Analysis

  • max time kernel
    67s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-02-2023 01:24

General

  • Target

    CustomRP.1.17.2.exe

  • Size

    4.9MB

  • MD5

    20f3a68ce8ef5c34c82389855b3a4d77

  • SHA1

    d2d60c295a298f44ce13bb98765b9180c272cb16

  • SHA256

    f98167f2d64fec953dbd3161325428f157e02a43eab5e4bb2aa2c40575fc118c

  • SHA512

    c21a4a549f7339542fae554709bbcb48b26d2a974c23e82cc76aac8df8ed4908d1940cfd1ea7d3a85b1f4dfc661485aa47cbf4f9931766ae14174d6c784a4070

  • SSDEEP

    98304:AkLX56QgB7Fy3dYWKOldTejCpL3ZU1tVu1pRG49a301cCBL:fX56/B7Fk2+CRy849a3ZCBL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.2.exe
    "C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\is-2NS8U.tmp\CustomRP.1.17.2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2NS8U.tmp\CustomRP.1.17.2.tmp" /SL5="$60126,4039170,1081856,C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe
        "C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=CustomRP.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1016
  • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe
    "C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=CustomRP.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2040

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    95a6f45669a5e1c171cf56da1bcfb952

    SHA1

    a6293e8d33f2a9e80d3bec62ac9d4a0226afa1f6

    SHA256

    de5144b5ee191a45d1138a7d8f5004c317a5f3e7600b0fb20ba84d76dc8e16b8

    SHA512

    82e6a47014d534985c0db67d890c73e7ca2f7b1dbd3a42d157ef31c342cee335bb6eb097e80b8c5ecb0575458604dff2d3797a62e7400a1c41aae653f33d607a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    417e46929444c15cbe1cdaf356196ee7

    SHA1

    d381470dfa36b09f071bb5a152c787cbc4aabdbe

    SHA256

    2f9fe2ad836187480c0f087edde22f93b7a07cbc872c50cf37d8c27e4304b188

    SHA512

    72f08e50d6adbc13c318d24f3e7f172e0487633826e26d28775f4fb04b4192e3dd3eceaa195e642f0416d9d9999d0d1241824bb528e1bb9b2e3fedbf708aaee9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{02268E21-ACD8-11ED-BF3D-D6AAFEFD221A}.dat

    Filesize

    5KB

    MD5

    823d605e7d965b00a7d6237d324ae168

    SHA1

    ea57fa413d6f053e6e8c9c9c50015feb1a5f6401

    SHA256

    6855113cb43d23a2bcdaa030eaff11e4ba8dbe99dc41fa76f42a8505664997ab

    SHA512

    73a85b31387ae4ae3706255b397e81900ea1c06401972d575b8442d7dd845a596982671343e3b18499b69414b0708cc5310f799b92a83d5a5612a40069645930

  • C:\Users\Admin\AppData\Local\Temp\is-2NS8U.tmp\CustomRP.1.17.2.tmp

    Filesize

    3.3MB

    MD5

    3747b02515153a99a7b2502a33fd2ca3

    SHA1

    7fd85eed092f41ee06ff1cc27c30290450cd487f

    SHA256

    b9ba492fa0beec11cb1fc09db2241b53d7cd7a402d9c12ce05677f584eeb0011

    SHA512

    f85fbd4f30f6c67362a0876d5b28480a6ff1d6427be1f8c2ec0150e998f9138fcfbda61da59f9dac6b7acef09f46e446e391880b25e290c6b408c277e17ed879

  • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe

    Filesize

    1.1MB

    MD5

    0ab3da175bd76144e3d9e39235effbd9

    SHA1

    d6975f21b68091adfe0534331c0a037b252c52c3

    SHA256

    f03063fb625f27bb7969ec17a8958d18161c1446c4c512e3514efc4554d5635b

    SHA512

    d9d93f48b3ef7c1d566aedc6fd274fd5c0d751ed36832e710b0334a61029d3d068cfd84f9d109dc6dd739a882f7b2994678e1b59639ff5fd87944b6a1ac4e35a

  • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe.config

    Filesize

    4KB

    MD5

    938868fbadc7f25a3cb4ef9ced8e8757

    SHA1

    2875dd2465b7ec5ee4a46bad805b6026116505bb

    SHA256

    d9adf8d0d1083a63c539f96e6e9e9bfae291b14e2ea1c1bb5a6e6ecf89df9348

    SHA512

    38cce8346f59f43dd710eb8f7c35e126c471353681e5b25e8ac8dafe4eca0d0eb4209c54d56a3cd9161eda2e8b66c3cd93c3db616a1dc9e14da82fecee209db6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WVXAB54T.txt

    Filesize

    172B

    MD5

    1a506c41995225045e4dd57901829069

    SHA1

    4e1a74a1f46bb997aff32771d21565efe539159a

    SHA256

    e79b7a71372a2442f4a9ac3e0209d18945c78cfa3b8740c2972e4db38163cdac

    SHA512

    d2dec717f902fab5c0113d72aa7fd141465f673018ba6236e2088d2ae6e6b479ac16d4092d77f9e823ece592924afb32c21fa2d0c3d5830fd024455f5a45c549

  • \Users\Admin\AppData\Local\Temp\is-2NS8U.tmp\CustomRP.1.17.2.tmp

    Filesize

    3.3MB

    MD5

    3747b02515153a99a7b2502a33fd2ca3

    SHA1

    7fd85eed092f41ee06ff1cc27c30290450cd487f

    SHA256

    b9ba492fa0beec11cb1fc09db2241b53d7cd7a402d9c12ce05677f584eeb0011

    SHA512

    f85fbd4f30f6c67362a0876d5b28480a6ff1d6427be1f8c2ec0150e998f9138fcfbda61da59f9dac6b7acef09f46e446e391880b25e290c6b408c277e17ed879

  • \Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe

    Filesize

    1.1MB

    MD5

    0ab3da175bd76144e3d9e39235effbd9

    SHA1

    d6975f21b68091adfe0534331c0a037b252c52c3

    SHA256

    f03063fb625f27bb7969ec17a8958d18161c1446c4c512e3514efc4554d5635b

    SHA512

    d9d93f48b3ef7c1d566aedc6fd274fd5c0d751ed36832e710b0334a61029d3d068cfd84f9d109dc6dd739a882f7b2994678e1b59639ff5fd87944b6a1ac4e35a

  • \Users\Admin\AppData\Roaming\CustomRP\unins000.exe

    Filesize

    3.3MB

    MD5

    635f798839648d0317ce1df718027c2c

    SHA1

    285a63b56bff1a0daa0b33beb3c2fb8fd9220079

    SHA256

    f58171709b3b3c030dd8a0f790548977ad7842ecca1a07b38128b6e29dde4172

    SHA512

    38766030f136e16e538974f22dbd5e248a37d81f99c678a4173e02a94193cb65250360053cb9d911341a91fc22fc568b3d7604efae70fbaf4b3668ac438300d7

  • memory/900-70-0x0000000000400000-0x0000000000515000-memory.dmp

    Filesize

    1.1MB

  • memory/900-54-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

  • memory/900-61-0x0000000000400000-0x0000000000515000-memory.dmp

    Filesize

    1.1MB

  • memory/900-55-0x0000000000400000-0x0000000000515000-memory.dmp

    Filesize

    1.1MB

  • memory/952-62-0x00000000741E1000-0x00000000741E3000-memory.dmp

    Filesize

    8KB

  • memory/952-58-0x0000000000000000-mapping.dmp

  • memory/1664-67-0x0000000000000000-mapping.dmp