8a33cc7af2cf926411f45236cb841d1b5ab667aabff7c85c102a0edb2baa2534

Analysis

max time kernel
51s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ruler.IRule.exe
Size

153KB
MD5

ccc7b44c7bc889ded016b7f28a828980
SHA1

d4ddaea201cb60acc86450dabe4c41cb0eba83a9
SHA256

492f1aedf4893e90bdb64afdc1e2cf19d4e0f1f6849921c6562460cbfbf00461
SHA512

8391e1890583d8985b4cf2fce1882f1f5a224790e9ccb0938cfe6b2f81fe5fdd94bb3f4a0bff6247b78f2fef05a9bcebd84c0469c9300e2d57b0f4a5f8545487
SSDEEP

3072:gwLEVbLoEZlKk7611VBzNkDqrB5bGEAd9/i3s:gRuk7611VBzhEEua3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ruler.IRule.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Ruler.IRule.exe

Executes dropped EXE 1 IoCs

Processes:

IRULE.exe

pid process

400 IRULE.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

21 raw.githubusercontent.com
27 raw.githubusercontent.com
42 raw.githubusercontent.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4316 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4316 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

IRULE.exe

pid process

400 IRULE.exe
400 IRULE.exe

pid	process
400	IRULE.exe

flow	ioc
21	raw.githubusercontent.com
27	raw.githubusercontent.com
42	raw.githubusercontent.com

description	pid	process
Token: 33	4316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4316	AUDIODG.EXE

pid	process
400	IRULE.exe
400	IRULE.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Ruler.IRule.exe

description	pid	process	target process
PID 2560 wrote to memory of 400	2560	Ruler.IRule.exe	IRULE.exe
PID 2560 wrote to memory of 400	2560	Ruler.IRule.exe	IRULE.exe

C:\Users\Admin\AppData\Local\Temp\Ruler.IRule.exe
"C:\Users\Admin\AppData\Local\Temp\Ruler.IRule.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\IRULE.exe
"C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\IRULE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pvz_isaac\iruleGlobal.dat

Filesize
311B

MD5
2a75df90590557bee42bb3eec2156e1d

SHA1
4147d8b7c79bf9435ff5a2fc359cc4c3cdd452a8

SHA256
f29838a82186464a8f574fe8c527afb44d0e311d570c2ef3a7cb68a81a19f24b

SHA512
32c6fd55dd836ac259c1832d0112835d3d298018c287abd58d991414276265bf0e231799e8c19551616b16dfed94c88dce10b7cb7c54ee65d41031ed8cd5337e

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\IRULE.exe

Filesize
11.6MB

MD5
c7a0fd576c134d147fa66c8a90505f77

SHA1
a268c94e49d2761cca81d31ed82c43f2fe287be0

SHA256
ebd8af04fcf051166882a3c5c23920a730f8fc6cba8e3cabb9160fb4ef0a9a52

SHA512
04da64b26d7f0b050da0ce8cda4ddcdcc687c48b582659cb55af275e4db9cbb8985e6e740467b7bb5f26f77a97afa04b9e0dd37abd824cba9e4c0e0bc689b33f

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\data.win

Filesize
6.9MB

MD5
5367ea0cf839725d5f370e427aafd96f

SHA1
9ce291289dd20da520d65485b5af93da5b1998ae

SHA256
bf6a2dd179f9c1d9e8be1707039cbe3d59bce383509366b0e32f24ca36aed34d

SHA512
209c1b650cc96fa4c3b4dc29738943cc9dde5c7104dff06331832bc1b97f18a9f0cec1b94926c4adcc8709f59805eef4a7ce7f3ab698c1f9561a597ed17b3070

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\locales\en.json

Filesize
18KB

MD5
4b4513e9d6ca834d15ccfb5b75fb3b22

SHA1
dec603287bd05553106fc40b84815ad9467d93d8

SHA256
fdc28aa91a86c17c91ed5b994d6aa26c38942fccb6672fa8ee2c7d440c390d91

SHA512
7df54efaa2b0eb3a3635be887cbe0580841b1394b116ea2df3d55f6e151ce4570927bdfd530b7c4f5b0c14b52abddc0722067f0a4ebf71b3088b41fedeed46e4

