Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
11-04-2023 00:27
General
-
Target
ac1a7c20a8b82d0a7f88a88ec2ba9c5b.exe
-
Size
1.8MB
-
MD5
ac1a7c20a8b82d0a7f88a88ec2ba9c5b
-
SHA1
d6038c54508285e9a91f9b91df8b1ab68545b609
-
SHA256
a1c3849c60a5d2e2a1ea7395310bf7ef4aefa043a211322223295724475a26af
-
SHA512
e7969935330a1db8a926bca4098399285586a0d019b9340dd84411c61beac89d0c304316fc21d4630b07feb69ee539d81d774723d8ad09cb0ba973989b5a3f9d
-
SSDEEP
49152:KolvmehC5I7hjyWUeSLaXC8DOy5rNj7zA7DO4X:KolvmO+I7VysJPxiDt
Malware Config
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac1a7c20a8b82d0a7f88a88ec2ba9c5b.exe"C:\Users\Admin\AppData\Local\Temp\ac1a7c20a8b82d0a7f88a88ec2ba9c5b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\RAVEndPointProtection-installer.exe"C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\ac1a7c20a8b82d0a7f88a88ec2ba9c5b.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:103⤵
- Executes dropped EXE
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:101⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeFilesize
570KB
MD5820f675bb7349c22036ca3d3d519864f
SHA146dc916e2bce1613fa8b3a67aaae045aa40df400
SHA25624604e8f52a8eb7336adc1013099f1e0404a7d4a7cf9da5786247eb8914cbfbc
SHA5129a010943b65054243de7fd397b334ce3dc93116c13770d93a3e72cac9a6837094ec5a2c3b0848e19eeff6338116431d051700ef50ccad15a275d3c8befc93e3e
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeFilesize
570KB
MD5820f675bb7349c22036ca3d3d519864f
SHA146dc916e2bce1613fa8b3a67aaae045aa40df400
SHA25624604e8f52a8eb7336adc1013099f1e0404a7d4a7cf9da5786247eb8914cbfbc
SHA5129a010943b65054243de7fd397b334ce3dc93116c13770d93a3e72cac9a6837094ec5a2c3b0848e19eeff6338116431d051700ef50ccad15a275d3c8befc93e3e
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeFilesize
570KB
MD5820f675bb7349c22036ca3d3d519864f
SHA146dc916e2bce1613fa8b3a67aaae045aa40df400
SHA25624604e8f52a8eb7336adc1013099f1e0404a7d4a7cf9da5786247eb8914cbfbc
SHA5129a010943b65054243de7fd397b334ce3dc93116c13770d93a3e72cac9a6837094ec5a2c3b0848e19eeff6338116431d051700ef50ccad15a275d3c8befc93e3e
-
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeFilesize
570KB
MD5820f675bb7349c22036ca3d3d519864f
SHA146dc916e2bce1613fa8b3a67aaae045aa40df400
SHA25624604e8f52a8eb7336adc1013099f1e0404a7d4a7cf9da5786247eb8914cbfbc
SHA5129a010943b65054243de7fd397b334ce3dc93116c13770d93a3e72cac9a6837094ec5a2c3b0848e19eeff6338116431d051700ef50ccad15a275d3c8befc93e3e
-
C:\Program Files\ReasonLabs\EPP\InstallerLib.dllFilesize
323KB
MD57fb0fb1a303f43feeb26681afa534d9d
SHA1e6db9cfb702c1b1b68db6fd9fd9553e2eeb67c76
SHA2565543c99defe596ec3b3b62ab0f1326a247562a199faf26ef24d44529b1ca1433
SHA51262380fb219cba2d8127358ed70276b23fe488a920f52fcc27e59283b56697defae416e8969acb540c360ce87617b06fb4a4e06607f7c08782e56ecb6c6d037bc
-
C:\Program Files\ReasonLabs\EPP\Uninstall.exeFilesize
1.8MB
MD5ac1a7c20a8b82d0a7f88a88ec2ba9c5b
SHA1d6038c54508285e9a91f9b91df8b1ab68545b609
SHA256a1c3849c60a5d2e2a1ea7395310bf7ef4aefa043a211322223295724475a26af
SHA512e7969935330a1db8a926bca4098399285586a0d019b9340dd84411c61beac89d0c304316fc21d4630b07feb69ee539d81d774723d8ad09cb0ba973989b5a3f9d
-
C:\Program Files\ReasonLabs\EPP\mc.dllFilesize
1.1MB
MD52690f0d6488ee419914ffc7ec46d4436
SHA1d6f84107e272a4a575abf83949be535de88e5d9f
SHA2562844d9737acd537cd2197563223e4284065f1df696a552b10c562036c6484ce5
SHA512498c9db08d348ce1a2c783df7be0f7db12c090915045b6eeffb42e17b8c8b3291c9b49c40734b60e41b6708dfc64e66fa27628749c1c4ae27661af9100d2e483
-
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dllFilesize
323KB
MD54f0e91be10ee8aa533975fe9d5fa257a
SHA12805d1c525af298ed7698456b627d140ad6b132c
SHA256b6b2faf01a3c46b7c08d6aaa5c78e4fddc1d25c447629e564ba6e4bd1a98f64f
SHA51281f1dba9b5c220722c00cd86b733fdec029f07e7861f1274c9c9117e4a530b00e766cc9488774a7f42f9f4e5fc94d8e8b830457de1350025dd04706ed06a14cf
-
