Analysis

  • max time kernel
    204s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/02/2024, 13:24

General

  • Target
    rm2k3-install.exe
  • Size
    29.2MB
  • MD5
    ef0586cb6f4f783f30c9f2a920ccf212
  • SHA1
    b386f0391f2355fa7b32845cf133d3fa4e105a28
  • SHA256
    b37aee201207a0a602d805cc1a5cb5b0c77a0b09a1484f22828d2776376b6495
  • SHA512
    d155e9d6d17a7b92450b761fbe9f6b0c7e5051b56e4941c72e8061c1e5309f23997052ee3169430113b3e11cf79a1f8678d7865fad12332a5fc5e28db6d999c9
  • SSDEEP
    786432:/xpNblY4nsmn2uwMNXFeBThPa7YFuFnEPYmWP9ZEUg:p7O4sm27MN18EFnG01Y

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe
    "C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\INS258A.tmp
      C:\Users\Admin\AppData\Local\Temp\INS258A.tmp /SL3 $6014E C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe 30583964 30587378 61952
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
  • C:\Program Files (x86)\rpg2003\RPG2003.EXE
    "C:\Program Files (x86)\rpg2003\RPG2003.EXE"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\rpg2003\RPG2003.EXE
    Filesize: 2.9MB
    MD5: 98eb6c534d0d793cfac89a22e473176e
    SHA1: 46994490ecf8053c314700aada173a9613507ec4
    SHA256: e84909a31a7d850b085a8284d7bd55ef99f763e5174a5dd7cc4238af0c8c5a88
    SHA512: 3baeff7263ff791e938f21d1316a1bca3a5669e3d03606b771bf5cdd3c9ee100ad9367f695d2f9cb1b0178c7393c6d8fcd412462fb781001271088c54938abc5

  • C:\Program Files (x86)\rpg2003\RPG_RT.exe.dat
    Filesize: 933KB
    MD5: ff0fb3b085047f93646832a762d2a883
    SHA1: 02339f3d1ea87f4842e880054456e5ee6d38ca23
    SHA256: 3cd29b2ab246f2b5376619c41e32fd8b5fdf0af9f4970e1ccc6bfa147dec9e1d
    SHA512: 762a74ee29431462e6289c603eb99d2ede03066737de148949a44a87d6bc02180eac27a2bc7a0e136c5c751527a3593e5e33c5fae725f756ea066fca035d588f

  • C:\Program Files (x86)\rpg2003\RPG_RT.ldb.dat
    Filesize: 379KB
    MD5: 2e7f4f4656180c28f1a493191fe2fc84
    SHA1: a9068f2d0ee2d9f02ddb03d9d51684110826e670
    SHA256: 581a44cfaa0087681e535909006aad185ee06f38439637b73f37430701e87bc0
    SHA512: c6ca1f13de6e79f7d51fab5e4bc6949632b238025e78d7e684e9c26bb3c0c25ab06ddd61168528b5ddc3005080ba35f8becd5609b63532702e3a1da8c87e0049

  • C:\Program Files (x86)\rpg2003\RTP\ChipSet\main.png
    Filesize: 34KB
    MD5: 78d87317afa786ff410fc3abfe96d503
    SHA1: e18eeca9674378978b392a2743d660ba9a88182a
    SHA256: 785dcb89fbfc5f864d9a466fd48dfd5273cac27d988723203ec7581b90a95d15
    SHA512: b49f86289b3c03e74fd84dd41b8efb04b01f938ab1885bec77c3182aea788a28ce71c34b2cb8637b0b9bdcecc95265db9920f313304e6a83d193a0775a0e0716

  • \Program Files (x86)\rpg2003\UNLHA32.DLL
    Filesize: 232KB
    MD5: 26a33bcbcb4b3b9230e3374d066c5186
    SHA1: e1f338ef9ae2e0d289f61956ece608ee56b16358
    SHA256: 1fda9015acbf708a170f3f0c6b5c5888832c5b9125da0803e598b237b5cbe424
    SHA512: ba2323c1036039c2f6052382e017d492aa13c6f5cfe3019a7545e64395dce34ceceb224dad70cb3f223d0c631662ca652d3f7d46521c5e97c3b25ee9eb3d1f03

  • \Users\Admin\AppData\Local\Temp\INS258A.tmp
    Filesize: 377KB
    MD5: ef80f42a048f92263f758f14b09fa30d
    SHA1: e250058636dee689d6a935d71c0f462e10457239
    SHA256: a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e
    SHA512: 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed

  • \Users\Admin\AppData\Local\Temp\is-FMTGC.tmp\_shfoldr.dll
    Filesize: 22KB
    MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/2716-1901-0x0000000000400000-0x00000000006F6000-memory.dmp
    Filesize: 3.0MB
  • memory/2716-1881-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB
  • memory/2716-1902-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB
  • memory/2716-1903-0x0000000000400000-0x00000000006F6000-memory.dmp
    Filesize: 3.0MB
  • memory/2716-1904-0x0000000000400000-0x00000000006F6000-memory.dmp
    Filesize: 3.0MB
  • memory/2716-1905-0x0000000000400000-0x00000000006F6000-memory.dmp
    Filesize: 3.0MB
  • memory/2944-1877-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB
  • memory/2944-11-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB
  • memory/3040-1876-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/3040-1874-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/3040-17-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/3040-14-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB
  • memory/3040-12-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB