dceb403322c56504e7df3c96414097994ae92ef0e659a84ba6447aecc9e37fdf

Analysis

max time kernel
592s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cracking/Core RDP.exe
Size

521KB
MD5

c0596a4239ffc9e162bac50b57a1351d
SHA1

0ea8c8873b947713957d80f0cfd2196ac6355d76
SHA256

075f1e405d224212be9dfce4f465ea042d5ffbc130c27173dfc574e926cbef99
SHA512

bf616a10eece91808b8563bedd54ed865e35e77a4a61a1773025b808ad1b0ab414b93cd27597b0fefa3f386bfe5fb44246247da792db88cc1c2b1902daa7b042
SSDEEP

12288:9rMIztyCK5x8CBmn+RrNbEyWYa0Ie1vUx9VS:7ZyCA8CBmn+RrNj9ay5IS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Core RDP.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	gCore RDP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Core RDP.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\gVSTOInstaller.ico	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\gOSE.ico	Core RDP.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Core RDP.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjabswitch.exe	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	Core RDP.exe
File opened for modification	C:\Program Files\7-Zip\RCX9E25.tmp	Core RDP.exe
File created	C:\Program Files\7-Zip\7zG.exe	Core RDP.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gInspectorOfficeGadget.ico	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjmap.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCXA4DB.tmp	Core RDP.exe
File opened for modification	C:\Program Files\7-Zip\RCX9E85.tmp	Core RDP.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gjhat.ico	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	Core RDP.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gjavac.ico	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gjcmd.ico	Core RDP.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gjavah.ico	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjavac.exe	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\gmisc.ico	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjjs.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjar.exe	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gjconsole.ico	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe	Core RDP.exe
File created	C:\Program Files\Java\jre-1.8\bin\gjabswitch.ico	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\gFLTLDR.EXE	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\gmisc.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\gmisc.exe	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	Core RDP.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\gjhat.exe	Core RDP.exe
File created	C:\Program Files\Microsoft Office\root\Office16\gCLVIEW.ico	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCXA49C.tmp	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	Core RDP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui	Core RDP.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\gsetup.ico	Core RDP.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gappletviewer.ico	Core RDP.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Core RDP.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCXA5F9.tmp	Core RDP.exe
File created	C:\Program Files\Mozilla Firefox\gcrashreporter.ico	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	Core RDP.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui	Core RDP.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\gelevation_service.ico	Core RDP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	Core RDP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe
2396	gCore RDP.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2396	gCore RDP.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2396	2224	Core RDP.exe	84
PID 2224 wrote to memory of 2396	2224	Core RDP.exe	84
PID 2224 wrote to memory of 2396	2224	Core RDP.exe	84

C:\Users\Admin\AppData\Local\Temp\Cracking\Core RDP.exe
"C:\Users\Admin\AppData\Local\Temp\Cracking\Core RDP.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Cracking\gCore RDP.exe
  "C:\Users\Admin\AppData\Local\Temp\Cracking\gCore RDP.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\gOfficeC2RClient.ico

Filesize
4KB

MD5
3ea9bcbc01e1a652de5a6fc291a66d1a

SHA1
aee490d53ee201879dff37503a0796c77642a792

SHA256
a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c

SHA512
7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\gjavaws.ico

Filesize
4KB

MD5
38b41d03e9dfcbbd08210c5f0b50ba71

SHA1
2fbfde75ce9fe8423d8e7720bf7408cedcb57a70

SHA256
611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5

SHA512
ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\gmisc.ico

Filesize
4KB

MD5
fc27f73816c9f640d800cdc1c9294751

SHA1
e6c3d8835d1de4e9606e5588e741cd1be27398f6

SHA256
3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05

SHA512
9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dll

Filesize
57KB

MD5
9e7f44b8f1512476aa896e977c58830b

SHA1
eddd878d9e16502ee1eb7f583dd04e01b458ba42

SHA256
8e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708

SHA512
ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802

Download Submit
C:\odt\office2016setup.exe

Filesize
521KB

MD5
c0596a4239ffc9e162bac50b57a1351d

SHA1
0ea8c8873b947713957d80f0cfd2196ac6355d76

SHA256
075f1e405d224212be9dfce4f465ea042d5ffbc130c27173dfc574e926cbef99

SHA512
bf616a10eece91808b8563bedd54ed865e35e77a4a61a1773025b808ad1b0ab414b93cd27597b0fefa3f386bfe5fb44246247da792db88cc1c2b1902daa7b042

Download Submit
memory/2224-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2224-296-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2224-295-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2396-11-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2396-24-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2396-13-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2396-14-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2396-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2396-16-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2396-17-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-18-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2396-19-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2396-20-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2396-21-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2396-22-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2396-23-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2396-12-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2396-25-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2396-26-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-10-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2396-9-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2396-8-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x0000000073A60000-0x0000000074011000-memory.dmp

Filesize
5.7MB

Download
memory/2396-2-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-1-0x0000000073A60000-0x0000000074011000-memory.dmp

Filesize
5.7MB

Download
memory/2396-298-0x0000000073A60000-0x0000000074011000-memory.dmp

Filesize
5.7MB

Download
memory/2396-299-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-300-0x0000000001CD0000-0x0000000001CE0000-memory.dmp

Filesize
64KB

Download