Analysis

  • max time kernel
    53s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 20:22

General

  • Target

    CustomRP.1.17.20.exe

  • Size

    6.3MB

  • MD5

    cc080cc12cd5372be2610f6038fae99b

  • SHA1

    2347c627519578d180fb9fd9bf44b7f3f0be8ff9

  • SHA256

    8be0a8ba506a52d5cd53738635400ef35217ea3bf5ffceba8bc254a770b589fd

  • SHA512

    96499d31c65dd13b7d9eb86be1f2c7abc602063e5941a7b067814dc6c67bead65ceed1c6dac64dbab59035d51e1b90056591fcbde93b63f8adb64d88094ed93c

  • SSDEEP

    196608:OVrrMxrPT5cYVNCuK3Wh0AO5KtTHCx7h+:prr+YVNCuK3xAOott

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 25 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe
    "C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp" /SL5="$501C8,5484192,1081856,C:\Users\Admin\AppData\Local\Temp\CustomRP.1.17.20.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe
        "C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1844

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-RD1JL.tmp\CustomRP.1.17.20.tmp

          Filesize

          3.3MB

          MD5

          0fb8cc7beee2d6899ea8a4a0856164a9

          SHA1

          d2a90065ca504db5bdae05d27329ace677669fac

          SHA256

          250996fc58e740424f7e7d269432ac60878e483f887d1d696e27e4b3369367af

          SHA512

          0a4df4497a3b5611b1cf7cf71b5444befb5705a3de0e4e20dc95d3e58d5e2e4382b3def4b0ef72d6d55e921c512565c8aea20dda9c67cc205a0e57195fee54c5

        • C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\user.config

          Filesize

          958B

          MD5

          cd92285e69e8576a00f10db340bcc0f0

          SHA1

          7648f6ca89f96cda37b97489ed8b4461e260c90a

          SHA256

          2659761410aebac76cfc1e4763f0047d74a220b9ebe4192bfb80a3638c53abd0

          SHA512

          df50a7663d61f4f7f11b5c58fda2dc166bd269b7a9bce99be8ae9817ab090eb5abc104ed095d2db8970d05a48423aa363a2b4afcb0311dde4dd3f4740d56a27d

        • C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\user.config

          Filesize

          454B

          MD5

          ba47aff15216dcd0915ade13a823f2ad

          SHA1

          dddcaa14d8b1ad3c135b264fe034746aca63363b

          SHA256

          044dc224fe8b17561cc5195c162bd5f8b46207c9b89acbcdbc16628cf633bcbd

          SHA512

          46ba460062f7a2c3829624efcd93ff85ad648d1e2a79e5ab1b1f0e06ac940f2652370fb8a0093d88c2abba7319b7878aac50ff4b9d55c0bdbd2174c9abc78ac9

        • C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\1.0.0.0\v2msyrmy.newcfg

          Filesize

          1KB

          MD5

          df34e89aecd08a90302c4bbdcd6a5021

          SHA1

          e17e3daf2f5f0310ec712844fae69472c814a416

          SHA256

          ce48e3babc2f992843d804f6ca53a470693289d17870902a520b95b460276ca9

          SHA512

          f3c9fc01c0f827ed6e13afca39196d3ae297c779a03f0e63483828e20ebd530c30460be1d74bfa5dbd05957f5e31d22d1da4433d92e371cad65c2056acfe27da

        • C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\AppCenter.config

          Filesize

          270B

          MD5

          53f6807660d9d0184b90912edebcff98

          SHA1

          598e3e1dd3ee5fa90518759cec9ce121ab224f36

          SHA256

          f0d09c6030db95ff955ca67389ec8f578b562dd79e9b7bd70645b03844d811c0

          SHA512

          e3470a7aae17586c8b92eb3221beedec5431602d5cc8c8d56f62619a089ae6043014fdd3b727762e82637a8871decf4694459f1e213d5093c109edd062214a3f

        • C:\Users\Admin\AppData\Local\maximmax42\CustomRP.exe_Url_r15q51hssngmokjllmk3xsx1r0qzuwow\AppCenter.config

          Filesize

          183B

          MD5

          b684055407f1c6f1a5a4409fcb892032

          SHA1

          bea3ccc460392870b7919405e88628fbd9c415a3

          SHA256

          990269e9c519a337e958051e7d1eac9c679326be41650170c411f40e87a1c066

          SHA512

          6516a57d863b3d93134a2c2144e0e1934287352ba1d222e2093db3cdd605f2a71c9a17dfb9cd46cedf7d54f07be181dace8e9bdb83ce39a211f3caf1a34c1965