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\locales\ru.json

Filesize
27KB

MD5
cd22f671dee2c4cfc431a1047dfbf5fe

SHA1
ac7cc862416116bf7c67cd904f59a83dabe3392b

SHA256
3bb4d3027b96271d900170f2269fe02c8c67c02857ba321672ca15dbd18c44ad

SHA512
a1634af3d2ab468bb356693f207dd254d9dcd66ec15c3414083b654ea189eb783a47806ccf2d6e4786d3fff7dad5dde30a725b9c00ff0939ac8d5fb72f09ef04

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_boss1.ogg

Filesize
1.0MB

MD5
7301cd97c9ff3676ad96f6ba52b3ecfb

SHA1
e1efff2dc77372ecdeb456b1eb63afadca62f605

SHA256
5730ed72fea86e3b99fb96c9feda54ade9c70635526c880944add3d091082eba

SHA512
7112afc4d528cde2e87ceb1ff713b094ffd2625b66c67310f59846741752d02a43d12e3056b2f1869476e060704ec6a68d6c9d76582f80c12d98d54e69c1b126

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_boss2.ogg

Filesize
805KB

MD5
4d0dee7fd9e340ea2c708349fd847223

SHA1
4c0895e2e15c388f0888105fbbb95f14a7dae66e

SHA256
332a671cb8df213032b7d55e58bd7388fb57e5f7d90c847efa5446fd24157bac

SHA512
ed2974e200200cb05de6757f34d0b0ce59d4092c737b1e64bd8ad3e61f3e714c8544b26d3a5daf7a237c6f3681d7c2ad33dc689b06f815b0cec98fbe94c66ee6

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_boss3.ogg

Filesize
750KB

MD5
703652d0aff8f82f7bf6e65af4f735db

SHA1
ccc3076cfea60e66cfa42f4e73db7b7a2ff2f818

SHA256
f7853f4ed9f4aed1bc74c15a1b3dd0ce67156b3622aec1274f13b124d0af312f

SHA512
52734cfd8535670234e68de3f8316ce4a8e505900227567696cef8b847fd362d183630af1b042c7e8686dab27c2609d33de9e6ff106e65f7f3e64037d1d8a677

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_boss_win.ogg

Filesize
70KB

MD5
a7b5d7365002624b952b1f964a6bd5e9

SHA1
1ab54817d01ddefbfdca6985c366a6afb14d5da4

SHA256
158866c506e8a5d7d6981ebbaa74e875d9e7296fe6e5cd064913a2270c7675db

SHA512
35008f9f805a03685e1ec5f67469bab55a60c0fa21ff566e076f1758794c5433fce57dcf1da40210f795df80228ab3ad9c5c67643c90dc48675401236e22f5bc

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_calm.ogg

Filesize
824KB

MD5
924c715df65d85e454c27a15db4e46c0

SHA1
b2b9b2ffae42efe56d14a52ad785a2d8e8ac3768

SHA256
67a81227d29fa06cadb4dd707edca2efd744c0c89b32ac2a54812f728ca78b63

SHA512
6f4576d003e639c9141a402db33cc0db7a99e3bcf4a86206e85626b3231e042a08e51266fbef47951be49bda467e4dcfeb389819feae07a16837fce7132f8d86

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch1.ogg

Filesize
844KB

MD5
ed985503815a1f3ec232449173137277

SHA1
89e72bb6f3ee8cb0b73a8da51c78570123ddb037

SHA256
8b61e84a4e8b6a7d0677b53d18229dcc269ee61b52d8b4f16bbaa275ad411a44

SHA512
8d1490950ad7548b6735d0fc23e396e6514c728baa0ec2de40a98ed1b72dbd8dc6e450181a8f6399a4f30eeaa9b15bec2f9506fad5d87d1b59af73cd9534e954

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch1_layer.ogg

Filesize
939KB

MD5
1d911211144147f95359658aa2474627

SHA1
e46518f0d13d94da28dc863b268a110f7773c0ce

SHA256
c364c1c83bf94459f26441cf792629acd83a8d206c55210267eca4b02126675b

SHA512
b55977dd4d1abb566b4a6c7928394912c7f3e47fb39847de6d04834b49f6ad7eec9b776978df830ecfc314673c8e427c0a607d674560e6c1947f8c92bd209d21

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch2.ogg

Filesize
994KB

MD5
dd5a4a6233cb961579c641e341403aa3

SHA1
0672d727fa0a8918faf50d38dbebc3ee74c03a2f

SHA256
e40b6140d92289189f250be80d9fe36d7f1a604111f5039eb25e3de8106e3e63

SHA512
d40cf5143e134c1a3723ca29790591966ca473aca0a17dfa15752154b0cf4392b278bcbcf40622dd56e34b1b1cf6c04663ae5e9b8b5cee6697c709ed3b691271

