a85c2cda61c3af339cc84922fd7a3b6c534efaa5a4e09d89b0af4c90ed52389b

Analysis

max time kernel
85s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/02/2023, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roguelegacy (1).exe
Size

64.1MB
MD5

39c68f7d5167e7166a22be56fdf63218
SHA1

55ce4dd6159efcc8ea2d42fa019c97f05fb4502e
SHA256

169b9c61242616ba58675bc093b7aff441f23686280a903fc5fff85bce615cee
SHA512

4b1036fa9c0a4c8c249aeda5eceff53e5acb1e83499bc97c75e6ae11fc9e6626a808a5c7ef992162142f999cb6b6e75fe18b52f6bd7215e6b6f37cced0eaa586
SSDEEP

1572864:M2syXKJyR0JCSTZZFVf7b4a3+0ciLjLj7dchPfbt5X7:M2syX1Ap4aO0ciLjL/dcxh5X7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	Roguelegacy.exe

Loads dropped DLL 6 IoCs

pid	Process
1168	Roguelegacy (1).exe
1168	Roguelegacy (1).exe
1168	Roguelegacy (1).exe
1168	Roguelegacy (1).exe
1088	Roguelegacy.exe
1088	Roguelegacy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1168	Roguelegacy (1).exe
Token: SeShutdownPrivilege	1088	Roguelegacy.exe
Token: SeShutdownPrivilege	1088	Roguelegacy.exe
Token: SeShutdownPrivilege	1088	Roguelegacy.exe
Token: SeShutdownPrivilege	1088	Roguelegacy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1088	1168	Roguelegacy (1).exe	27
PID 1168 wrote to memory of 1088	1168	Roguelegacy (1).exe	27
PID 1168 wrote to memory of 1088	1168	Roguelegacy (1).exe	27
PID 1168 wrote to memory of 1088	1168	Roguelegacy (1).exe	27
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28
PID 1088 wrote to memory of 1528	1088	Roguelegacy.exe	28

C:\Users\Admin\AppData\Local\Temp\Roguelegacy (1).exe
"C:\Users\Admin\AppData\Local\Temp\Roguelegacy (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
  C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe
    "C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Roguelegacy" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1144,i,4977435434483981341,16054652953088880239,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\resources.pak

Filesize
5.1MB

MD5
bd17bd87b4a2f1fc2ba31e6f58b19a32

SHA1
838294ed3d4d0cb11ea14ff6c200f33e75156e22

SHA256
d4297566631f6addf3492559462ece0c2e9b42f29faf873ebd01fc424f9f8e6f

SHA512
1b9970dc73b4e647841712542c9751c727e6d33b45e987c42b49741e1873d540406f47bb9b869d334786191844071aac66043435f09510be5a141f518ca1f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\resources\app.asar

Filesize
28.0MB

MD5
cb1b3b9384332f4bd6c5dcd401e148ce

SHA1
f0356dcecbfcc32c493a1fbb9b93555b4ff18a1c

SHA256
a4986712c476c12caf7fb8d6582ec682ce964851d58316fc5b723d202b4f3b03

SHA512
52d5e0e60b0acc7b012260febbab212fa68f5d9a525b41c821256828584f8acc9871f5dce88891bd77b90fd9cf923fe1059d9cd9ad545d5835ca8d28a3d4516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\v8_context_snapshot.bin

Filesize
471KB

MD5
0e92bb66ea722338663d6d2d891b5d35

SHA1
b73c8560c974dc9b17488a7b50895dc03f43bc6f

SHA256
e795edcbe49ef9dbe4ad88c4fce19076fafc13f56353753a39e35a3355c3d2d1

SHA512
cc8e28d47f1298382645e658deecf784fcdb9e4eca44537eff878d090be215c437d87e709c186947f798a46580517bac76bb9d69c09830991ed1d94d29e2a367

Download Submit
\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\Roguelegacy.exe

Filesize
150.6MB

MD5
ee9cd1c27e5bb4b12710fda9e12b8fa1

SHA1
4f97f233f3d31f04922ea67bbda3fb449f72a138

SHA256
2239a0fda685d6cca7b1d219c8e66828ce4ec2ccca75dabd21bc518c841d41df

SHA512
92ffbeb063d07aa515ec4b90177abeaaf1f771543bb8d5b97294d763d10482e1d53308f7c7b8325c73c69ff1e80ff0ba0a60d8253e496424ac00070ee135e83e

Download Submit
\Users\Admin\AppData\Local\Temp\2LJnC5syyOhcu9EYXw7BX3MfaQ7\ffmpeg.dll

Filesize
2.6MB

MD5
0b003a4518c24a426554920171f7a842

SHA1
d64f248f642373c899011a6f0e125335b067a56f

SHA256
d4caab8ba7c39c32d88408b96622c065c31b7c5578a3d58c591b0dba609c4535

SHA512
9581b6473cdb52f8735f0ad92b01caffd95646e6231e20f0b0919aa89faec01561052ed9a0b650a79dfe915bcd3036095e761c87e02bd384b37417e4e7c59298

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1F94.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1F94.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1F94.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1088-67-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1168-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download