Resubmissions
- 20/07/2024, 17:01  240720-vjk4cswbkp  7
- 20/07/2024, 16:55  240720-ve8nvstgkb  7
- 20/07/2024, 16:53  240720-vedtgswamn  7

Analysis
- max time kernel: 113s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 20/07/2024, 16:55
Behavioral task: behavioral1
- Sample: RVVNfAFuoPUg.exe
- Resource: win10v2004-20240709-en
- 9 signatures
- 150 seconds
General
- Target: RVVNfAFuoPUg.exe
- Size: 20.5MB
- MD5: e5bb4ca071b4a7f32467d4260fef5610
- SHA1: 7e950adae620544f07a3b455546e498a6ac2c4d0
- SHA256: f9cb65c4d208ba89805850d0ea1e2d9853236ac21ad1f93a4f263f377ddd614c
- SHA512: 065cd30ca5bd18bc9d7be0c3700f1f6282b2525f59d741e3a0476d0572b4b0c90f077ecedc0aea4df7eded285948a9ebc54b8192fc2260862b9999c564ab7ca2
- SSDEEP: 393216:HNZI9KZ5ikvL+rWGtlqSfBI5xX4LH4pYZv7ugs7G2pWCL6o+DhUOvNR:U9KZ4kvqrh/hfBI5xXoH4KZviTGDaOvf
- Score: 7/10
Malware Config
Signatures
- Themida packer (yara_rule: themida), 3 memory resources:
  - behavioral1/memory/4960-21-0x0000000140000000-0x000000014296B000-memory.dmp
  - behavioral1/memory/4960-24-0x0000000140000000-0x000000014296B000-memory.dmp
  - behavioral1/memory/1952-55-0x0000000140000000-0x000000014296B000-memory.dmp
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - pid 4960  RVVNfAFuoPUg.exe
  - pid 1952  RVVNfAFuoPUg.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  - pid 4960  RVVNfAFuoPUg.exe  (4 entries)
  - pid 2348  taskmgr.exe  (4 entries)
  - pid 1952  RVVNfAFuoPUg.exe  (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - pid 4960  RVVNfAFuoPUg.exe
  - pid 1952  RVVNfAFuoPUg.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  - Token: SeDebugPrivilege  pid 2348  taskmgr.exe
  - Token: SeSystemProfilePrivilege  pid 2348  taskmgr.exe
  - Token: SeCreateGlobalPrivilege  pid 2348  taskmgr.exe
  - Token: 33  pid 2348  taskmgr.exe
  - Token: SeIncBasePriorityPrivilege  pid 2348  taskmgr.exe
  - Token: SeBackupPrivilege  pid 1248  svchost.exe
  - Token: SeRestorePrivilege  pid 1248  svchost.exe
  - Token: SeSecurityPrivilege  pid 1248  svchost.exe
  - Token: SeTakeOwnershipPrivilege  pid 1248  svchost.exe
  - Token: 35  pid 1248  svchost.exe
- Suspicious use of FindShellTrayWindow (30 IoCs)
  - pid 2348  taskmgr.exe  (all 30 entries)
- Suspicious use of SendNotifyMessage (30 IoCs)
  - pid 2348  taskmgr.exe  (all 30 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - pid 1952  RVVNfAFuoPUg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
  PID: 4960
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2348
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4708
- C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
  PID: 1952
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SDRSVC
  PID: 1248
  - Suspicious use of AdjustPrivilegeToken