C:\Program Files\ReasonLabs\EPP\ui\EPP.exeFilesize
2.2MB
MD5955bd70051bd2c7b8875563a200ddf1b
SHA19ede66e03a1b2055ac71650d09ce83a7e54063ab
SHA25687ae950a3d4a45481231e34948ac682b01af7a65a25ac4cfb1dd3b1e0bab0855
SHA5122d064a08c430a6c520dfa78839101fb2a0f106dcaf682c7260c2e25afa2977eaf7d25f307914c55fb2c000d324fa2725f150e105d20ae09b6c815f6cc8458e0c
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\ArchiveUtilityx64.dllFilesize
150KB
MD54fc9464d17d23f6540419a5fc496d8b8
SHA1b14c769ddaa2fa9681703fe4db0060f253baf051
SHA256e4636b0971e7c1af61d803cd1b0116dff6550348de42b47216321005c7cbaafc
SHA51209affc1c17d0b2b2e3a32426922abdec78eadccc222b4226b48f972d425c02d000f9cf9c0b0460d29af39f5f171116ec825e9f382f3f4533551aba2a0053234f
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\ArchiveUtilityx64.dllFilesize
150KB
MD54fc9464d17d23f6540419a5fc496d8b8
SHA1b14c769ddaa2fa9681703fe4db0060f253baf051
SHA256e4636b0971e7c1af61d803cd1b0116dff6550348de42b47216321005c7cbaafc
SHA51209affc1c17d0b2b2e3a32426922abdec78eadccc222b4226b48f972d425c02d000f9cf9c0b0460d29af39f5f171116ec825e9f382f3f4533551aba2a0053234f
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\ArchiveUtilityx64.dllFilesize
150KB
MD54fc9464d17d23f6540419a5fc496d8b8
SHA1b14c769ddaa2fa9681703fe4db0060f253baf051
SHA256e4636b0971e7c1af61d803cd1b0116dff6550348de42b47216321005c7cbaafc
SHA51209affc1c17d0b2b2e3a32426922abdec78eadccc222b4226b48f972d425c02d000f9cf9c0b0460d29af39f5f171116ec825e9f382f3f4533551aba2a0053234f
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\RAVEndPointProtection-installer.exeFilesize
531KB
MD5669e4e81a5618a7fffeab4b985ce1120
SHA1b121199e075c68fb29c401b4a46d5c636c386c06
SHA256c75abeb794038a9c303115cf5b779c3c011ba03b0e26e7bbbe4b36126788b341
SHA512aee9c4a00c99b70aee19539afad8155cacc5da4070c01255c4ac68eb0df90c6605b6f70ff41f4b3074374b017ca6480c6a72bdc9e50a3869f3de435705c5e164
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\RAVEndPointProtection-installer.exeFilesize
531KB
MD5669e4e81a5618a7fffeab4b985ce1120
SHA1b121199e075c68fb29c401b4a46d5c636c386c06
SHA256c75abeb794038a9c303115cf5b779c3c011ba03b0e26e7bbbe4b36126788b341
SHA512aee9c4a00c99b70aee19539afad8155cacc5da4070c01255c4ac68eb0df90c6605b6f70ff41f4b3074374b017ca6480c6a72bdc9e50a3869f3de435705c5e164
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\rsAtom.dllFilesize
155KB
MD5bf74043d14c622a42ea97d0a80a7562d
SHA1d6e119db758ac49edc8e3881cb02ffb1547f5cdf
SHA256df013e76ec6a8b71fc590c9509c43622baadfc218c536351d58f142b74aae31a
SHA512aab7dec66a8c77eba166fefbda983584d26886667ebdc45258abc7afdafdfb75af86ba2d1a72a298d600e44964600d96fd16821323e83c73e4ba45ba52c46ce4
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\rsJSON.dllFilesize
215KB
MD5318dd0089f6458f0c098d4a617a3d580
SHA11e2082ee1ba365c71b8f754df4d0d6f86836ac47
SHA256d1b6b90540f22b7ce374cba7a6ca3797d5b612030b2cd140044698025e165be9
SHA512d05a08098e2a83a4cee3263cd92a1e04495d341c21590fa38c1b5d7fbc75b3725c4e8a213896f98661cd0b30935dfb516292a25fb007c957c4b4742de57d4195
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\rsLogger.dllFilesize
177KB
MD58a26b568e6a5e2558729cb481ac07b8c
SHA1891223ee3412eb7aa007e3c42fee967a80a2c744
SHA2564a6a80ff0313f71ddfed32856ea3ae19967f890669ddc699f5e6a5f1fda1bd7d
SHA512b18122e03c99e538457385e9249e96bf47157142ab793f9a64e13457cc1870a26f106fc86932c4ca3be0bf0a3830967432833f66bda28d4a1bfb66c566519f71
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\rsStubLib.dllFilesize
236KB
MD5fe50d97bd52140c7adada5228d707d55
SHA1d464171f88c5ff0a54c72a484ffd1e997eac1f01
SHA256a72687758443d596617631aadaa49da712390186f1a04bc448722f21cd9f4664
SHA512ecf3203f8df276aa3d6e09ff8884a0ff1e71af704feb51e4b9303fb21ed0b22d3cc3730b4cf0bebb9164afff196678db3c5eb846e9813ef59d3d0afd18e47925
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\rsSyncSvc.exeFilesize
570KB
MD5820f675bb7349c22036ca3d3d519864f