        • C:\Users\Admin\AppData\Roaming\CustomRP\CommonMark.dll

          Filesize

          147KB

          MD5

          e39cd45b2e0390c91b34651c7dd0f7d7

          SHA1

          172a00f49e8ddb413ade56d46d10c59830ce9c69

          SHA256

          47c9f22684bae6afd08cdcca386edf8b47fa5e2a749faeb6499dc4b3ca6e5642

          SHA512

          fd25a41efc0e301049b8b19a7b3fc6122cf187045a32514396603a9ba4305a74c115041583fe86b2b581b2523107b2bd440c9a0e3a1b4d96b22ef632d607ae1d

        • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe

          Filesize

          1.1MB

          MD5

          63af645411159b6af72bc5ca26830944

          SHA1

          f062b012d322722c1557ae23803153a5355ac2f2

          SHA256

          1f040321cc8a4c721e832db5a7fcbf9d71e840ecb93907ec8df0ef394a175a29

          SHA512

          fed156abe4b5f9f9b2860013ad0e5fcfe197461efd0cdb18e3d6cf227077e41fce740a1c5efda84e05e9d89dfe12437d8a61993ff2f9ea512442e768fe0c8b1a

        • C:\Users\Admin\AppData\Roaming\CustomRP\CustomRP.exe.config

          Filesize

          4KB

          MD5

          b496e0b64ad960a0b13327a350ed89dd

          SHA1

          d84f215a7c6766c60bb27fc59bddafa6069830e1

          SHA256

          4691bf30db39d0cb27f0608e1c01de7865b9e7175667899c0dabc57b91908afb

          SHA512

          b548343b0188adb3c75557722c35d086365ac0a091bef8164a1ee3e52bf7455edbc17fe1d3297e8da117527afa8639de19aa10c875cacd644b5c13725d0727a7

        • C:\Users\Admin\AppData\Roaming\CustomRP\DiscordRPC.dll

          Filesize

          82KB

          MD5

          2e9f2a132f59cde7f3a888f5fa674cfc

          SHA1

          441271e6e1c2a65eb43ac8a76be8d7bf5f0b9a00

          SHA256

          84ef313d2525da8006167fdd8b78556f5038bf1571e3201e619b3d956fe6d842

          SHA512

          dd420ed1cfebb181c5706ebda1f88c267a40a158b5d22a6bea54710add2cee395a6dd67e9e04c96b387db791aea84ea3b124db5e424d8b3a2d5f1b807856534d

        • C:\Users\Admin\AppData\Roaming\CustomRP\Microsoft.AppCenter.Analytics.dll

          Filesize

          25KB

          MD5

          4f0eeea40634e091b149e22d098f0084

          SHA1

          8426f3f5a89dd8a32e07c54362a523825cdd4361

          SHA256

          29ce7dd433293977386ae132e3a72b60bf32559f5b56b555166b78953212743e

          SHA512

          415fe0ee2a36ae51420f11afb9d127bc41fba899274be097674059e5b50fc2a5ee206779160191c3cfb2a24f0c4c8799072ab013adae6a557754883066ad847d

        • C:\Users\Admin\AppData\Roaming\CustomRP\Microsoft.AppCenter.Crashes.dll

          Filesize

          52KB

          MD5

          1fb364c1d622905aebd6e57500c169d1

          SHA1

          5423fb63ab28a24e1fdef3616e5e0e3301dbbc5f

          SHA256

          07125de19eb06c67010039448e898c7bb954d25cf0a77b05d95329ed575f24e2

          SHA512

          ae724010f049989ec006ce71990073834f8d58ebf1133a589ec3de839acde1c07b136deaf9e237c3b5a3d216ea9dbbc5aaaf482df1b549ee786a7a2e27d6bff8

        • C:\Users\Admin\AppData\Roaming\CustomRP\Microsoft.AppCenter.dll

          Filesize

          145KB

          MD5

          885481ebbec08fa817ada9a5f7a527ad

          SHA1

          c9390ecd62766338584a0ff45c71d6abd64db379

          SHA256

          82e14d7bada761bf353929163bde2cf5c12e41727937ae5f0c7314fcee8be029

          SHA512

          9b2a24f9d30886321e5961d5bd59377a4500bc5f9de23c5a217e94087a8f8742e3754cfaae8d93c6d3bdf7d6b1fa578a103bc6e98571bd201e1dc9564d38ed39

