266e18ce.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\rninst~0\RealPlayer.exe
  "C:\Users\Admin\AppData\Local\Temp\rninst~0\RealPlayer.exe" /StubSelfUpdate R41ATC
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe
    "C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe" /orgexename="RealPlayer.exe" /StubSelfUpdate R41ATC
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9915FBCE5ECE56452A09FB65EDE2FAD2_7715B9B75972191225E5A9E23D890CAA

Filesize
471B

MD5
808128c8e3ace01c71380e7277c3e9c6

SHA1
ad69e941a9aa288df7ac0a488da0c3d491c9fc61

SHA256
ff3a5e9ca3eb665a2ef35f12d11c7a0ea251e4a90843e570d4583d5085169e12

SHA512
05f32a812e96e8c4dd0e1ebd3088339ad0d6f7d8be2744d1c2426fc8ebc2dfe17ec4f6e7addb5e6608cdb639306ab1da49f639a59f79409143990e8bbbcb1d5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1

Filesize
471B

MD5
5ff398b63d6f24432858102fed46d1d6

SHA1
0420eb27a65780c5c1ebef61790f247f0475896a

SHA256
fa0fb6a2839cce5e7d46cdba732b931e43880d41dbed685fa038f200ed6be465

SHA512
508f6d997d8e1178e7f04daa69b175b5585dc443710c707fb7a3bb519291440b67519a55a2ae390a1650359069e8a97ff24c8696cb9ac2ac77d52e04f7efd4a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9915FBCE5ECE56452A09FB65EDE2FAD2_7715B9B75972191225E5A9E23D890CAA

Filesize
408B

MD5
220f77d95fe4574274aca1479eed2705

SHA1
72a13485491e02fd5b8fb62bab215f178c1d3b46

SHA256
4b0187127f5a87432cedab5636df9b4529415f4f6534e19c57ff2aba07289dd0

SHA512
09cafafe1d0a53262e0a71b498859b2c96f9ed04e8d1ad3fc1eb8003a67643c7d16fbe654344c6dd2044d36ad15ed42e229f68fadb3a09da1480e270cc90aae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1

Filesize
430B

MD5
84d1d9e9ba6e8edfaeef47c207f03eda

SHA1
048f687145d21722b68a0ee5e4f4ea2f1e008c83

SHA256
3e7e6c5d3e2e5c2d899db39a39e988e1a75243d727e759d13a48c60fcfdff5fe

SHA512
7c0b5f32b7a7f197ac325de736df7ecfc1587ef624b07877ef499f23f98078eca15c2886b43436fa8c45d75a0d948c257ad6b47541955966388e08e9fad16b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~0\RealPlayer.exe

Filesize
1.1MB

MD5
467f8bd8497b36da0908554c989f463d

SHA1
838a91007838d949135cfafb2cdf36f84851158e

SHA256
c45c2f2e8a840177fb0c7f89ccc19f87ab733a915b113e67a3fb49facdcd1da3

SHA512
f9ff8bbc0de363967d6d1bc34286cefd268f4e8da86e1add7ad596439a3907a71657e41613c81886e2047add40fb2847aeb22545eb34df1eae1c3aeadaf65cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~0\RealPlayer.exe

Filesize
1.1MB

MD5
467f8bd8497b36da0908554c989f463d

SHA1
838a91007838d949135cfafb2cdf36f84851158e

SHA256
c45c2f2e8a840177fb0c7f89ccc19f87ab733a915b113e67a3fb49facdcd1da3

SHA512
f9ff8bbc0de363967d6d1bc34286cefd268f4e8da86e1add7ad596439a3907a71657e41613c81886e2047add40fb2847aeb22545eb34df1eae1c3aeadaf65cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\DotSetupSDK.dll

Filesize
36KB

MD5
c5b3f0dc8c98baaf896a8f87efdc24ab

SHA1
3699e63b22ebe3f1b16cbc8a5517755f4c6e0807

SHA256
d5daef9f701a0f8aa0ebbbb380ee96713edb7d3aa87ad8c6c3c90144a35d26fe

SHA512
b18fe88e14ad9c65f683ffd247874d23dbafc8b73e287cb0e1d42024d18f5c96a27b6bf882e35fc8232bcf879a13e717531ed7487193c622301eb5697976ebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\DotSetupSDK.dll

