4cd1a3fabda64aa2ed1c81643bd46bd8698038f0c5be83e408ecd1c4fa175c63

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INQ 4419-R1.exe
Size

420KB
MD5

b85a69cbd2e9dbbb2f5d3141bb942daf
SHA1

6f460df7dcbbd0209fcda977a6056086b2e39620
SHA256

4cd1a3fabda64aa2ed1c81643bd46bd8698038f0c5be83e408ecd1c4fa175c63
SHA512

aace1d881cf6dd109377191a953bc11701686e3d5b79bce0b76d588090c217ea1f5ade50fe83f32428abee67f3af2e22d789a90e8d947a5e71e6d25e7d1ea2c9
SSDEEP

12288:RGSuP0Pf27bI2aiCpvcwvuqDqXncc6E8Vy+CwY3zCE:RluPUN2anpBW1XR8Vhij

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	rdsro.exe

Executes dropped EXE 2 IoCs

pid	Process
720	rdsro.exe
3884	rdsro.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 3884	720	rdsro.exe	65
PID 3884 set thread context of 3896	3884	rdsro.exe	14
PID 3884 set thread context of 380	3884	rdsro.exe	95
PID 380 set thread context of 3352	380	systray.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	720	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
3884	rdsro.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
720	rdsro.exe
3884	rdsro.exe
3896	INQ 4419-R1.exe
3896	INQ 4419-R1.exe
380	systray.exe
380	systray.exe
380	systray.exe
380	systray.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	rdsro.exe
Token: SeDebugPrivilege	380	systray.exe
Token: SeManageVolumePrivilege	2036	svchost.exe
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3352	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 720	3896	INQ 4419-R1.exe	30
PID 3896 wrote to memory of 720	3896	INQ 4419-R1.exe	30
PID 3896 wrote to memory of 720	3896	INQ 4419-R1.exe	30
PID 720 wrote to memory of 3884	720	rdsro.exe	65
PID 720 wrote to memory of 3884	720	rdsro.exe	65
PID 720 wrote to memory of 3884	720	rdsro.exe	65
PID 720 wrote to memory of 3884	720	rdsro.exe	65
PID 3896 wrote to memory of 380	3896	INQ 4419-R1.exe	95
PID 3896 wrote to memory of 380	3896	INQ 4419-R1.exe	95
PID 3896 wrote to memory of 380	3896	INQ 4419-R1.exe	95
PID 380 wrote to memory of 2996	380	systray.exe	108
PID 380 wrote to memory of 2996	380	systray.exe	108
PID 380 wrote to memory of 2996	380	systray.exe	108

C:\Users\Admin\AppData\Local\Temp\INQ 4419-R1.exe
"C:\Users\Admin\AppData\Local\Temp\INQ 4419-R1.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\rdsro.exe
  "C:\Users\Admin\AppData\Local\Temp\rdsro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\rdsro.exe
    "C:\Users\Admin\AppData\Local\Temp\rdsro.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 520
    3⤵
    - Program crash
    PID:2256
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2996

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720
1⤵
PID:2276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ogqfsosjxzw.kle

Filesize
231KB

MD5
3eb81a514ca0106b42073723013ff2a1

SHA1
a913332af8a397659bd92a49ebb727e7ed99217b

SHA256
a53459e33359f99ba5ba5fef15cfaa6a8c3d576bdbd7c49874c27043bb11070e

SHA512
1fc7e6606a27d6dfa617eef3179b193089deb036a8fbb9b10702a6dfde6d6958a6a6596af20087183fb8b4ecf7fefafcfc9e0d774b29e29a4906a78ece58fa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdsro.exe

Filesize
295KB

MD5
e30518917841cb8b1162dd8733f8fdb3

SHA1
6cd7d168c700fd69dfb254b713960e9662b1de12

SHA256
0d62c2e9d1769c3707aea2887f9ecae663cbc7334780bf85960642e6764227fc

SHA512
51198e5d2886f74c0a172a253a58581801ffcea5dbf18403420de45ed414a2c39fc5c16598816d08d922735d33b1da80a4ba5117b291dc7bb2e377be87cedf68

Download Submit
memory/380-19-0x0000000002520000-0x00000000025B1000-memory.dmp

Filesize
580KB

Download
memory/380-18-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/380-17-0x0000000002520000-0x00000000025B1000-memory.dmp

Filesize
580KB

Download
memory/380-16-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/380-11-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/380-15-0x0000000002630000-0x000000000297A000-memory.dmp

Filesize
3.3MB

Download
memory/380-13-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/720-5-0x0000000002D70000-0x0000000002D72000-memory.dmp

Filesize
8KB

Download
memory/2036-44-0x0000026128640000-0x0000026128650000-memory.dmp

Filesize
64KB

Download
memory/2036-28-0x0000026128540000-0x0000026128550000-memory.dmp

Filesize
64KB

Download
memory/2036-60-0x00000261309A0000-0x00000261309A1000-memory.dmp

Filesize
4KB

Download
memory/2036-62-0x00000261309D0000-0x00000261309D1000-memory.dmp

Filesize
4KB

Download
memory/2036-63-0x00000261309D0000-0x00000261309D1000-memory.dmp

Filesize
4KB

Download
memory/2036-64-0x0000026130AE0000-0x0000026130AE1000-memory.dmp

Filesize
4KB

Download
memory/3352-20-0x0000000007140000-0x0000000007237000-memory.dmp

Filesize
988KB

Download
memory/3352-27-0x0000000007140000-0x0000000007237000-memory.dmp

Filesize
988KB

Download
memory/3884-9-0x00000000018A0000-0x0000000001BEA000-memory.dmp

Filesize
3.3MB

Download
memory/3884-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-10-0x00000000029F0000-0x0000000003148000-memory.dmp

Filesize
7.3MB

Download
memory/3896-12-0x00000000029F0000-0x0000000003148000-memory.dmp

Filesize
7.3MB

Download