        • C:\Users\Admin\AppData\Roaming\CustomRP\Newtonsoft.Json.dll

          Filesize

          695KB

          MD5

          715a1fbee4665e99e859eda667fe8034

          SHA1

          e13c6e4210043c4976dcdc447ea2b32854f70cc6

          SHA256

          c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

          SHA512

          bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

        • C:\Users\Admin\AppData\Roaming\CustomRP\Octokit.dll

          Filesize

          1.3MB

          MD5

          c8661cb616427ae0abd25b58e7c4540e

          SHA1

          5f9fa035ab86b9171c744920d3b84409574a9106

          SHA256

          c89ca50adab276a65db96b4fa378ec523948899f03fac2936265a58bf6424ca8

          SHA512

          dcefe8cf7f824ae7c6889f88d1d101540b03884b8cce2a82b3d1152f089483c8ff0cdbae13e8fb08a2149c9de1e83df7008456089d9df57263651c555c6ef39c

        • C:\Users\Admin\AppData\Roaming\CustomRP\SQLitePCLRaw.batteries_v2.dll

          Filesize

          11KB

          MD5

          59e7b8c38944a8d591363fb5874dc971

          SHA1

          fdfe99922a4e9aba60ed6b1859ed331bc5940faa

          SHA256

          4ed2707cc2644d63bbd27cf39840aaa4a8617b6b275008f031e16d3a76c75e4b

          SHA512

          5d2d3e138588352267ee8f21d02f7ee6dc9353ce4a22e9fcac56e0016bfcb52ffeb4c530dbd5c6d8d1e2fe0855a50fa909c0b3129eb4fb8e13376f4bfc684f9e

        • C:\Users\Admin\AppData\Roaming\CustomRP\SQLitePCLRaw.core.dll

          Filesize

          49KB

          MD5

          5e45fcc43a6a54b13e1d384c3c6c6e85

          SHA1

          6b54a3602f37ec3b3204914c58fa53f6453ccd3f

          SHA256

          f424dc7b2ac7172e3041ac567603a0cea940fbfded8a2a8df53b2aa22d445da5

          SHA512

          0bb27e39263b2cac625761aeb0db80e4cf43b10573cd8126b250620f82be8508cda948f4dc23693956b39db0af4628f11abd5e28b5b8c6d7a024cf5b30fc7b3f

        • C:\Users\Admin\AppData\Roaming\CustomRP\SQLitePCLRaw.provider.dynamic_cdecl.dll

          Filesize

          63KB

          MD5

          359189a6345d70dcb4703cd4b75b5be4

          SHA1

          afb93196574037c1c84a16892e57766097d579e4

          SHA256

          408749d563fcea1d444ffc35069cc0f9db4c7d10636e08c522b06368e90b5834

          SHA512

          9f729288d4953413abff0884cb88944b579adbb2ea43d49eeae560d0992ee71e9ef072c872e7edf22235e924ad4fbf41ddc063ad4858704cff4cb3166b7c7a22

        • C:\Users\Admin\AppData\Roaming\CustomRP\System.Memory.dll

          Filesize

          138KB

          MD5

          f09441a1ee47fb3e6571a3a448e05baf

          SHA1

          3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

          SHA256

          bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

          SHA512

          0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

        • C:\Users\Admin\AppData\Roaming\CustomRP\System.Runtime.CompilerServices.Unsafe.dll

          Filesize

          16KB

          MD5

          da04a75ddc22118ed24e0b53e474805a

          SHA1

          2d68c648a6a6371b6046e6c3af09128230e0ad32

          SHA256

          66409f670315afe8610f17a4d3a1ee52d72b6a46c544cec97544e8385f90ad74

          SHA512

          26af01ca25e921465f477a0e1499edc9e0ac26c23908e5e9b97d3afd60f3308bfbf2c8ca89ea21878454cd88a1cddd2f2f0172a6e1e87ef33c56cd7a8d16e9c8

        • C:\Users\Admin\AppData\Roaming\CustomRP\runtimes\win-x86\native\e_sqlite3.dll

          Filesize

          1.2MB

          MD5

          e52a4a0a6f61ec95aa51d8ffd682b72e

          SHA1

          6a3529c7ac873131a766415879b20925ff404b64

          SHA256

          7dd2e2923e9a988866d969bb5a76a9d3448a11a0f225b83c734161977db564a5

          SHA512

          0e91687ba8b36cc0a7019ba1bd819f538cd55649914319a074669b7a04fdc9a195d36ba1fd5eeeb6149bffdf46e6dccc6e8d4b8e1cce62aa13463f9410423883