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch2_layer.ogg

Filesize
1000KB

MD5
1ece7083b99f4cb4f39a88d35764ca51

SHA1
e517df84cf674f53cd3c908d884b288962017f10

SHA256
a465c95d6cc41e2edb3a9c6d77f3e38f614d50e8d128dc661a8002c702d0e8d6

SHA512
0ddc5d72133d22dbec09f607cb70ffc1b45d266a5bc2ea42efc2a3cbcff390e07b8b228bb7d3934a52754dceeee1ba82f362d99b18593cf0e5ff9b8686fb6b6d

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch3.ogg

Filesize
1.1MB

MD5
b54a4d69681df0b68b183759c5235a93

SHA1
9c7ef04273774c0816d2328edbc7001f5b51e9ac

SHA256
eaa2ba5f18136be17aa6b0849e8818ddd612442b821ef83893929ca810fc4d89

SHA512
4f9e6517056d1811fe70e0acf8d71dbf3781dc7e430877ab98d28df7acfe183c91d9613026ccdc0d34ec136754f6dd4b20f380590deb4c759e85e70ee9bba3ef

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_ch3_layer.ogg

Filesize
1.0MB

MD5
930f240725b6b70fec742ec787e0066b

SHA1
b9b91b1236893a0adac5b50b55701b86bd86c817

SHA256
3c6daa5925ac74ce778ec4e6a36f29bb90aa5f0db72a99cf9b100d697154450f

SHA512
03fdca9f9cd2143fb3df8bd7ee4cc8120a80adb851afe1ef886bdaa51c3421a577b7289c6144cbc6f8f5d839e626bea9eb66daf4c2465add1eb0ee63d578d0e3

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_echoes.ogg

Filesize
443KB

MD5
db8f9df92685104c611e5fa0028f1a68

SHA1
949bb609cf3ffe4020fbb3959f06824ef9f30f87

SHA256
6f7dfd0c0d9953250b8c1f027d12d2b8b01bb3712f25136317437b7f09791969

SHA512
42d371b05c6e271c7ec1e92e118e3a7b8f027ccc1ebf0c3812daf6f5f3873ca3898a0ac8c30b0ede7d78319c94d81b31bed0011dbd8344451b691d8c897e5379

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_game_over_real.ogg

Filesize
519KB

MD5
c2d5daf6784928775f9bcf3d8dd46859

SHA1
0757138b9591db1867ffdd1c9c3ddf6645022abe

SHA256
37975e6930e6d259a87025fc6d50054aba852ee137072e3ede7a401de5d92679

SHA512
cfc978248cc18b257358388b98f305d955a15036ad5010f189b35169d9d1410c1bc14f7d3c6bb1a837027d3855ca0e68e7169186c5f167c5d5f0e5d94797545e

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_lalala.ogg

Filesize
39KB

MD5
b6644c4ca09c91019e7da7155ee3e8fb

SHA1
71311f57b58d2c09f81297b90e04128a31a7713f

SHA256
9bfb9704569ce60e15d5fb05fcc9e4cc305ca4a81edde3ebc6db5b41c78f176e

SHA512
80e8261ffa353fedb09d6cf4eb8bc3dc0dd9e67a689478845f08540cc564bd3bcd209d97f3c949a16497cd9062f32d35aaeb2cb784dc3734090dc2f74b4c1861

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_menu.ogg

Filesize
703KB

MD5
591c2a3ede9efb075780114a40b482b6

SHA1
ce7962649100f1cb3692be37ad8df8e7cb37afcb

SHA256
20dd7b384a2c2531014941a6f903c0c63fff5c891fddc5963603f0448bbe0dc3

SHA512
e7cad34d4b68040b03c3aa8a3f4b45417f5c347990a97814a5096765e808160117217e4d82af662d3b06470d3e93483c74ed113737b010ff06930ad9325b4da9

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\mus_shop.ogg

Filesize
519KB

MD5
45381b93e4c41040719feaa5ae9387bb

SHA1
ab85e2fadd6581c52942dcfb5f35898e2e52859b

SHA256
2501681d0e20884a83b3309d49f24692016a6ab4ea9b3010b635c62162d9df10

SHA512
b89427a11e98b76891bea6d79fea8102e178170e0f1ce0cf4be976337a82ed84859ce8de2c7a2253992f50a6b1ee47c214f415d861ee1b6c9c447ab01ffca007