Filesize
36KB

MD5
c5b3f0dc8c98baaf896a8f87efdc24ab

SHA1
3699e63b22ebe3f1b16cbc8a5517755f4c6e0807

SHA256
d5daef9f701a0f8aa0ebbbb380ee96713edb7d3aa87ad8c6c3c90144a35d26fe

SHA512
b18fe88e14ad9c65f683ffd247874d23dbafc8b73e287cb0e1d42024d18f5c96a27b6bf882e35fc8232bcf879a13e717531ed7487193c622301eb5697976ebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\DotSetupSDK.dll

Filesize
36KB

MD5
c5b3f0dc8c98baaf896a8f87efdc24ab

SHA1
3699e63b22ebe3f1b16cbc8a5517755f4c6e0807

SHA256
d5daef9f701a0f8aa0ebbbb380ee96713edb7d3aa87ad8c6c3c90144a35d26fe

SHA512
b18fe88e14ad9c65f683ffd247874d23dbafc8b73e287cb0e1d42024d18f5c96a27b6bf882e35fc8232bcf879a13e717531ed7487193c622301eb5697976ebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\compat.dll

Filesize
656KB

MD5
32fcd7c614388162a012b74568375dba

SHA1
41351843d18354c09656ec7e9dce06bcd4409673

SHA256
d0c9d8eaf6b3e637c17294c9e759bd56acddcdfea006203ee2dae7b0204f2074

SHA512
6248e34c3060e927455a7ae3dee41dd3be0919cffd4a7570e572f16d2ad971f80e7a0649af49b2fdec26744716096edc248d2150c67a350d69374eff015fc17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\gcapi_dll.dll

Filesize
382KB

MD5
6573f1ce02c40c1ac551b400d00c3ad7

SHA1
a48482cc74991073e33896aa5b123a4bbe0a6a85

SHA256
83df177575b30d71dbe7c5a330d3ede62ba949bb57cee76fb4d46994e0d5fac9

SHA512
9a1b7bc388581c2e92dd64946bccba667441bfcb75b2248fd42c832f95d30126a26faed5d721296d7787f6e3efb963347cd23eb19bd3ee2cec8bd88b1105611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\gtapi.dll

Filesize
71KB

MD5
23700aa70d1751d592d8641fc0e0660f

SHA1
7ba497faeb0271abd74bc3a3f9233a545f67de65

SHA256
45b1a3bb2ae9622fefc1f131e7d4e6d32eb4f761dbbcccfe9e239b49f3b78521

SHA512
37de6dc813b5e813eafa7d176ae29464c74e4d92b0cb93a71f41dbc476597835ea431c3ccb7f5be82a2be6d79096a65fd3d820d391b52fa24bc64d468fab8cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rninst~1\ui_data\inst_config\rncompat.dll

Filesize
101KB

MD5
fbcacd3f6b24724300b36978c3d2bc0c

SHA1
4122cdaab2f50b3b36767e5bdbdce3a7f74b15fa

SHA256
3feb1507e3a1111e3ea3f9bf348b1def600f5bd7f44d360d489808ffd45cb1c6

SHA512
f9892f98e543f53d9fdc16bf3180d4014cea588ecee8ef501b6464f88b101e5e502f088fb207e8511b1f746bde13453971442157cf446bfcdf44b7853f33acd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe

Filesize
961KB

MD5
780aae7f5877ec859be7ee5edea4fc5e

SHA1
23002c636c49c7fd49e8d7583e7ddde6e7e52ae0

SHA256
4d286b3b9a7df1900a39bbcbd80c270d3738ea5fe3a3891a451fc4b15c6c032b

SHA512
3e0fa36be899752a857f203117fff783a3f2a2e4d3d35559132cdab7927cc7b72cd6928e6344a6b53b8ebc71362c2b42d485f701ebf857b3946094a21d2ee89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe

Filesize
961KB

MD5
780aae7f5877ec859be7ee5edea4fc5e

SHA1
23002c636c49c7fd49e8d7583e7ddde6e7e52ae0

SHA256
4d286b3b9a7df1900a39bbcbd80c270d3738ea5fe3a3891a451fc4b15c6c032b

SHA512
3e0fa36be899752a857f203117fff783a3f2a2e4d3d35559132cdab7927cc7b72cd6928e6344a6b53b8ebc71362c2b42d485f701ebf857b3946094a21d2ee89f

Download Submit
memory/3176-135-0x0000000000000000-mapping.dmp

Download
memory/3176-148-0x0000000072650000-0x0000000072660000-memory.dmp

Filesize
64KB

Download
memory/3176-149-0x0000000007C30000-0x00000000081D4000-memory.dmp

Filesize
5.6MB

Download
memory/3176-150-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/4936-132-0x0000000000000000-mapping.dmp

Download