Analysis
max time kernel: 78s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2023 19:18
Static task: static1
Behavioral task: behavioral1
  Sample: g1wxxdmz.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: g1wxxdmz.exe
  Resource: win10v2004-20230220-en
General
Target: g1wxxdmz.exe
Size: 1.7MB
MD5: 3ee020029ff565966fcaa7945046ba2e
SHA1: e77da75107a3b45226fcae0ab9f1be2ab678005b
SHA256: 1f1b5c216688dca0d9e9dbabde3325226e064ce2a1534e86bd0c00785f37eeab
SHA512: d070d20ee6b1b8b4c9407bc3f6cd6acd2e3d71e303ce94eedfb24ab4acec79d58cebb4dec379b18d17915c64030dffd1bbcaa0d24568fa9af3fe2ca5c49b9386
SSDEEP: 49152:56lLXnSXQIYzUbB54moWOdv38hsy7JQ6AnxDGfF:56l2gDzU954QgEhDNQtnxqt
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3404  process RAVEndPointProtection-installer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description Token: SeDebugPrivilege  pid 3404  process RAVEndPointProtection-installer.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description PID 4792 wrote to memory of 3404  pid 4792  process g1wxxdmz.exe  target process RAVEndPointProtection-installer.exe
    description PID 4792 wrote to memory of 3404  pid 4792  process g1wxxdmz.exe  target process RAVEndPointProtection-installer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\g1wxxdmz.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\g1wxxdmz.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\RAVEndPointProtection-installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\g1wxxdmz.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\RAVEndPointProtection-installer.exe
  Filesize: 532KB
  MD5: c003d9a41ea705f7ceadd009687bd73e
  SHA1: c73247b97afa351b2e7d5913305ed90bdd6a4495
  SHA256: 49453f9d53dbc592b3eefa46e0dfd44e3ed06fb97c904c6af9e274dd63507d33
  SHA512: e55fb7e3973d69f8a580e00213aa66dc1fcaec2fcb1c31a2a02dcae18b0b0f32120615bd1c8edd5fd2dc85dc4dc8886d1972aed6d063fecce83f1f2fa5b0052e
- C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\rsAtom.dll
  Filesize: 156KB
  MD5: 918d0cc3b06cc7eb209498668b445335
  SHA1: b93eb4b05355932b32e825d9385edd156fa5044a
  SHA256: eedc9e5cf0004233f04253bf3ff9550853f3843736847f87e0fd5247dd2f7e56
  SHA512: 00ceb3c5e756d16b6b44ae8e726c04587c6b7a97e48746c9bc6d542daee28dc0fd49066239208c91341c004836a8a1121c8b2b8397e79075bdc6a66260a44ee7
- C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\rsJSON.dll
  Filesize: 215KB
  MD5: 3110b4bb16cc0841f6a6fbe7bf8d763f
  SHA1: 6b9b348c897474941a6210031e3d34b3c091bde9
  SHA256: d92c4525e454236f79961b2d31a648353faf96fc167b2198004a13fab4ce1168
  SHA512: c59f596b20f6b59ac632e5c48094e61c5e7a4f8491e5302e5ce4755cc0d880a9fcb1859dccceaf3c1e8f2d3421b462817ce91b89bce404eee04477e28df456da
- C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\rsLogger.dll
  Filesize: 177KB
  MD5: 55fc8a6db9b869b96c6d1aea83cdc077
  SHA1: 62c08a1610d3f34361c8026085be53ca7ab86c29
  SHA256: d0381b4d8da37f1d36bd80fb73b484e0f8335e03504ddeea2bd7302097c25ca1
  SHA512: 7faf52efbdbc0a489f05a508dfa82ffe137a2340c39383dff27859e84a34a0488de221c9cc6fcbd91098bb048d694c99dce846be64cf7971a56a90434d2b75bc
- C:\Users\Admin\AppData\Local\Temp\nsw739F.tmp\rsStubLib.dll
  Filesize: 221KB
  MD5: 06b11240e4500c2986a4733b191d6e98
  SHA1: 19b3a71835b7dd165ddbe2c1e47d2bc919e70e83
  SHA256: 691de46d75f87fc7b36ec8155c0cabcebe7bad6edc4849c42a3782315f4f1f82
  SHA512: a65b81bba1ec9203da414f88df632831b7163de190cf07dd7af3efa229b7c18a48ef318165cd604c0f16b9a1ec9998171589298fa820522198197fb02f109280
- memory/3404-197-0x000001F3C2780000-0x000001F3C2781000-memory.dmp  Filesize: 4KB
- memory/3404-201-0x000001F3DD160000-0x000001F3DD16E000-memory.dmp  Filesize: 56KB
- memory/3404-193-0x000001F3DCD10000-0x000001F3DCD48000-memory.dmp  Filesize: 224KB
- memory/3404-189-0x000001F3C27E0000-0x000001F3C281A000-memory.dmp  Filesize: 232KB
- memory/3404-195-0x000001F3DCD50000-0x000001F3DCD7A000-memory.dmp  Filesize: 168KB
- memory/3404-196-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-187-0x000001F3C0BE0000-0x000001F3C0C66000-memory.dmp  Filesize: 536KB
- memory/3404-198-0x000001F3C2760000-0x000001F3C2761000-memory.dmp  Filesize: 4KB
- memory/3404-199-0x000001F3DCFE0000-0x000001F3DCFE8000-memory.dmp  Filesize: 32KB
- memory/3404-191-0x000001F3C27A0000-0x000001F3C27D0000-memory.dmp  Filesize: 192KB
- memory/3404-200-0x000001F3DE7F0000-0x000001F3DE828000-memory.dmp  Filesize: 224KB
- memory/3404-202-0x000001F3C2770000-0x000001F3C2771000-memory.dmp  Filesize: 4KB
- memory/3404-203-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-204-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-205-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-206-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-207-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-208-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB
- memory/3404-209-0x000001F3DB1B0000-0x000001F3DB1C0000-memory.dmp  Filesize: 64KB