8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe
Size

8.4MB
MD5

aa86e014b2ad328daac5513e5e2623fd
SHA1

b57a1f0ea51c48c156b1cd59eb899e4db3efe32a
SHA256

8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f
SHA512

fc9f37a1c09ee3c267611a14189549c3dda38e39c45450a6098f239e328e287db1a1c9652219477043fc258a0e2ac256f23d01dd596f435811c5334267edaf00
SSDEEP

196608:EqN0XWwylcJUP8rwvfrtIpErZ/dq7JbzroYmgdhafb+GJPpixwPucv3buM:E2s1q0rwvxIpErZ+wLjfFocfH

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\RtsUpx.sys	FirmwareOneKeyUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe

Executes dropped EXE 1 IoCs

pid	Process
436	FirmwareOneKeyUpdate.exe

Loads dropped DLL 9 IoCs

pid	Process
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe
436	FirmwareOneKeyUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 436	1544	8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe	85
PID 1544 wrote to memory of 436	1544	8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe	85
PID 1544 wrote to memory of 436	1544	8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe	85

C:\Users\Admin\AppData\Local\Temp\8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe
"C:\Users\Admin\AppData\Local\Temp\8038841f700f74da89d828951022bc4c2d5bc744b9db37cd764ddc9846ce5a6f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FirmwareOneKeyUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FirmwareOneKeyUpdate.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ASUSConverter.dll

Filesize
906KB

MD5
5633149e12605d1daa1d31f1119707e4

SHA1
9fb0392e257a9df990c69f96dc094ff120de65c3

SHA256
a8ebf83a0bae7309ebefef18523bcf078c38ff4bbfbf08bd13c7a0a2388a5607

SHA512
77555914e126edb6fe1b7b077a520c24038a4bf3398ac0094bf84026b38b1fa81c361806ccf345d38e0d13489b3c1c8d076994cc260e29cf4c7ec44e9f9efef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FirmwareOneKeyUpdate.exe

Filesize
73KB

MD5
f59694688b675f3e0d282fb904d1ae0c

SHA1
b2af3a734d1f82028baa30929a7db9b599c4d7a1

SHA256
5ade7bc7c5c312f78bdfac37f3fe732ea883fa9fecff8871365d0aee08c88648

SHA512
f55e98b047aecc631ccce8aa80c57838da31f5ca0403d24a1299b72f6b1a2a94e7077503a7cad3d82f01b8cfc4328f052678e0e0e8ba8afdd143a37ef3ddd388

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\Comm.dll

Filesize
2.1MB

MD5
b6f4206da8249609ae5c5ff15139bd99

SHA1
da56be55bc2e9de505ea070018c4f8d04a6bc845

SHA256
2dfaca5620efcc9cc6e13f0a4767d02a08da23f8bc11add8c8df88865c4db0fc

SHA512
5a049e56de133d94a099f2c1cea3695135e5ca6245ededf005d53bb8acb2dd77215862c1644d02799e39b95405ebdab505432ad10b7a91275fd55f817ecc3dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\Comm\Comm_TypeCI2C.dll

Filesize
2.0MB

MD5
3f3c95cc596ddb994ce42a58aff80164

SHA1
75f0bbaad58c3e84b2efe6d09d2c97e4faab5f72

SHA256
97e11733996f4e7cd23ee1bd8afb0362d16e306b22d463928ced3b393e71d4e3

SHA512
e2dced316c96898b929f2b6627f00f67021c4006158af9dc86f94c64bdb1b1ba5daf24301929f8fc6001890cdea7ab822b5ef390123043145027cdfa838a85c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\Comm\Comm_UsbHubI2C.dll

Filesize
2.0MB

MD5
dd0fb0b0e9da2ad272c7f94d88641af6

SHA1
55b79487ff68d68b3ed0a3d74425d0240267091b

SHA256
9b688bed1391d742713ad680a40e3347107cb25b5a16c3bbdc567ef8564ffcda

SHA512
719d704c92d96de8511a8381b875b30860affdc747527d74c2bc48a1bccc5618c53f912b210a93d29a8989e305212615873699762083ad1c682695a2a2d077bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\Comm\UsbHub\Rtshublib.dll

