1207fda9b7bba1244e4f256f3b3fecc8656bef9c5e3ea393596d806c3aa4d434

Resubmissions

14/07/2024, 12:27

240714-pmywqssfra 3

14/07/2024, 12:24

240714-pk9kfszepn 3

Analysis

max time kernel
71s
max time network
77s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2024, 12:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RezNoxCustom Skin Manager Installer.rar
Size

1.4MB
MD5

d6708cb99d4a8a7b25216b050283fe22
SHA1

6c329344167d5e1cdd84767011c06ba4beb31f71
SHA256

1207fda9b7bba1244e4f256f3b3fecc8656bef9c5e3ea393596d806c3aa4d434
SHA512

99620275eebd22ffbabe647473b2d0e42ec1e0394783dc8b455e46935360b55d7568f9bdd11b301c00bf9b9a3cc3fb9f9b0f3353e1d32fe8d99080a178f41bc7
SSDEEP

24576:dzGZmGz9H8E76diMCFvHs8eFV+LD1fRmeZ4UcDlCyQMlGhIFsKKdd/iSaXuBdLZN:kmGz9H8E5MvX+LDFgeZ7cDEyQMlsTJTr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3372	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4952	OpenWith.exe
3372	vlc.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe
3372	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4952	OpenWith.exe
4952	OpenWith.exe
4952	OpenWith.exe
4952	OpenWith.exe
4952	OpenWith.exe
3372	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3372	4952	OpenWith.exe	72
PID 4952 wrote to memory of 3372	4952	OpenWith.exe	72

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RezNoxCustom Skin Manager Installer.rar"
1⤵
- Modifies registry class
PID:1660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RezNoxCustom Skin Manager Installer.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
117B

MD5
678e6da8bd4d48fa92f754d8e4d5dd11

SHA1
ad349f5fcafd216db76ec30fbfb177ee7369311d

SHA256
65d741f4ff532173938b555ac6a076f63599eb756bc04d1787b70cc302856cab

SHA512
58608093a5ef6aa1af8605ca6e3244662ec1b4391857a4ce6df790264191edfa3e3f0e6fa930f409fff2e18724f6f99fcb09aa9cfecf16a9caffdabf947d629f

Download Submit
memory/3372-28-0x00007FFCB4610000-0x00007FFCB4644000-memory.dmp

Filesize
208KB

Download
memory/3372-27-0x00007FF705E60000-0x00007FF705F58000-memory.dmp

Filesize
992KB

Download
memory/3372-29-0x00007FFCAF810000-0x00007FFCAFAC6000-memory.dmp

Filesize
2.7MB

Download
memory/3372-30-0x00007FFCA0DE0000-0x00007FFCA1E90000-memory.dmp

Filesize
16.7MB

Download