8f3cfcedaf845387e4f7d07c77db62ad6f3c6856995ed8e0d1cdcecef17e0bbc

Analysis

max time kernel
145s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 09:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Right Click Enhancer.exe
Size

830KB
MD5

bd07d69edbc4779b65f837798cfce2d5
SHA1

002a487831267ef2bfb6e4a312690ff3be1181e0
SHA256

319433db5c3a38d2a5641fcb0e66874deb3b3eb8ec93ce5123bda06f77f165f5
SHA512

2b0732d23a060e1e0a4c617c147027cbdaea235d383b830e99be93583c3dace0d98d2e32f7aff712715d9bfa9ff375863e158eb6b18fe162e828da7bb5fc5ad7
SSDEEP

6144:Xl5nQMLV6yW76jThLN2haW6y8gGmycDC+yvqaSXKW7R57BOKHkss7aTuiz/wzT6W:XnQPd6jTdNs/QKtiiUz/

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3884	2780	Right Click Enhancer.exe	86
PID 2780 wrote to memory of 3884	2780	Right Click Enhancer.exe	86
PID 3884 wrote to memory of 5048	3884	csc.exe	88
PID 3884 wrote to memory of 5048	3884	csc.exe	88

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Right Click Enhancer.exe

C:\Users\Admin\AppData\Local\Temp\Right Click Enhancer.exe
"C:\Users\Admin\AppData\Local\Temp\Right Click Enhancer.exe"
1⤵
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\igpdhjrg\igpdhjrg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES545A.tmp" "c:\Users\Admin\AppData\Local\Temp\igpdhjrg\CSCD052CE0DB41C494C94E031E74C148D7C.TMP"
    3⤵
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\1F6CA761774D8006470AEEF3CBF5C3E2\autoupdater.net.dll

Filesize
405KB

MD5
4947ce53d960accc0bd807dfec508098

SHA1
ed5fae18b48abfe03055dad03c7c6961a7090ec2

SHA256
3a2de65263ce406b57adf92c7a70a8f6719bee43d2644fcc988cc4dc16ec1fe8

SHA512
503eaee029a4b879c03903873ec5a05f295535e5041ad7f22a1504ac6c98b3259d729c3406ea4c4aa6dfeb532008b2098bb1d5840b44cefc361ca4de4b0c32dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\1F6CA761774D8006470AEEF3CBF5C3E2\helperfunctions.dll

Filesize
26KB

MD5
bff23d834ece5591a51d0019e7134f5e

SHA1
a77f17537c4dcf9fd42a5efb7a4e92349368fa35

SHA256
a1edec95452f32ea1149b0f0c4d8ec16bd9affde1c448c06efa8af179d00715f

SHA512
1d1ca50d272596da767383b9637b6297522bb03ac3928c6d73c99f753044c0720c0dadb9f3610b450dd54a0b7768e9255b3379621a588a3ff3e5d23941240d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\1F6CA761774D8006470AEEF3CBF5C3E2\nlocalizer.dll

Filesize
44KB

MD5
4810d5c121e9ed033df89387f7ce9f50

SHA1
7b08ac2b56fd6355d2c7934bac863a0cd39d95f2

SHA256
edf332d48066b8b2eb852b8b8d899ee73cc48c82e87a235a3b7ca73fcbdae220

SHA512
608b8343b685876a3f0d78727ed0f1c581faac9f9a3c648e9f4c45dd9b80f1d6810600c23787fcd82761f2f937615b0cca121b35920d4e9a2c9b38a2861c881f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES545A.tmp

Filesize
1KB

MD5
aca9aa0ff2661f4d8ab586eb43740f2f

SHA1
7fa243211a68eaed92e681313a29b7e01760b5c8

SHA256
7796722954ac18245a435c7a0cdd51f50c929d9a510e91e871e10f6c3e4add2b

SHA512
0a4090313f681e11e4f3397e94a1878fa4814d781ece1d2720a6ed6f7b27069b5fb551caa9c0bafeabfec783fcd8ccc03cafebce62cc856fe81ff2b1b0b100e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\igpdhjrg\igpdhjrg.dll

Filesize
8KB

MD5
82e3b06e74805bcbeaa503ca42b11e80

SHA1
725a0293c1b2acd73058965a3b26a7803c32a63b

SHA256
83bda3f77cd6fd3cbdd78a99c2c8bf1a618cebc34adba945ad21c8d95247eea2

SHA512
77914706ee8520114b72e98d33d415cfdddb3d0f12e95692a7fca5016e08ca25b201cde9e075cc344e6aeb687e9744ad86147a800159191d37a75662ebdee7ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igpdhjrg\CSCD052CE0DB41C494C94E031E74C148D7C.TMP

Filesize
652B

MD5
55cecbd123a8c7faf13b1b7e41428073

SHA1
74c037a4cbb786dac83cc494fb7d0257051f05aa

SHA256
6246f03a59dc8bf4afb78a787be513fde1d6f04fe6b83487f2c0892209ad8149

SHA512
9062bcc4e82a08dd010d73bbc4aba18e0e21b5f5382f6eb7c313f265f50d232122d21217d079f12ebc229305e5d709f672d32cebb89cbe070490431f1e435527

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igpdhjrg\igpdhjrg.0.cs

Filesize
15KB

MD5
5386c7e1be6533fa552a6e00abe27f77

SHA1
9f5de4c9068e01e76b1436ddc770846b74a20652

SHA256
6338e1298ba0b35be7359d845d168cb98bea0903ff1ab046dae5b686aafedaab

SHA512
4d51889368b34eafe886a26a80298c6aae4197008ac26ccaea97e54a6e2367a1a1182316583d95dc130c2eac9ff6cc41c22f289bc5567f7ae933e2c292f929a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\igpdhjrg\igpdhjrg.cmdline

Filesize
1KB

MD5
b32af1f2e7a57a82b3be1f1706e328ac

SHA1
1d341a241b5f02bd14ba0ae45d4eff0cf51235b3

SHA256
f62a5ab2d82ffe6b94c6b96b7e6c025bc76004bbfa4a0a97b395091a1dc6bac5

SHA512
5769aa10b0f9f731d84a37ba6dc6c66e19ab9eb4f1a7fce6cc107797515e9ed4fb828e32ec99cb72f86592c90ec74084a74f814bb5f029c3f80d0f64f3e08ef8

Download Submit
memory/2780-19-0x00007FFEC3D20000-0x00007FFEC47E1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-20-0x00007FFEC3D20000-0x00007FFEC47E1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-16-0x000000001BF50000-0x000000001BF62000-memory.dmp

Filesize
72KB

Download
memory/2780-22-0x000000001EF80000-0x000000001EFEC000-memory.dmp

Filesize
432KB

Download
memory/2780-0-0x00007FFEC3D23000-0x00007FFEC3D25000-memory.dmp

Filesize
8KB

Download
memory/2780-12-0x00000000031A0000-0x00000000031AE000-memory.dmp

Filesize
56KB

Download
memory/2780-1-0x0000000000F90000-0x0000000001066000-memory.dmp

Filesize
856KB

Download
memory/2780-40-0x000000001CB70000-0x000000001CB78000-memory.dmp

Filesize
32KB

Download
memory/2780-42-0x00007FFEC3D20000-0x00007FFEC47E1000-memory.dmp

Filesize
10.8MB

Download