Analysis
max time kernel: 53s
max time network: 57s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 20:22
Static task: static1
Behavioral task: behavioral1
Sample: CustomRP.1.17.20.exe
Resource: win7-20240221-en
Behavioral task: behavioral2 (this report)
Sample: CustomRP.1.17.20.exe
Resource: win10v2004-20240221-en
General
Target: CustomRP.1.17.20.exe
Size: 6.3MB
MD5: cc080cc12cd5372be2610f6038fae99b
SHA1: 2347c627519578d180fb9fd9bf44b7f3f0be8ff9
SHA256: 8be0a8ba506a52d5cd53738635400ef35217ea3bf5ffceba8bc254a770b589fd
SHA512: 96499d31c65dd13b7d9eb86be1f2c7abc602063e5941a7b067814dc6c67bead65ceed1c6dac64dbab59035d51e1b90056591fcbde93b63f8adb64d88094ed93c
SSDEEP: 196608:OVrrMxrPT5cYVNCuK3Wh0AO5KtTHCx7h+:prr+YVNCuK3xAOott
Malware Config
Signatures
-
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk (process: CustomRP.exe)
-
Executes dropped EXE (2 IoCs)
PID 1592 CustomRP.1.17.20.tmp
PID 1844 CustomRP.exe
-
Loads dropped DLL (25 IoCs)
PID 1844 CustomRP.exe, 25 loads (the report lists only the loading process, not the DLL paths)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (15 IoCs)
All 15 by CustomRP.1.17.20.tmp. <Classes> below stands for \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes, the per-user classes hive (HKCU\Software\Classes), which the logged-on user can write without elevation. "(default value)" marks the trailing backslash the report prints; values are shown unescaped.
Set value (str): <Classes>\CustomRP.crp\DefaultIcon (default value) = C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe,1
Key created: <Classes>\CustomRP.crp\shell\open
Key created: <Classes>\.crp\OpenWithProgids
Key created: <Classes>\.crp
Set value (str): <Classes>\.crp\OpenWithProgids\CustomRP.crp
Key created: <Classes>\Applications\CustomRP.exe
Key created: <Classes>\CustomRP.crp
Key created: <Classes>\CustomRP.crp\DefaultIcon
Key created: <Classes>\CustomRP.crp\shell\open\command
Set value (str): <Classes>\CustomRP.crp\shell\open\command (default value) = "C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe" "%1"
Key created: <Classes>\Applications\CustomRP.exe\SupportedTypes
Key created: <Classes>\Applications
Set value (str): <Classes>\Applications\CustomRP.exe\SupportedTypes\.crp
Set value (str): <Classes>\CustomRP.crp (default value) = CustomRP Preset
Key created: <Classes>\CustomRP.crp\shell
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1592 CustomRP.1.17.20.tmp (2 events)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 1844 CustomRP.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1592 CustomRP.1.17.20.tmp
PID 1844 CustomRP.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
PID 1844 CustomRP.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
PID 4896 CustomRP.1.17.20.exe wrote to memory of PID 1592 (procid_target 86), 3 events
PID 1592 CustomRP.1.17.20.tmp wrote to memory of PID 1844 (procid_target 93), 3 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"
   PID: 4896
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp (child of PID 4896)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp" /SL5="$501C8,5484192,1081856,C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"
      PID: 1592
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
-
      3. C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe (child of PID 1592)
         Command line: "C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe"
         PID: 1844
         - Drops startup file
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
-
-
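The process chain above is the standard Inno Setup sequence: the setup stub (PID 4896) unpacks the installer engine to %TEMP%\is-RD1JL.tmp\CustomRP.1.17.20.tmp and runs it with /SL5=, whose last field is the path of the original installer; the engine (PID 1592) registers the .crp file type under the per-user classes hive and launches the installed CustomRP.exe (PID 1844), which drops the Startup-folder shortcut. The script below is an added example (not part of the sandbox report and not code from the CustomRP project) that re-derives those findings from the report's events: the Inno Setup stage, the Startup-folder persistence, a shell\open\command handler that points into a user-writable directory, SeDebugPrivilege use by a process running from the user profile, and the PID lineage of the persisting process. PIDs, paths and keys are transcribed from the report; the user-writable-path rule (anything under C:\Users\) is this example's heuristic. Ordinary installers that register a file type and a run-at-login shortcut produce exactly these events, so the output is a triage summary, not a verdict.

```python
"""Triage summary derived from the report's own events.

Added example: not part of the sandbox report and not code from the CustomRP
project. PIDs, paths and registry keys are transcribed from the report above;
the user-writable-path rule is this example's heuristic, not the sandbox's.
"""
import re

SID = "S-1-5-21-1790404759-2178872477-2616469472-1000"
# \REGISTRY\USER\<SID>_Classes is the per-user classes hive (HKCU\Software\Classes),
# so the .crp association below was created without elevation.
CLASSES = "\\REGISTRY\\USER\\" + SID + "_Classes"

# pid -> (image, parent pid, command line), from the "Processes" section
PROCESSES = {
    4896: (r"C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe", None,
           r'"C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"'),
    1592: (r"C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp", 4896,
           r'"C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp" '
           r'/SL5="$501C8,5484192,1081856,C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"'),
    1844: (r"C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe", 1592,
           r'"C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe"'),
}
# (pid, path) from "Drops startup file"
FILE_EVENTS = [(1844, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CustomRP.lnk")]
# (pid, action, key, value) from "Modifies registry class"; value is None for "Key created".
# Keys whose default value was set are listed without the report's trailing backslash,
# and values are shown unescaped.
REG_EVENTS = [
    (1592, "Key created", CLASSES + r"\.crp", None),
    (1592, "Key created", CLASSES + r"\CustomRP.crp\shell\open\command", None),
    (1592, "Set value", CLASSES + r"\CustomRP.crp\shell\open\command",
     r'"C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe" "%1"'),
    (1592, "Set value", CLASSES + r"\CustomRP.crp\DefaultIcon",
     r"C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe,1"),
    (1592, "Set value", CLASSES + r"\CustomRP.crp", "CustomRP Preset"),
]
# (pid, privilege) from "Suspicious use of AdjustPrivilegeToken"
TOKEN_EVENTS = [(1844, "SeDebugPrivilege")]

# Inno Setup unpacks its engine to %TEMP%\is-XXXXX.tmp\<name>.tmp and starts it with
# /SL5="$HWND,offset,offset,<path of the original installer>".
INNO_STAGE = re.compile(r"\\is-[A-Za-z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def is_user_writable(path):
    r"""Heuristic: anything under C:\Users\ counts as writable by the logged-on user
    (unlike Program Files or Windows); real ACLs are not consulted."""
    return path.lower().startswith("c:\\users\\")


def command_executable(command):
    r"""Executable from a shell\open\command template, quoted ('"x.exe" "%1"') or not."""
    quoted = re.match(r'\s*"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def lineage(pid, processes):
    """Root-to-leaf PID chain ending at pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][1]
    return chain[::-1]


def inno_setup_stage(processes):
    """(stub pid, engine pid) of an Inno Setup unpack stage, or None."""
    for pid, (image, parent, cmdline) in processes.items():
        if INNO_STAGE.search(image) and "/SL5=" in cmdline:
            return (parent, pid)
    return None


def startup_persistence(file_events):
    """Files written into the Startup folder: they run at every logon of that user."""
    return [(pid, path) for pid, path in file_events if STARTUP_DIR in path.lower()]


def user_writable_handlers(reg_events):
    r"""shell\open\command handlers whose executable sits in a user-writable path."""
    hits = []
    for pid, action, key, value in reg_events:
        if action == "Set value" and key.lower().endswith("\\shell\\open\\command"):
            exe = command_executable(value)
            if is_user_writable(exe):
                hits.append((pid, exe))
    return hits


def debug_privilege(token_events, processes):
    """SeDebugPrivilege enabled by a process whose image is in a user-writable path."""
    return [(pid, priv) for pid, priv in token_events
            if priv == "SeDebugPrivilege" and is_user_writable(processes[pid][0])]


def summarize():
    """One dict with every finding, keyed by check name."""
    persisting = startup_persistence(FILE_EVENTS)
    return {
        "inno_setup_stage": inno_setup_stage(PROCESSES),
        "startup_persistence": persisting,
        "user_writable_handlers": user_writable_handlers(REG_EVENTS),
        "debug_privilege": debug_privilege(TOKEN_EVENTS, PROCESSES),
        "lineage": [lineage(pid, PROCESSES) for pid, _ in persisting],
    }
```

Calling summarize() returns the Inno stage as (4896, 1592), the Startup .lnk written by 1844, the handler executable under AppData\Roaming, the SeDebugPrivilege event and the lineage [4896, 1592, 1844]. To reuse the checks on another report, replace the transcribed event lists; the handler check is the one most worth keeping, since a file association whose command lives in a user-writable directory can be hijacked by anything running as that user.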
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.3MB
MD5: 0fb8cc7beee2d6899ea8a4a0856164a9
SHA1: d2a90065ca504db5bdae05d27329ace677669fac
SHA256: 250996fc58e740424f7e7d269432ac60878e483f887d1d696e27e4b3369367af
SHA512: 0a4df4497a3b5611b1cf7cf71b5444befb5705a3de0e4e20dc95d3e58d5e2e4382b3def4b0ef72d6d55e921c512565c8aea20dda9c67cc205a0e57195fee54c5
-
C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\user.config (.NET user-scoped application settings)
Filesize: 958B
MD5: cd92285e69e8576a00f10db340bcc0f0
SHA1: 7648f6ca89f96cda37b97489ed8b4461e260c90a
SHA256: 2659761410aebac76cfc1e4763f0047d74a220b9ebe4192bfb80a3638c53abd0
SHA512: df50a7663d61f4f7f11b5c58fda2dc166bd269b7a9bce99be8ae9817ab090eb5abc104ed095d2db8970d05a48423aa363a2b4afcb0311dde4dd3f4740d56a27d
-
C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\user.config (second write, different content)
Filesize: 454B
MD5: ba47aff15216dcd0915ade13a823f2ad
SHA1: dddcaa14d8b1ad3c135b264fe034746aca63363b
SHA256: 044dc224fe8b17561cc5195c162bd5f8b46207c9b89acbcdbc16628cf633bcbd
SHA512: 46ba460062f7a2c3829624efcd93ff85ad648d1e2a79e5ab1b1f0e06ac940f2652370fb8a0093d88c2abba7319b7878aac50ff4b9d55c0bdbd2174c9abc78ac9
-
C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\v2msyrmy.newcfg
Filesize: 1KB
MD5: df34e89aecd08a90302c4bbdcd6a5021
SHA1: e17e3daf2f5f0310ec712844fae69472c814a416
SHA256: ce48e3babc2f992843d804f6ca53a470693289d17870902a520b95b460276ca9
SHA512: f3c9fc01c0f827ed6e13afca39196d3ae297c779a03f0e63483828e20ebd530c30460be1d74bfa5dbd05957f5e31d22d1da4433d92e371cad65c2056acfe27da
-
C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\AppCenter.config
Filesize: 270B
MD5: 53f6807660d9d0184b90912edebcff98
SHA1: 598e3e1dd3ee5fa90518759cec9ce121ab224f36
SHA256: f0d09c6030db95ff955ca67389ec8f578b562dd79e9b7bd70645b03844d811c0
SHA512: e3470a7aae17586c8b92eb3221beedec5431602d5cc8c8d56f62619a089ae6043014fdd3b727762e82637a8871decf4694459f1e213d5093c109edd062214a3f
-
C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\AppCenter.config (second write, different content)
Filesize: 183B
MD5: b684055407f1c6f1a5a4409fcb892032
SHA1: bea3ccc460392870b7919405e88628fbd9c415a3
SHA256: 990269e9c519a337e958051e7d1eac9c679326be41650170c411f40e87a1c066
SHA512: 6516a57d863b3d93134a2c2144e0e1934287352ba1d222e2093db3cdd605f2a71c9a17dfb9cd46cedf7d54f07be181dace8e9bdb83ce39a211f3caf1a34c1965
-
Filesize: 147KB
MD5: e39cd45b2e0390c91b34651c7dd0f7d7
SHA1: 172a00f49e8ddb413ade56d46d10c59830ce9c69
SHA256: 47c9f22684bae6afd08cdcca386edf8b47fa5e2a749faeb6499dc4b3ca6e5642
SHA512: fd25a41efc0e301049b8b19a7b3fc6122cf187045a32514396603a9ba4305a74c115041583fe86b2b581b2523107b2bd440c9a0e3a1b4d96b22ef632d607ae1d
-
Filesize: 1.1MB
MD5: 63af645411159b6af72bc5ca26830944
SHA1: f062b012d322722c1557ae23803153a5355ac2f2
SHA256: 1f040321cc8a4c721e832db5a7fcbf9d71e840ecb93907ec8df0ef394a175a29
SHA512: fed156abe4b5f9f9b2860013ad0e5fcfe197461efd0cdb18e3d6cf227077e41fce740a1c5efda84e05e9d89dfe12437d8a61993ff2f9ea512442e768fe0c8b1a
-
Filesize: 4KB
MD5: b496e0b64ad960a0b13327a350ed89dd
SHA1: d84f215a7c6766c60bb27fc59bddafa6069830e1
SHA256: 4691bf30db39d0cb27f0608e1c01de7865b9e7175667899c0dabc57b91908afb
SHA512: b548343b0188adb3c75557722c35d086365ac0a091bef8164a1ee3e52bf7455edbc17fe1d3297e8da117527afa8639de19aa10c875cacd644b5c13725d0727a7
-
Filesize: 82KB
MD5: 2e9f2a132f59cde7f3a888f5fa674cfc
SHA1: 441271e6e1c2a65eb43ac8a76be8d7bf5f0b9a00
SHA256: 84ef313d2525da8006167fdd8b78556f5038bf1571e3201e619b3d956fe6d842
SHA512: dd420ed1cfebb181c5706ebda1f88c267a40a158b5d22a6bea54710add2cee395a6dd67e9e04c96b387db791aea84ea3b124db5e424d8b3a2d5f1b807856534d
-
Filesize: 25KB
MD5: 4f0eeea40634e091b149e22d098f0084
SHA1: 8426f3f5a89dd8a32e07c54362a523825cdd4361
SHA256: 29ce7dd433293977386ae132e3a72b60bf32559f5b56b555166b78953212743e
SHA512: 415fe0ee2a36ae51420f11afb9d127bc41fba899274be097674059e5b50fc2a5ee206779160191c3cfb2a24f0c4c8799072ab013adae6a557754883066ad847d
-
Filesize: 52KB
MD5: 1fb364c1d622905aebd6e57500c169d1
SHA1: 5423fb63ab28a24e1fdef3616e5e0e3301dbbc5f
SHA256: 07125de19eb06c67010039448e898c7bb954d25cf0a77b05d95329ed575f24e2
SHA512: ae724010f049989ec006ce71990073834f8d58ebf1133a589ec3de839acde1c07b136deaf9e237c3b5a3d216ea9dbbc5aaaf482df1b549ee786a7a2e27d6bff8
-
Filesize: 145KB
MD5: 885481ebbec08fa817ada9a5f7a527ad
SHA1: c9390ecd62766338584a0ff45c71d6abd64db379
SHA256: 82e14d7bada761bf353929163bde2cf5c12e41727937ae5f0c7314fcee8be029
SHA512: 9b2a24f9d30886321e5961d5bd59377a4500bc5f9de23c5a217e94087a8f8742e3754cfaae8d93c6d3bdf7d6b1fa578a103bc6e98571bd201e1dc9564d38ed39
-
Filesize: 695KB
MD5: 715a1fbee4665e99e859eda667fe8034
SHA1: e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256: c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512: bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize: 1.3MB
MD5: c8661cb616427ae0abd25b58e7c4540e
SHA1: 5f9fa035ab86b9171c744920d3b84409574a9106
SHA256: c89ca50adab276a65db96b4fa378ec523948899f03fac2936265a58bf6424ca8
SHA512: dcefe8cf7f824ae7c6889f88d1d101540b03884b8cce2a82b3d1152f089483c8ff0cdbae13e8fb08a2149c9de1e83df7008456089d9df57263651c555c6ef39c
-
Filesize: 11KB
MD5: 59e7b8c38944a8d591363fb5874dc971
SHA1: fdfe99922a4e9aba60ed6b1859ed331bc5940faa
SHA256: 4ed2707cc2644d63bbd27cf39840aaa4a8617b6b275008f031e16d3a76c75e4b
SHA512: 5d2d3e138588352267ee8f21d02f7ee6dc9353ce4a22e9fcac56e0016bfcb52ffeb4c530dbd5c6d8d1e2fe0855a50fa909c0b3129eb4fb8e13376f4bfc684f9e
-
Filesize: 49KB
MD5: 5e45fcc43a6a54b13e1d384c3c6c6e85
SHA1: 6b54a3602f37ec3b3204914c58fa53f6453ccd3f
SHA256: f424dc7b2ac7172e3041ac567603a0cea940fbfded8a2a8df53b2aa22d445da5
SHA512: 0bb27e39263b2cac625761aeb0db80e4cf43b10573cd8126b250620f82be8508cda948f4dc23693956b39db0af4628f11abd5e28b5b8c6d7a024cf5b30fc7b3f
-
Filesize: 63KB
MD5: 359189a6345d70dcb4703cd4b75b5be4
SHA1: afb93196574037c1c84a16892e57766097d579e4
SHA256: 408749d563fcea1d444ffc35069cc0f9db4c7d10636e08c522b06368e90b5834
SHA512: 9f729288d4953413abff0884cb88944b579adbb2ea43d49eeae560d0992ee71e9ef072c872e7edf22235e924ad4fbf41ddc063ad4858704cff4cb3166b7c7a22
-
Filesize: 138KB
MD5: f09441a1ee47fb3e6571a3a448e05baf
SHA1: 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256: bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA512: 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
Filesize: 16KB
MD5: da04a75ddc22118ed24e0b53e474805a
SHA1: 2d68c648a6a6371b6046e6c3af09128230e0ad32
SHA256: 66409f670315afe8610f17a4d3a1ee52d72b6a46c544cec97544e8385f90ad74
SHA512: 26af01ca25e921465f477a0e1499edc9e0ac26c23908e5e9b97d3afd60f3308bfbf2c8ca89ea21878454cd88a1cddd2f2f0172a6e1e87ef33c56cd7a8d16e9c8
-
Filesize: 1.2MB
MD5: e52a4a0a6f61ec95aa51d8ffd682b72e
SHA1: 6a3529c7ac873131a766415879b20925ff404b64
SHA256: 7dd2e2923e9a988866d969bb5a76a9d3448a11a0f225b83c734161977db564a5
SHA512: 0e91687ba8b36cc0a7019ba1bd819f538cd55649914319a074669b7a04fdc9a195d36ba1fd5eeeb6149bffdf46e6dccc6e8d4b8e1cce62aa13463f9410423883