Filesize
516KB

MD5
e04a5e607e61039e5adaa5e7b57e9f19

SHA1
45bbdc2605065ffad659d457c0b5135942bd98fe

SHA256
bb7426d6a121dd17062d25a2724454cbb8385f53953f88c228cb1008a3cae1c1

SHA512
bc781286376fc4cbb9155b041911c3579052e73b3c614e73f4aa06f923c9d6c28fb56fcd87b8968a69ec47c706372c8ff29acc36295f8ef0a194f003901e7f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\Comm\UsbHub\info.txt

Filesize
118B

MD5
e6c5d5d50d310471b5d1a743c94a046a

SHA1
cae66b00c3abd2679a72bad5d03f8d80fdf63cfa

SHA256
da544eee42143847742aa27d4730185a8907c19c86e9e3acbe2706384d3dd3ef

SHA512
ed9a4c1eff771848b98d9003251b57482fb7ff1a3dd1f50e9f9b63c537c1d1830532a0ef72e848e1f691aad4f6b29da38c4e125cf53007961581e0920b004776

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\IspLog.txt

Filesize
402KB

MD5
f48f9cd40022bbc87445d9b0247d7cda

SHA1
4c68879151878283a50fe94d87614ec43a890d31

SHA256
35e9dc94ed2c277f1d452f5cff0b0029868c83a9090b7d4fa05812ce3e897bcd

SHA512
09aa6ef592c3fb16ec67729b0cb44229230d1435408f75a40b44b82f1db96525c09e81532166c0be011387e7c919b2223a9a985b430fb27e745fc51611b05d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\IspLog.txt

Filesize
402KB

MD5
4c672461e6c6240da71776fdaf3ec438

SHA1
2ccc03c9eb8678517ce1def6ba7f01eb195f3432

SHA256
778247b2468e5c7e451b21a2f68adcdce1746fc46a5c08c5742ebe33a6cc7403

SHA512
c85fe5c6015b7bb8cfa235206037eb33c2412ebedd589376c5adf8f140017003807554512c9303334b92e39c0df7225af0825f464f4279391545d6276e255278

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\IspResult.txt

Filesize
17B

MD5
a8d2c0f8c156c94d48bd464e9f1dfe78

SHA1
b3fc292e30c84f387b440ee2ed0149f9d78b7390

SHA256
a2e56f1fd732c459c9fbade549dfa34fff02f3475456f40c97d8685d20476a11

SHA512
251fd652920b15f86659d0e1e9543207017841baf61ce2dbe8f8b3962591b05074b3782dfcd15983562b5d3aac74243ea83c6fa08815ea8307761dc20e80e885

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\IspSetting.ini

Filesize
725B

MD5
db141d6ed524c394a38dbcb40c66803c

SHA1
9435f001ab42a372d6d0d461d7e090ba7fef6c88

SHA256
df1cbc6b7e4fb48a32ce74b694c2dc5b7c5e65295b1813b01de383b0a992879a

SHA512
4605e23307c2e5c57db9004489e1ba4958b755bf5762c2937b59c6af093e8239da42d5e6008446aff1a457325aa08fd9143b64ee0109743fe5cbeef8d1c5fea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\IspUserDefined.txt

Filesize
158B

MD5
c88c92e2864bde00045c7d88e940801a

SHA1
0d49b2f80b0d672a8ad0fe666d08eeb9f5b364b5

SHA256
f5b8e6ae86714a959549076f419008fe5787fc309ac8d056872b3a29c82d1544

SHA512
b1afc1fe3962c26de829239f183550cce5707c94bafdae1c5f38799f0fbc9848c13550ac5330d2da983a82e48dc32e6d5ceecc9b8b93f14ce54705aa74ca1e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\PlugIn\WinIspPlugIn.dll

Filesize
2.5MB

MD5
96d3e558d5732115cc3c20a80bb9e6fe

SHA1
97b68836d7a111fd30a524fad5a6b81c56ed5a43

SHA256
b054fe8894ec154c29bec5bf971aa19c63f678eaa7bd3b86971e9fd2b4bcda58

SHA512
cb39427e4a0eb778849f0c2bcf5e3bebf9e649e432bf90af622eec77c6404f82c6983704d6b3786f4f9614b08b99e387d894ef4b9e2208c87144ae5587c2f4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ISPTool\WinOperateCScaler.dll

