Analysis Overview
SHA256
cb6f91dc0ef15705a4449ece2ee7324c9e24a75dbf852651d095179dcaf2739b
Threat Level: Known bad
The file RejSpacer72.exe was found to be: Known bad.
Malicious Activity Summary
GCleaner
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-02 05:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-02 05:31
Reported
2023-07-02 05:32
Platform
win10v2004-20230621-en
Max time kernel
40s
Max time network
44s
Command Line
Signatures
GCleaner
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{f4724154-103f-11ee-9fa7-806e6f6e6963}\6QC5LufDLiAxuJ.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe
"C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe"
C:\Users\Admin\AppData\Roaming\{f4724154-103f-11ee-9fa7-806e6f6e6963}\6QC5LufDLiAxuJ.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "RejSpacer72.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RejSpacer72.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "RejSpacer72.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| NL | 45.12.253.56:80 | 45.12.253.56 | tcp |
| NL | 45.12.253.72:80 | 45.12.253.72 | tcp |
| NL | 45.12.253.75:80 | 45.12.253.75 | tcp |
| US | 8.8.8.8:53 | 56.253.12.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.253.12.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.253.12.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 13.89.179.10:443 | | tcp |
Files
memory/3560-133-0x0000000000400000-0x0000000001318000-memory.dmp
memory/3560-134-0x0000000000400000-0x0000000001318000-memory.dmp
C:\Users\Admin\AppData\Roaming\{f4724154-103f-11ee-9fa7-806e6f6e6963}\6QC5LufDLiAxuJ.exe
| MD5 | 3fb36cb0b7172e5298d2992d42984d06 |
| SHA1 | 439827777df4a337cbb9fa4a4640d0d3fa1738b7 |
| SHA256 | 27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6 |
| SHA512 | 6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c |
memory/3560-142-0x0000000010000000-0x000000001001B000-memory.dmp
memory/3560-147-0x0000000000400000-0x0000000001318000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G63C5RNT\dll[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/3560-159-0x0000000000400000-0x0000000001318000-memory.dmp