Overview

overview

9

Static

static

1

33877b8884...e1.exe

windows7-x64

9

33877b8884...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2023 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33877b8884cf90087c656b31329e41e1.exe

  • Size

    1.7MB

  • MD5

    33877b8884cf90087c656b31329e41e1

  • SHA1

    52b056b754639d8eb0262d9ca4f73120cad556a1

  • SHA256

    e652030ce495ca211f8556f7ed80ef7d87cb52c3c5e1fb810a83e3903b05fd6f

  • SHA512

    c08a4cb57c4c69f63c58df2ed8c3ff18fe99d4bb230f0b4608a074bac54e5a4519a8583a906b293aca71c8140576af9906033214b5e44b81b7ce778dd47cfe3f

  • SSDEEP

    49152:7ql3+9C105dOZp76JFx15JwBdQT9lniLbTmwNZ304E:7ql3m405Yr76JNHwBuUT5Z3I

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33877b8884cf90087c656b31329e41e1.exe
    "C:\Users\Admin\AppData\Local\Temp\33877b8884cf90087c656b31329e41e1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\RAVEndPointProtection-installer.exe
      "C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\33877b8884cf90087c656b31329e41e1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        3⤵
        • Executes dropped EXE
        PID:2096
  • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
    "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
    1⤵
    • Executes dropped EXE
    PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
    Filesize

    583KB

    MD5

    81379bea79c65a1e6962f44a24d60827

    SHA1

    f228c69a65e71a8a8d2e7fe2f09589dec45be550

    SHA256

    fe9d2c590d0eb3c77728a612b62c9af0d596209229573c8c2a2803c673cf7365

    SHA512

    fd5085cb26c20a6158a1b066deceaec6884bcab7783e0a204c2b93a80647d4d14a80b57352fc3ae4dd6e66102dc5d50542e8de453da8d3e197d1bd23c9130075

    Download Submit
  • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
    Filesize

    583KB

    MD5

    81379bea79c65a1e6962f44a24d60827

    SHA1

    f228c69a65e71a8a8d2e7fe2f09589dec45be550

    SHA256

    fe9d2c590d0eb3c77728a612b62c9af0d596209229573c8c2a2803c673cf7365

    SHA512

    fd5085cb26c20a6158a1b066deceaec6884bcab7783e0a204c2b93a80647d4d14a80b57352fc3ae4dd6e66102dc5d50542e8de453da8d3e197d1bd23c9130075

    Download Submit
  • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
    Filesize

    583KB

    MD5

    81379bea79c65a1e6962f44a24d60827

    SHA1

    f228c69a65e71a8a8d2e7fe2f09589dec45be550

    SHA256

    fe9d2c590d0eb3c77728a612b62c9af0d596209229573c8c2a2803c673cf7365

    SHA512

    fd5085cb26c20a6158a1b066deceaec6884bcab7783e0a204c2b93a80647d4d14a80b57352fc3ae4dd6e66102dc5d50542e8de453da8d3e197d1bd23c9130075

    Download Submit
  • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
    Filesize

    583KB

    MD5

    81379bea79c65a1e6962f44a24d60827

    SHA1

    f228c69a65e71a8a8d2e7fe2f09589dec45be550

    SHA256

    fe9d2c590d0eb3c77728a612b62c9af0d596209229573c8c2a2803c673cf7365

    SHA512

    fd5085cb26c20a6158a1b066deceaec6884bcab7783e0a204c2b93a80647d4d14a80b57352fc3ae4dd6e66102dc5d50542e8de453da8d3e197d1bd23c9130075

    Download Submit
  • C:\Program Files\ReasonLabs\EPP\Uninstall.exe
    Filesize

    832KB

    MD5

    56ac7051b8d41aabc904dc94858f1428

    SHA1

    73545dd426c89c99bb6f87cc72f3e5e4fdb45677

    SHA256

    3e065f9d61605bdbccf72c7132e069b96206dc755e45dabd24119fde26e89e49

    SHA512

    60d5423201967afbbb6c76180715de4a079292a9fbdcd3eb8f64d015352d5e6376e6595944cbb4782b619e4e853b548f2f0a1ca981fc77f7136d7627532d4493

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\ArchiveUtilityx64.dll
    Filesize

    162KB

    MD5

    fb4169f7c216c2012cd4bec0829e258c

    SHA1

    79f6c0bc5c4902c2b09a284d25d96069da098925

    SHA256

    e1f4114bcfadd788d8728b1b2eae22747b7bb165c10720026199b418d1a62238

    SHA512

    6e89dcf7b1ae4840c660624f6db8c16d052df846a5692896151263e7d8865e43343bcdcf526dbc46e35f7733e83035bae0afe5eb8816bbe9134d25c3d8e0e67d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\ArchiveUtilityx64.dll
    Filesize

    162KB

    MD5

    fb4169f7c216c2012cd4bec0829e258c

    SHA1

    79f6c0bc5c4902c2b09a284d25d96069da098925

    SHA256

    e1f4114bcfadd788d8728b1b2eae22747b7bb165c10720026199b418d1a62238

    SHA512

    6e89dcf7b1ae4840c660624f6db8c16d052df846a5692896151263e7d8865e43343bcdcf526dbc46e35f7733e83035bae0afe5eb8816bbe9134d25c3d8e0e67d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\ArchiveUtilityx64.dll
    Filesize

