6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be

Resubmissions

13-07-2024 19:37

240713-ybzhkawgrd 10

13-07-2024 19:35

240713-ya59qawgmf 3

Analysis

max time kernel
416s
max time network
418s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rostrap.exe
Size

3.8MB
MD5

3da3fa7ef74e6912844e3b7eea44c475
SHA1

b8078c6b01a37c6b3bce3bd93eb11b8d5b88d37e
SHA256

6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be
SHA512

a64cc30dd4f1c44f630bd91ffa6426ddc9af94fc85d40c7c30ec1869748b828362be4efadb6e54fc21f739217d1d587c24d37225f72a0dc4ed09a4a296e99136
SSDEEP

98304:O3GM47lTHdcFcNQBUb4vzWsyQj0jvDeug4WGR/JvY3csQ:O3GTp9ZyS8asyQjaLeugYR/JicsQ

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rostrap.exeBLOXST~2.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	rostrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	BLOXST~2.EXE

Executes dropped EXE 2 IoCs

Processes:

rostrap_setup.exeBLOXST~2.EXE

pid process

4324 rostrap_setup.exe
4620 BLOXST~2.EXE

pid	process
4324	rostrap_setup.exe
4620	BLOXST~2.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rostrap_setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	rostrap_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BLOXST~2.EXE

description pid process

Token: SeDebugPrivilege 4620 BLOXST~2.EXE

description	pid	process
Token: SeDebugPrivilege	4620	BLOXST~2.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rostrap.exerostrap_setup.exe

description	pid	process	target process
PID 3780 wrote to memory of 4324	3780	rostrap.exe	rostrap_setup.exe
PID 3780 wrote to memory of 4324	3780	rostrap.exe	rostrap_setup.exe
PID 4324 wrote to memory of 4620	4324	rostrap_setup.exe	BLOXST~2.EXE
PID 4324 wrote to memory of 4620	4324	rostrap_setup.exe	BLOXST~2.EXE

C:\Users\Admin\AppData\Local\Temp\rostrap.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
Filesize
10.1MB

MD5
2c752edef5b0aa0962a3e01c4c82a2fa

SHA1
9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

SHA256
891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

SHA512
04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.EXE
Filesize
3.5MB

MD5
be5d8f72e1a5fdddf6f16de1c71e83a9

SHA1
df4c647b0be4ec82e14e6775bdd1418b24263e68

SHA256
18fc1de44a6e2886e845e94acf0df1c25e73276bfae587fedd8221b9544c89ef

SHA512
b7a1cef87df06a463f060f6e8d84ec7317a526580106e049b4d5b699116c155bc358efb926d2393c764a8dc5c5aa4ca78def8deee93e26bcc260709c9f020528

Download Submit
memory/4620-19-0x00007FF9A030B000-0x00007FF9A030C000-memory.dmp

Filesize
4KB

Download
memory/4620-20-0x00007FF9A030B000-0x00007FF9A030C000-memory.dmp

Filesize
4KB

Download