e4c54831495a2717c6a8e1f6a67ae17f4b46e23a8d21836deb61dbff0b2256cd

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 18:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RCX/RCX.exe
Size

2.4MB
MD5

cb2910db65e1c7f468f3a82650486ccf
SHA1

8fac4c5dc4731b69b73dc4a68180225b7fa0656f
SHA256

b7acae52125a814ed6df47862832cbabb89e9796d7c1c120926bc37a0513785a
SHA512

1f4461fee6b84f9402d1ef70071dae1815f23c57186c3b8d8cffbf00effe1f1db37d7f796bc06f76ac294a334f4357ce6e1b770b4c44ac09216787c2a60d425a
SSDEEP

12288:41rDGR1ZDsD0brfV7V7VArfV7V7V7V7VArsrsrsrfV7V7V7V7V7V7V7V7VArsrf5:41GZDs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RCX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	RCX.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2312	RCX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2312	RCX.exe
2312	RCX.exe
1296	RCXDraw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1296	2312	RCX.exe	92
PID 2312 wrote to memory of 1296	2312	RCX.exe	92
PID 2312 wrote to memory of 1296	2312	RCX.exe	92

C:\Users\Admin\AppData\Local\Temp\RCX\RCX.exe
"C:\Users\Admin\AppData\Local\Temp\RCX\RCX.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\RCX\RCXDraw.exe
  "C:\Users\Admin\AppData\Local\Temp\RCX\RCXDraw.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-2-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/2312-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2312-1-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2312-3-0x0000000010000000-0x00000000103AB000-memory.dmp

Filesize
3.7MB

Download
memory/2312-4-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download