        • memory/1592-206-0x0000000000400000-0x0000000000751000-memory.dmp

          Filesize

          3.3MB

        • memory/1592-8-0x0000000000400000-0x0000000000751000-memory.dmp

          Filesize

          3.3MB

        • memory/1592-5-0x00000000008D0000-0x00000000008D1000-memory.dmp

          Filesize

          4KB

        • memory/1844-247-0x0000000009CC0000-0x0000000009CD6000-memory.dmp

          Filesize

          88KB

        • memory/1844-267-0x000000000A1D0000-0x000000000A236000-memory.dmp

          Filesize

          408KB

        • memory/1844-239-0x0000000009960000-0x000000000996A000-memory.dmp

          Filesize

          40KB

        • memory/1844-221-0x0000000009980000-0x0000000009A32000-memory.dmp

          Filesize

          712KB

        • memory/1844-243-0x0000000009CA0000-0x0000000009CB2000-memory.dmp

          Filesize

          72KB

        • memory/1844-217-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-316-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-248-0x0000000009CE0000-0x0000000009CFA000-memory.dmp

          Filesize

          104KB

        • memory/1844-216-0x0000000005D20000-0x0000000005D2A000-memory.dmp

          Filesize

          40KB

        • memory/1844-252-0x0000000009D30000-0x0000000009D56000-memory.dmp

          Filesize

          152KB

        • memory/1844-253-0x0000000009D00000-0x0000000009D08000-memory.dmp

          Filesize

          32KB

        • memory/1844-254-0x0000000009C90000-0x0000000009C98000-memory.dmp

          Filesize

          32KB

        • memory/1844-212-0x0000000005E00000-0x0000000005E92000-memory.dmp

          Filesize

          584KB

        • memory/1844-260-0x000000000A110000-0x000000000A118000-memory.dmp

          Filesize

          32KB

        • memory/1844-299-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-210-0x0000000005D30000-0x0000000005D58000-memory.dmp

          Filesize

          160KB

        • memory/1844-264-0x000000000A140000-0x000000000A15A000-memory.dmp

          Filesize

          104KB

        • memory/1844-222-0x00000000098C0000-0x0000000009936000-memory.dmp

          Filesize

          472KB

        • memory/1844-205-0x0000000005920000-0x0000000005930000-memory.dmp

          Filesize

          64KB

        • memory/1844-271-0x000000000A490000-0x000000000A5DE000-memory.dmp

          Filesize

          1.3MB

        • memory/1844-272-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-273-0x000000000A3D0000-0x000000000A3DA000-memory.dmp

          Filesize

          40KB

        • memory/1844-274-0x000000000B090000-0x000000000B216000-memory.dmp

          Filesize

          1.5MB

        • memory/1844-275-0x000000000A870000-0x000000000A892000-memory.dmp

          Filesize

          136KB

        • memory/1844-276-0x000000000B310000-0x000000000B664000-memory.dmp

          Filesize

          3.3MB

        • memory/1844-279-0x000000000BE20000-0x000000000BE3E000-memory.dmp

          Filesize

          120KB

        • memory/1844-281-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-201-0x0000000005F70000-0x0000000006514000-memory.dmp

          Filesize

          5.6MB

        • memory/1844-198-0x0000000072DD0000-0x0000000073580000-memory.dmp

          Filesize

          7.7MB

        • memory/1844-197-0x0000000000EB0000-0x0000000000FDA000-memory.dmp

          Filesize

          1.2MB

        • memory/1844-296-0x0000000006750000-0x000000000677C000-memory.dmp

          Filesize

          176KB

        • memory/1844-297-0x0000000006710000-0x0000000006720000-memory.dmp

          Filesize

          64KB

        • memory/1844-298-0x0000000072DD0000-0x0000000073580000-memory.dmp

          Filesize

          7.7MB

        • memory/4896-211-0x0000000000400000-0x0000000000515000-memory.dmp

          Filesize

          1.1MB

        • memory/4896-7-0x0000000000400000-0x0000000000515000-memory.dmp

          Filesize

          1.1MB

        • memory/4896-0-0x0000000000400000-0x0000000000515000-memory.dmp

          Filesize

          1.1MB