5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 04:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe
Size

1.5MB
MD5

ff98bff64c9ee3eeba76b3052165921e
SHA1

18b3c3664444e6877167bbdc325a22cc3f17339e
SHA256

5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd
SHA512

96baa28d54c0ade04701a228e19bba3a95e997001898d67177e644b3f45a3e2ecbba1b1ac3e2ece2cb7b0daf1f530be7a684b6a5ab9d2d514f265cf0f2acfee4
SSDEEP

24576:bN2lE+POJedCeVX7e0Nnjg6kmjwutG80/cTvssF5P/LL5M4KlNxQ5DS:B2l9PBdjq0NjflRY/UosF53LONfxYm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	RAVAntivirus-installer.exe

Loads dropped DLL 1 IoCs

pid	Process
2652	5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	RAVAntivirus-installer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2576	2652	5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe	28
PID 2652 wrote to memory of 2576	2652	5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe	28
PID 2652 wrote to memory of 2576	2652	5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe	28
PID 2652 wrote to memory of 2576	2652	5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe	28

C:\Users\Admin\AppData\Local\Temp\5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe
"C:\Users\Admin\AppData\Local\Temp\5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\RAVAntivirus-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\RAVAntivirus-installer.exe" "C:\Users\Admin\AppData\Local\Temp\5edf82763a3b79627af5456f1c678b136a3cb700d1d8221ed2aa1f19a53028bd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1190.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11F4.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\rsAtom.dll

Filesize
183KB

MD5
20f598dfbe293fb6b8011f3479ea69e3

SHA1
90fa1787319eb0e1e67b8fcd52fa92a33615fb55

SHA256
36463e1b20ca93c24ba0504b762ba2ee8bf526d17b6e63d6a585e5ff942af3ab

SHA512
5388b35c3aeb9f68ed0a2b42234c1f63c08013254accedae7f57b9e248f0067ada0928e730bb3a0660d7b0357d594644c10b34aa26463a268f86dfdd02bf2d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\rsJSON.dll

Filesize
227KB

MD5
161bd6d14d8c04744139b56fe36f0f10

SHA1
237579cde6443653ba27ed67e7f7bd3cc7c4724d

SHA256
6b07f326170cd420ec0caae9659010192f6ac628d95bdcd9efb84828b050c25b

SHA512
42d5b507e17df2b5f0ab43f5ca4ab9151699b6b4e99a7347e54ea4aa029c85228c3c21e3e970a1fe67ad3aacc6a891d4eea209fc7e5103473c358e3346ab84be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\rsLogger.dll

Filesize
185KB

MD5
206efa88946a8667fe6b9ba4a3975956

SHA1
46ffc85986b13b4f6a2be9c3077c6ffab57e71ac

SHA256
1ea7b9b4d389ddcdffe7e417940f69637241b9799b4d134ffe5b2ac174944f48

SHA512
5292e70f3465a4e5418bd761402c17d4cc6f3d2df368e7daf441fbb4923dec631d1e97570af29b1cfc476c7f4ec37357ffdb7f91fa6b4d5a8dd08d02b1a65c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd742.tmp\rsStubLib.dll

Filesize
194KB

MD5
7ac7a95b09b33fb03398cddf684d362e

SHA1
b267109944e0eaffd29a972ee736e8f677309c42

SHA256
02b261ce0fb3695c17029d06dc98c23b245184f462171640abb6f79e99930d02

SHA512
0e3806c3dbf2ec27bcaab2edb4efebcefa7e33af10cf196b70c3dcccbdd93475db689b54b10237c819010cd7880b978a9f4591f5a14b0f43d5070fd9ebb63cfe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd742.tmp\RAVAntivirus-installer.exe

Filesize
526KB

MD5
8a1393c7b22bf756706d03c454f54850

SHA1
34121b55f2140bb2b6bd941edda91e273cd6163b

SHA256
2aecb7a6e46e142344cedbe166bc416cb6167a4023f97f706764336b16d54573

SHA512
ed10a536abadb6d782b85b344e813f32cc664ff00764548f6b16b5d9cba02f937eda02c6dbb36e6cb5812faa5c916fba22f99d63d0a8f8f376c6bb213a75820b

Download Submit
memory/2576-48-0x0000000000500000-0x000000000052E000-memory.dmp

Filesize
184KB

Download
memory/2576-58-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2576-51-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-52-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-53-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-46-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/2576-55-0x00000000020D0000-0x00000000020FE000-memory.dmp

Filesize
184KB

Download
memory/2576-56-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-57-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2576-50-0x0000000001FE0000-0x0000000002018000-memory.dmp

Filesize
224KB

Download
memory/2576-59-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-60-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-44-0x0000000000340000-0x00000000003C2000-memory.dmp

Filesize
520KB

Download
memory/2576-43-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/2576-125-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/2576-126-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-128-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2576-127-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2576-129-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-130-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download