Overview

overview

7

Static

static

3

RSI-Setup-2.0.0.exe

windows10-2004-x64

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows10-2004-x64

1

RSI Launcher.exe

windows10-2004-x64

5

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/...64.exe

windows10-2004-x64

7

resources/elevate.exe

windows10-2004-x64

1

resources/...rt.exe

windows10-2004-x64

1

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...er.exe

windows10-2004-x64

4

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$TEMP/VC_r...64.exe

windows10-2004-x64

7

$TEMP/dotN...up.exe

windows10-2004-x64

7

$TEMP/dxwebsetup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    61s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RSI Launcher.exe

  • Size

    158.5MB

  • MD5

    fb745b1faa76fb33d0c7f665835a2613

  • SHA1

    5a3ede67f1025e4528b60e557b5df67820ee0efc

  • SHA256

    8a0a9690e03d03cf36b78142319c92408fad4c7c01a3d85083ce94f03c545905

  • SHA512

    970dbc1b91345096d8abfcfaf5bf7c4d09b8a6ea5a0035338d8fac36b679521d5fa9d7efe977f5bb462a91f3f826bff7d8808c3e7f36ae3924e01e985075c9e0

  • SSDEEP

    1572864:Sqlkf5pFz1X7SBT4Oj3tdOS69YvkSpjwy8Oz/jf2xzQf+f5KvAKNtnJHUOWm5v:IcUkHaov

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\rsilauncher /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\rsilauncher\Crashpad --url=https://f.a.k/e --annotation=_productName=rsilauncher --annotation=_version=2.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=26.2.1 --initial-client-data=0x458,0x45c,0x460,0x454,0x464,0x7ff718241ef8,0x7ff718241f08,0x7ff718241f18
      2⤵
        PID:1244
      • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\rsilauncher" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1720 --field-trial-handle=1724,i,16562626183965830945,3694559994466872631,262144 --disable-features=HardwareMediaKeyHandling,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        2⤵
          PID:3692
        • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\rsilauncher" --standard-schemes --secure-schemes --bypasscsp-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --cors-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --fetch-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2020 --field-trial-handle=1724,i,16562626183965830945,3694559994466872631,262144 --disable-features=HardwareMediaKeyHandling,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
          2⤵
            PID:3124
          • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rsilauncher" --standard-schemes --secure-schemes --bypasscsp-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --cors-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --fetch-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-experimental-web-platform-features --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2288 --field-trial-handle=1724,i,16562626183965830945,3694559994466872631,262144 --disable-features=HardwareMediaKeyHandling,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
            2⤵
            • Checks computer location settings
            PID:4972
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\DevDiv\VC\Servicing\14.0\RuntimeMinimum
            2⤵
            • Modifies registry key
            PID:4256
          • C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\RSI Launcher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\rsilauncher" --standard-schemes --secure-schemes --bypasscsp-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --cors-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --fetch-schemes=rsi,rsi+local,rsi+qa1,rsi+qa2,rsi+qa3,rsi+qa4,rsi+qa5,rsi+qa6,rsi+qah3,rsi+uat,rsi+staging,rsi+ptu,rsi+eptu,rsi+prod,status --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3148 --field-trial-handle=1724,i,16562626183965830945,3694559994466872631,262144 --disable-features=HardwareMediaKeyHandling,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
            2⤵
              PID:6412
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x45c 0x4cc
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:6468

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\74193af1-5a7a-4d34-b58c-db2975272b5a.tmp.node
            Filesize

            1.3MB

            MD5

            229186dfc4505d1c70b63597a4df0b31

            SHA1

            2fe895c33b86245b04bba27f91d0c811c8efef66

            SHA256

            db22397d50afdb8aaa55e4aa4c43df9662431b8eea5e6d278f17c4e167db20bc

            SHA512

            9b6f269b8d5291205f1d1dc25dd4f9b1cee7bed7603fe64517c8736e0ec4eec2571f65f7a603fce6bde988caf4dca3329a3c7b1c72d038c35e5c73d1b04cebe4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\df5507a0-3c9a-4783-9066-c0bbb8bb3e5b.tmp.node
            Filesize

            165KB

            MD5

            581182d57f6ccec2a0520479a9c72160

            SHA1

            4cf92ff7a0e1ecf07b867931744f28d929e5ef07

            SHA256

            6c8e870cffb22f4616a88e013f44840b6bd6f2fc23f58f6ffc60d0b85bfa34d1

            SHA512

            d8de973fac15437c6125e5cc15adf4ada5108fad87ccbef6da793a8abbebfb5f58209b3cf6ad09e27379e6db924cb7d7ddf38ef989bd468f68c80a3a857208c1

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit

          • C:\Users\Admin\AppData\Roaming\rsilauncher\Preferences
            Filesize

            57B

            MD5

            58127c59cb9e1da127904c341d15372b

            SHA1

            62445484661d8036ce9788baeaba31d204e9a5fc

            SHA256

            be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

            SHA512

            8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\rsilauncher\Preferences~RFe5785ba.TMP
            Filesize

            86B

            MD5

            d11dedf80b85d8d9be3fec6bb292f64b

            SHA1

            aab8783454819cd66ddf7871e887abdba138aef3

            SHA256

            8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

            SHA512

            6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\rsilauncher\Session Storage\CURRENT
            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

            Download Submit

          • C:\Users\Admin\AppData\Roaming\rsilauncher\launcher store.json
            Filesize

            217B

            MD5

            19a8d2dfdba76b806dd8dbb42db07576

            SHA1

            ea8fad3781fc8838faf04b9a208f9d4beef9efde

            SHA256

            4ba4c1bb2a3d352a98eeaca1b72b4408565d38cf76b61110f3466c259e182012

            SHA512

            a57521288c81c59ced12a4bcf64b35028d268887bd29f86002d93a521ccda899c776145ae739509314768af70411b80cf31e30bfce63876a07a489742f54826e

            Download Submit

          • C:\Users\Admin\AppData\Roaming\rsilauncher\launcher store.json.tmp-652234584226cd83
            Filesize

            345B

            MD5

            a9480ac0531e8ffce86f987becd6b2c8

            SHA1

            9b267b2696705403504f40ca9c009538dd50a27b

            SHA256

            465f7e2290d004401f1583dda4c0760f6c40ea8eedca02304781fc1bfa327a96

            SHA512

            958b2c2d59cf346d6420f18788f5aab56b9ca0eb3f723e379f514bd207c337778b62d6a4f5a9a0eda0a1bdeb5adc141986815b9d7a771e71d885f9884f21e5a3

            Download Submit

          • \??\pipe\crashpad_1408_UGHBDZPIVLVQTHKU
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            Download Submit

          • memory/6412-599-0x00007FF808970000-0x00007FF808971000-memory.dmp

            Filesize

            4KB

            Download