Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
03/02/2024, 15:56
Static task
static1
Behavioral task
behavioral1
Sample
RvcDownloader.exe
Resource
win10v2004-20231215-en
General
-
Target
RvcDownloader.exe
-
Size
1.1MB
-
MD5
7f6ce9a396cae9d375cb1a56de268b84
-
SHA1
4129cc4492f057cc2ec78c195c1badd7ab3d9c65
-
SHA256
604d490b9d5dfff01c9fceb085798c6b42f5778c9f125457be654dc4f436ab04
-
SHA512
e3cfe5afbde8b7889767cd9556ddbff2a3652ab139f06f02ec27cbd638d05604b3cbd5dcc2732a62750ced77d32eeab69b92e7eca38fe434121611c8775c314d
-
SSDEEP
24576:YAKoSJz+0Iw0kyFKLjA4OInTbghKT+5YqyIkIIWV+05rk4o/iq6MH:HCS7wDNjA4OIPiDGqyIkHfy0N
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation RvcDownloader.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe Dllhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe Dllhost.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\java update.exe taskmgr.exe -
Executes dropped EXE 4 IoCs
pid Process 1616 Dllhost.exe 3560 Server.exe 656 Server.exe 5040 Server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." Dllhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." Dllhost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 31 2.tcp.eu.ngrok.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs
pid Process 3100 RvcDownloader.exe 3100 RvcDownloader.exe 1616 Dllhost.exe 1616 Dllhost.exe 3560 Server.exe 3560 Server.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 656 Server.exe 656 Server.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 1616 Dllhost.exe 5040 Server.exe 5040 Server.exe 1616 Dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3100 RvcDownloader.exe 1616 Dllhost.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 2760 taskmgr.exe Token: SeSystemProfilePrivilege 2760 taskmgr.exe Token: SeCreateGlobalPrivilege 2760 taskmgr.exe Token: SeDebugPrivilege 1616 Dllhost.exe Token: 33 2760 taskmgr.exe Token: SeIncBasePriorityPrivilege 2760 taskmgr.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: SeShutdownPrivilege 1548 unregmp2.exe Token: SeCreatePagefilePrivilege 1548 unregmp2.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe Token: 33 1616 Dllhost.exe Token: SeIncBasePriorityPrivilege 1616 Dllhost.exe -
Suspicious use of FindShellTrayWindow 49 IoCs
pid Process 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe -
Suspicious use of SendNotifyMessage 48 IoCs
pid Process 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe 2760 taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3100 RvcDownloader.exe 1616 Dllhost.exe 3560 Server.exe 656 Server.exe 5040 Server.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3100 wrote to memory of 1616 3100 RvcDownloader.exe 89 PID 3100 wrote to memory of 1616 3100 RvcDownloader.exe 89 PID 3100 wrote to memory of 1616 3100 RvcDownloader.exe 89 PID 1616 wrote to memory of 2892 1616 Dllhost.exe 92 PID 1616 wrote to memory of 2892 1616 Dllhost.exe 92 PID 1616 wrote to memory of 2892 1616 Dllhost.exe 92 PID 4976 wrote to memory of 4572 4976 wmplayer.exe 98 PID 4976 wrote to memory of 4572 4976 wmplayer.exe 98 PID 4976 wrote to memory of 4572 4976 wmplayer.exe 98 PID 4976 wrote to memory of 208 4976 wmplayer.exe 99 PID 4976 wrote to memory of 208 4976 wmplayer.exe 99 PID 4976 wrote to memory of 208 4976 wmplayer.exe 99 PID 208 wrote to memory of 1548 208 unregmp2.exe 100 PID 208 wrote to memory of 1548 208 unregmp2.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe"C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe3⤵
- Creates scheduled task(s)
PID:2892
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3560
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵PID:4572
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:656
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5040
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507B
MD525d1b50e7c0d451f3d850eb54d27ca05
SHA1a238807715c70a335f54e80d4855644b21a9e870
SHA256650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
SHA5124223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5
-
Filesize
64KB
MD5fc240c081ec382df4b74d591d7d37a45
SHA1396e9d8accb2ff8b32e6c3957808cb87d23ad47c
SHA2568cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
SHA512d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1.1MB
MD57f6ce9a396cae9d375cb1a56de268b84
SHA14129cc4492f057cc2ec78c195c1badd7ab3d9c65
SHA256604d490b9d5dfff01c9fceb085798c6b42f5778c9f125457be654dc4f436ab04
SHA512e3cfe5afbde8b7889767cd9556ddbff2a3652ab139f06f02ec27cbd638d05604b3cbd5dcc2732a62750ced77d32eeab69b92e7eca38fe434121611c8775c314d
-
Filesize
192KB
MD5f41faa9212ef320eb6ed1aeac222ab93
SHA11c111b75d430e33aeba08666664e4fa0930ed463
SHA256575ae4898ca0e80cca0e88c595d96ca20501cdfc3bd3908e8bc8d546e70718a4
SHA512d1c8709b64ba7b76477bb2d20185603f4aa0fc9eeb538339f64f6f2e979d540f43f0c06ae0cecf7a1b236a4c1ef6c836308d6b872ea35783efb38e1cf6105d4b
-
Filesize
1KB
MD56598555afb4ddb6dd093adadce301469
SHA1fce7ec371800175602a615abf24469abf6073c8a
SHA256b4906cebbf6d4ebeddab263c7c32fea23ed13a9cb8204162f72e196f13b424eb
SHA5127b30ea0edaa4d281c1176506ebbdd659c51473b64aac61c444aa09b40264d4112ed5ae88796ccd98ec89d94bd33f05839f793b818858c62d275ae8c8e864147a