640b114370fa81ff62ab647061a7fcd6537dc1e4b89b3aadb6317ec5ee759cbb

Analysis

max time kernel
58s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RBX Alt Manager.exe
Size

3.8MB
MD5

131932e4f1709c336a48394d010b839d
SHA1

03a63f9e44f317606361017c49982fabbcc84ae3
SHA256

348fd64bb5a77cece920aadaf8adc583d662342d84b2e1b42773c95a12cd658b
SHA512

3dcef7db833b7a318d092712d34edb8ecee1e9727ca2abc9ed2114a2473048a4e95c3e37ed15f2749bf3e79582abe77b4c78d1b8a07a6df78a9b216fd43d965b
SSDEEP

98304:V2bT1QzcmapX3TJcKGFjyPkqXf0Fk7WpW7:+QzWNdcKbPkSIk7yW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	2628	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	Auto Update.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	RBX Alt Manager.exe
Token: SeDebugPrivilege	2628	Auto Update.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1892	3516	RBX Alt Manager.exe	78
PID 3516 wrote to memory of 1892	3516	RBX Alt Manager.exe	78
PID 3516 wrote to memory of 1892	3516	RBX Alt Manager.exe	78
PID 1892 wrote to memory of 2628	1892	RBX Alt Manager.exe	79
PID 1892 wrote to memory of 2628	1892	RBX Alt Manager.exe	79
PID 1892 wrote to memory of 2628	1892	RBX Alt Manager.exe	79

C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
"C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 4304
      4⤵
      Program crash
      PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2628 -ip 2628
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RBX Alt Manager.exe.log

Filesize
1KB

MD5
49dba8ccb51a2b61192f2d0d076a9a94

SHA1
4d8a8fd2024145fe92decadfc0571344b7309e12

SHA256
239831e68c7d70c4712d4b6e0ef47f646e764b5cd259c97b4e8d25a9ef8f67cf

SHA512
76a7ebc2351cda876cf5b25f0d74514a2a74f0199df58cb31d5da340abad67959bceedd7aa9c4cdb2c4e97ae215b9c595bbb4ac1ec16fb6344b16e561eba2706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe.config

Filesize
2KB

MD5
3af58cc4ea567ff23275857a7662903b

SHA1
14cc53e5aaf65da4315436c9b85768ae04e94569

SHA256
b19b7fdd8aa951e1ad15cf5f2c901f1c0a2c9b86a87added6268a72c97d1aa88

SHA512
6d277743a1ac3fd520aa3e9dc2d3b6c8346d7f0dc2742ed716ae55ebd660e1cbe9bb754639cbda0d31561982bb89efd44c2328f382c27eb092339d0709dad253

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
933B

MD5
083c9613bea87bb1dcbf9bfee2c666fe

SHA1
7d310e72288eb118f3930664f835028084d999bf

SHA256
1480054437115d21b16e161d0b58bb8670831abf2aa5f21fc59b46afc01dbef9

SHA512
c9163d1802c5b53fe5fd57fa3ecc7e37d082fd6cb6d31fc98b8fe045ff422ee54cd0ebc43848cf823795f41aaaf0bd9cc775f652ed5bf7822bed49e66c69f360

Download Submit
memory/1892-145-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/2628-149-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2628-146-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/2628-147-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/2628-148-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2628-150-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2628-151-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2628-153-0x000000000A2E0000-0x000000000A2EA000-memory.dmp

Filesize
40KB

Download
memory/2628-154-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3516-140-0x0000000006880000-0x0000000006A06000-memory.dmp

Filesize
1.5MB

Download
memory/3516-137-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3516-135-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/3516-134-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/3516-133-0x00000000008F0000-0x0000000000CBA000-memory.dmp

Filesize
3.8MB

Download