    28KB

    MD5

    cf4e8ff5fc92731578ec98971703030a

    SHA1

    0e05e68fc98a51ce5d6b259286a7b45f78fd01eb

    SHA256

    963f1af85a4a0700100dbda5bafad5e7a33bfd824d637e08df50e413d2ac00c5

    SHA512

    8d5fe535c6a964979839e977dc84c9221217e1dc9c3bcd70c05ce264c44ca04426248002bfe65e8bb16cbeeef02b8e286c3ac77c77630604db67208eb88e3233

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\RAVEndPointProtection-installer.exe
    Filesize

    545KB

    MD5

    59cef2794999cb23e559b7444b3fa985

    SHA1

    c002d1d3e35d1c9e088758e879c8f8216ce3dfd6

    SHA256

    70861a27c89d4d96f6890b34ae95d60e088464621262bb01ccd9902207a89e8d

    SHA512

    5b72bec356d6cd8e6c36d1bd600583941ac793465dd4c12014477db29ff4da8a9ffb66aeb0e62e2187f869d3ca2b3f0c2c55dc158a75bc09bad44d327a44a250

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\RAVEndPointProtection-installer.exe
    Filesize

    545KB

    MD5

    59cef2794999cb23e559b7444b3fa985

    SHA1

    c002d1d3e35d1c9e088758e879c8f8216ce3dfd6

    SHA256

    70861a27c89d4d96f6890b34ae95d60e088464621262bb01ccd9902207a89e8d

    SHA512

    5b72bec356d6cd8e6c36d1bd600583941ac793465dd4c12014477db29ff4da8a9ffb66aeb0e62e2187f869d3ca2b3f0c2c55dc158a75bc09bad44d327a44a250

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\rsAtom.dll
    Filesize

    183KB

    MD5

    940e1fef77deaa462294c246907bba56

    SHA1

    53c0492a8ce02e571d4f5947594d8ce1d8ab9764

    SHA256

    76917aee9a495adc0448e5e2eaae71a630a5e8fb8b2634511ce758852b5edc69

    SHA512

    16deb5cdff128c869aec334f99b5e03c7611c9ddfdb79bb386dc6f277796c969ffbbf87cefd8efeed2e975371c514726c1789b701fdec06909124db7e8ade93a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\rsJSON.dll
    Filesize

    227KB

    MD5

    90f39f7496a36deaecba2fc7cdb1df03

    SHA1

    e479c40d3c178249e76586861feac8cc42a6d2e1

    SHA256

    febcb1444adbc967b4e2676791768a09252fa3425784023e336e9001e0ba1f60

    SHA512

    eff35fc63b19e32bbfa0855645480223aca335f6e88dbca48420290181bf2b6a27916f4bb6870d79015de3665de51756e821fcdc60ea4bf9e7a4a15d3d25d739

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\rsLogger.dll
    Filesize

    189KB

    MD5

    162516b6ea44a1f893fec9e64bce7c74

    SHA1

    837d32925c1f526adfa385c12c41ad349c1cc194

    SHA256

    20488cedcff8554f303433932678767acf8c08a38d0d12b22b32503eb5908998

    SHA512

    319564240a9a823355bc06e88d80f70e46ff4aacaa6d82a6a3a57691afc4ba2c08425d051f00987f4866db2c614b65733c28daa46dcedfa735d0adffbfea4829

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\rsStubLib.dll
    Filesize

    231KB

    MD5

    078f8a969512ec188983e8fad883f529

    SHA1

    bf62840b7844f15cc1804e9b6a1d8a0859fe3f4e

    SHA256

    c0bc2701aae8034585d7881cd64cb0b884e84f816f23b6360e43f9100a875057

    SHA512

    796abd9239cb682e8c90bdc95264457d1a4dee7024e8c729d99c62c6972128aadabe7004b6fce46dbebf0c3aabc4874b9fe6f8c1732f7d318d98cd456df91dea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsrB25E.tmp\rsSyncSvc.exe
    Filesize

    583KB

    MD5

    81379bea79c65a1e6962f44a24d60827

    SHA1

    f228c69a65e71a8a8d2e7fe2f09589dec45be550

    SHA256

    fe9d2c590d0eb3c77728a612b62c9af0d596209229573c8c2a2803c673cf7365

    SHA512

    fd5085cb26c20a6158a1b066deceaec6884bcab7783e0a204c2b93a80647d4d14a80b57352fc3ae4dd6e66102dc5d50542e8de453da8d3e197d1bd23c9130075

    Download Submit
  • memory/2200-201-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-209-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-202-0x0000021279730000-0x0000021279738000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2200-203-0x0000021279780000-0x00000212797B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2200-204-0x0000021279740000-0x000002127974E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2200-205-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-206-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-207-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-208-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-200-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-199-0x000002125D950000-0x000002125D951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2200-198-0x000002125D940000-0x000002125D941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2200-196-0x00000212794A0000-0x00000212794B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2200-197-0x000002125D960000-0x000002125D961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2200-195-0x00000212794B0000-0x00000212794DE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2200-193-0x0000021279460000-0x0000021279498000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2200-191-0x000002125D9C0000-0x000002125D9F0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2200-189-0x000002125D980000-0x000002125D9BA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2200-187-0x000002125D570000-0x000002125D5F6000-memory.dmp
    Filesize

    536KB

    Download