Overview
overview
7Static
static
3print.exe
windows10-2004-x64
1printfilte...vc.exe
windows10-2004-x64
1printui.exe
windows10-2004-x64
1proquota.exe
windows10-2004-x64
1provlaunch.exe
windows10-2004-x64
1provtool.exe
windows10-2004-x64
1prproc.exe
windows10-2004-x64
1psr.exe
windows10-2004-x64
1pwlauncher.exe
windows10-2004-x64
1rasautou.exe
windows10-2004-x64
1rasdial.exe
windows10-2004-x64
1raserver.exe
windows10-2004-x64
1rasphone.exe
windows10-2004-x64
1rdpclip.exe
windows10-2004-x64
1rdpinput.exe
windows10-2004-x64
1rdrleakdiag.exe
windows10-2004-x64
1readCloudD...gs.exe
windows10-2004-x64
1recdisc.exe
windows10-2004-x64
1recover.exe
windows10-2004-x64
1refsutil.exe
windows10-2004-x64
1reg.exe
windows10-2004-x64
1regedt32.exe
windows10-2004-x64
7regini.exe
windows10-2004-x64
1regsvr32.exe
windows10-2004-x64
1rekeywiz.exe
windows10-2004-x64
1relog.exe
windows10-2004-x64
1repair-bde.exe
windows10-2004-x64
1replace.exe
windows10-2004-x64
1resmon.exe
windows10-2004-x64
7rmttpmvscmgrsvr.exe
windows10-2004-x64
1rrinstaller.exe
windows10-2004-x64
1rstrui.exe
windows10-2004-x64
1Resubmissions
09/07/2024, 13:39
240709-qydwdayanf 709/07/2024, 07:52
240709-jqdr3swdle 609/07/2024, 06:42
240709-hgkzcs1bjl 509/07/2024, 06:34
240709-hb2d6azhjn 309/07/2024, 05:47
240709-ggxgqa1crh 4Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240708-en -
resource tags
arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 13:39
Static task
static1
Behavioral task
behavioral1
Sample
print.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
printfilterpipelinesvc.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
printui.exe
Resource
win10v2004-20240708-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
proquota.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
provlaunch.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
provtool.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
prproc.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
psr.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
pwlauncher.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
rasautou.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
rasdial.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
raserver.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
rasphone.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
rdpclip.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
rdpinput.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
rdrleakdiag.exe
Resource
win10v2004-20240708-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
readCloudDataSettings.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
recdisc.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
recover.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
refsutil.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
reg.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
regedt32.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
regini.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
regsvr32.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
rekeywiz.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
relog.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
repair-bde.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
replace.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
resmon.exe
Resource
win10v2004-20240708-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
rmttpmvscmgrsvr.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
rrinstaller.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
rstrui.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
General
-
Target
resmon.exe
-
Size
128KB
-
MD5
f13575a9e5c327a66d2767ee8f051866
-
SHA1
b7735194fe05f53d58ea4fd56fe4a96fa8fdf247
-
SHA256
173d896fdee281ebe88eea03d045b1420d0becd9be8049db4d917f2a85c9c836
-
SHA512
16dda5a048fd86ae81742b51e31d112084514beb85216db9edcfaa1eba803af2ff54a700de1fec7f2b5492e0d1f343cbd445c9c8fb7c7cc39b2008a7b07c275f
-
SSDEEP
1536:QCFIABqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:Q0IAghtYIo9piswTogiqQKy349
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation resmon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 perfmon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz perfmon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe 4244 perfmon.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4244 perfmon.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4244 perfmon.exe Token: SeSystemProfilePrivilege 4244 perfmon.exe Token: SeCreateGlobalPrivilege 4244 perfmon.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3156 wrote to memory of 4244 3156 resmon.exe 82 PID 3156 wrote to memory of 4244 3156 resmon.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\resmon.exe"C:\Users\Admin\AppData\Local\Temp\resmon.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\System32\perfmon.exe"C:\Windows\System32\perfmon.exe" /res2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4244
-