SHA146dc916e2bce1613fa8b3a67aaae045aa40df400
SHA25624604e8f52a8eb7336adc1013099f1e0404a7d4a7cf9da5786247eb8914cbfbc
SHA5129a010943b65054243de7fd397b334ce3dc93116c13770d93a3e72cac9a6837094ec5a2c3b0848e19eeff6338116431d051700ef50ccad15a275d3c8befc93e3e
-
C:\Users\Admin\AppData\Local\Temp\nshF320.tmp\uninstall.icoFilesize
170KB
MD5af1c23b1e641e56b3de26f5f643eb7d9
SHA16c23deb9b7b0c930533fdbeea0863173d99cf323
SHA2560d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058
SHA5120c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4
-
memory/1536-206-0x000002297DA10000-0x000002297DA1E000-memory.dmpFilesize
56KB
-
memory/1536-476-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-209-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-210-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-211-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-207-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-205-0x000002297FB00000-0x000002297FB38000-memory.dmpFilesize
224KB
-
memory/1536-204-0x000002297DA00000-0x000002297DA08000-memory.dmpFilesize
32KB
-
memory/1536-203-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-202-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-201-0x0000022919620000-0x0000022919621000-memory.dmpFilesize
4KB
-
memory/1536-200-0x0000022919610000-0x0000022919611000-memory.dmpFilesize
4KB
-
memory/1536-199-0x000002297FA90000-0x000002297FABA000-memory.dmpFilesize
168KB
-
memory/1536-196-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-197-0x0000022919640000-0x0000022919641000-memory.dmpFilesize
4KB
-
memory/1536-195-0x000002297F270000-0x000002297F2A8000-memory.dmpFilesize
224KB
-
memory/1536-193-0x000002297DA50000-0x000002297DA80000-memory.dmpFilesize
192KB
-
memory/1536-191-0x000002297F230000-0x000002297F26E000-memory.dmpFilesize
248KB
-
memory/1536-189-0x000002297D630000-0x000002297D6B6000-memory.dmpFilesize
536KB
-
memory/1536-465-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-466-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-468-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-470-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-472-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-474-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-208-0x000002291A510000-0x000002291A520000-memory.dmpFilesize
64KB
-
memory/1536-478-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-480-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-482-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-484-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-486-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-488-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-490-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-492-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-494-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-496-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-498-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-500-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-502-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-504-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-506-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-508-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-510-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-512-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-514-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-516-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-518-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-520-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-522-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-524-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-526-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB
-
memory/1536-528-0x000002291C6A0000-0x000002291C6F1000-memory.dmpFilesize
324KB