Filesize
2.3MB

MD5
a9a63635f4e46b45eda1ecc43229bd19

SHA1
2967b73a1353a2dc484d3a1441b3c3cdc3f0198c

SHA256
07039a5ee7c219907cc288a1a96ccc1087dd890e07ebc5b45a4eafa5304bf6bb

SHA512
0e7a66bd80622294507c003253c03491735486d58ab5c2de7fd5217c6a64cdc86dfbfe88caaa84fe05aac732a1352549a206809f0aba8b611a78f3022d67af08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\RealtekDock.txt

Filesize
49KB

MD5
b14a17762c2d8e5f9534018a4743ce75

SHA1
3bc1d4ae6a6d37ddd13111decd2c21697715ea6a

SHA256
26b4ce178840b5f916f06e8fc72285280fd420b8a824fd0c4f44cae087fb6ae5

SHA512
ca88ebcb8d9f51dc7eaf30bce95372e69adbe1ee092117214bd5af45ee42aff86990c903c94bb7b502c2640dcf790856d9997d109fdb89b029951623580516a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\ScalerFirmwareInstaller.dll

Filesize
2.0MB

MD5
8f8406aad94fc093f9296ec3f7ecda01

SHA1
db6ebe6e74dde28d465062edc1aae4c93f1d081e

SHA256
fd3fa6962c8130449ead3175e22be70fb6be1f5bee53a0d03b5ee6bff96ea94a

SHA512
e4d513f4e11bfa483234b27d5488656d6e1c3bb45c68624b1678f3e9d9eb829f7bd85a4f058f681c2ddc5453e4db3740e701dab6784b8c813fc3fedfd3e7b973

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Scaler\SettingConfig.ini

Filesize
254B

MD5
9c1244eef5859cad13530d3a97e792a7

SHA1
4e420b801f66116d75dbc9ccb38c5bdc8814e214

SHA256
3a2ce3e69e6a18112e9335a5acf14dbbfff87d1032420827cbbeca90774bb2db

SHA512
99d66694f330f2641c1771c7b43aeea58906620a6cb13d2880d26201444b28f401c4b3e1fed314f9a873afa4e47e3be3957555bd170959b90a6edf61409c65c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.ini

Filesize
75B

MD5
13f4cdea42f3d112e2d8814259aa322d

SHA1
9a4a5a95db367390226696ca90a8f106e40e3ae6

SHA256
cc87bd731f6bd7a1cd1026d6b7a20939d9cc9581f398cfe7b78ea6e912a2b7e3

SHA512
a336362c6585159a85af9a9b21ec1245a88037291cda558e75847e46486737c3f20b9729d83b2577dfa6ad40622e0b7213fc121d62bd7f0095b84ad529fb110c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtsUpx_n.sys

Filesize
35KB

MD5
b1a3b819188c976b5eaf3dd10a7ea8c5

SHA1
0d6f87bb6c417eb1260255813b3b67a4641dfd6c

SHA256
83c49f3ee1baf8e62bec2f0a9c0433cfd5e2f53c659f8a621777b1c34eb85803

SHA512
cd672d1067019ad02a86a08cc7465e25b0f83dbf07d5142728557ff03fde3cfbbf10e7f406f6f4b976934b91d6b99705c527172b5141b2a5825259de794f3fd8

Download Submit
memory/436-94-0x000000006CCB0000-0x000000006CDEC000-memory.dmp

Filesize
1.2MB

Download
memory/436-79-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

Filesize
32KB

Download
memory/436-78-0x00000000731E0000-0x0000000073990000-memory.dmp

Filesize
7.7MB

Download
memory/436-77-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/436-76-0x00000000731EE000-0x00000000731EF000-memory.dmp

Filesize
4KB

Download
memory/436-379-0x0000000009E70000-0x0000000009EA8000-memory.dmp

Filesize
224KB

Download
memory/436-380-0x0000000009A40000-0x0000000009A4E000-memory.dmp

Filesize
56KB

Download
memory/436-381-0x00000000731EE000-0x00000000731EF000-memory.dmp

Filesize
4KB

Download
memory/436-382-0x00000000731E0000-0x0000000073990000-memory.dmp

Filesize
7.7MB

Download
memory/436-383-0x000000006CCB0000-0x000000006CDEC000-memory.dmp

Filesize
1.2MB

Download