54b40015f685bceaffb29dfb8d0b13fe941ebe3428ccf0a8afe9539875d01179

Resubmissions

26/04/2024, 18:41 UTC

240426-xbsvcahg48 3

26/04/2024, 18:39 UTC

240426-xaprasaf5x 3

26/04/2024, 18:16 UTC

240426-wwww3ahc88 7

Analysis

max time kernel
56s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26/04/2024, 18:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rz_launcher_setup.exe
Size

103KB
MD5

c3083e7101f215f163d791d4319a4c36
SHA1

24f046315e17986009b2c358600c375be29f1505
SHA256

54b40015f685bceaffb29dfb8d0b13fe941ebe3428ccf0a8afe9539875d01179
SHA512

8f5b703b9218585c04e49f0d9e41e10b44175ef14576d2d14c0b100c2fe5c77f3e0ffa7844119b0915992c405dd9d1fcd45954ea0e0196e2e06fa6664c76ef56
SSDEEP

1536:VaORz6O1TgJVeMN87YPZNvMM9ri1WhAVWlGr5jzh:suzvchaYxNv9YR7zh

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4100	icacls.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 2260	3220	Rz_launcher_setup.exe	75
PID 3220 wrote to memory of 2260	3220	Rz_launcher_setup.exe	75
PID 2260 wrote to memory of 4100	2260	javaw.exe	76
PID 2260 wrote to memory of 4100	2260	javaw.exe	76

C:\Users\Admin\AppData\Local\Temp\Rz_launcher_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Rz_launcher_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
396da2fc9e6ab01d8cc91e0676abc9f3

SHA1
45b130f61664492f51609829310972569234a848

SHA256
f76b3025d4926d513fee65a69902dbaa7a27dd2b9ce8c4f234464379c570d2d1

SHA512
c35b10efd0ca3d2cc6f17b3256a028ea497d866dcedf5c444daad4294d881a3d05bf70fe7f02a1498bfa54e45027416ebee7c7004c98ce48a9963241dfa4adc8

Download Submit
memory/2260-5-0x0000024A90510000-0x0000024A91510000-memory.dmp

Filesize
16.0MB

Download
memory/2260-14-0x0000024A8EBF0000-0x0000024A8EBF1000-memory.dmp

Filesize
4KB

Download
memory/3220-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download