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\options.ini

Filesize
40B

MD5
f561f2b3e4e0438915c77790648c66ea

SHA1
f684b62a1408960673d1aa590c796932ec3ef19c

SHA256
d2b6d2ed327bcec3e24ba0d814db911b9497ad63c69325d2b25c98b60d03a54a

SHA512
ca107ddb1b69107eb5387a96cb0a8ac577afec9bc1e2e085cc1287273fd938e6cec8701e041670a8a2f36788d87d7c73d1c624152d2e821f461c01f1a4996df6

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_punch1.ogg

Filesize
6KB

MD5
933089d424759f562c025ba13acd8507

SHA1
08e7a400b82118f1b33812590c103b90e550ea5a

SHA256
c742edbcfd6035eb70d544988a8ef695ed9dba0f17b0ce1a3e692e76492cca1f

SHA512
ecf486b840cd7dcda8c8360d41fe105caeb491d3074b56345ab8cb7b2f68ce0da848aa3c7ce69f9e04975b813f985c08d1f0e8424c03cd44436ea052c530a692

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_fullhealth.ogg

Filesize
12KB

MD5
b1a3a64b868f7040a6b9b5ee8ad19aa2

SHA1
44f9c1519e810a144f49ed7f663143b076dfb65c

SHA256
eb8fa4d9905903f321cd7a6c11a6da32c87fa6e6c23c25bfa10f62ab9eff97ba

SHA512
730b6cc5e8f99139ad3be5014d17b4124c74d47551f0db154555e31cc1271685a25be665417a172f6562c705ac0a3028523a5134e7cb97fa6d4a209c9af945c7

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_percs.ogg

Filesize
9KB

MD5
968203083fc4d97c04e9f4fa20b76508

SHA1
e177f45f0af3b7ec720faa03806eea5859f2176b

SHA256
1630fc17c49357383129b060a82053e93ee0d248d6259298fbc1a2e3806ecb11

SHA512
235e4b6717bf8662442b3352d7be48965fe288d60d43b1ea98cd0c7efa1b38abc30bde53e8437294a8454d7d2afebc0a42f3fb9e49cd087367193b3dc2206c2e

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_powerpill.ogg

Filesize
17KB

MD5
2132b550cce1fe880ff8f8b9fb724ddd

SHA1
c8e99e3d90aa1079d8621bbcb140178a68f0b7e9

SHA256
5468148095637d28bd787e223bfe32d4afb45ed8a80b7734a6abaaafb0283e3e

SHA512
a4b9b39cc3b3fad81e0a4d78439f96f89da9a86b2a238ff928fabcc6703c288940d358e85cadac015b05956d8e30b3a7352e9d8c514d1284fd3bd08478343c76

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_speeddown.ogg

Filesize
18KB

MD5
47a236c5b5f55f02488a52d63b055951

SHA1
9293c19ebe752bd118f697870dc645e46e3d17ff

SHA256
80241379db8d1fa1013e8b8fea0a07ff76b69b234bf5374711e476600e9131fc

SHA512
afd8e1c0f2963ddd3265cd7bc7d0a6e115a4158d7008d580d4b0ca9c8e6f45e183750cd7c9d85c173ed87937745284dfa567a38136ec6ff495a4a987169e56bc

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_speedup.ogg

Filesize
16KB

MD5
283b4ef96cfb9b5a23f43c495352ea6c

SHA1
6bfd969f332190d3f72d0ddd5e9fdda38490f70f

SHA256
d635a730d388b7e2e42049bff076fb52e92d0a32089bf61928a1491239260edf

SHA512
8cad89eee6340b8811fdca1ac57275a1b575ad51c8ab142971c220576458b20816d0ef30dc495118c8cdf768f8202db3512444117e3a0518d8bde72ba6203fd8

Download Submit
C:\Users\Admin\AppData\Roaming\I.RULE\version-0.2.0.77\s_voice_wrong.ogg

Filesize
15KB

MD5
9b26d6f5b040afb78e6384b1e5eba1f5

SHA1
4b661e4b1b4500f3771a52973622fa5190413920

SHA256
a442e55d593b262c2a1d4d30e690fd637303ea0a643e0c796d2f3887c2debe68

SHA512
8cd1c3b153b8c1367c69c8dd1f59b24d4073882082d77b15cf8ff1bcd1473ad8406c97b446377a3a1e12ae8e99e061006078f57aca016d1fbbb8a9ba12c9ba41

Download Submit
memory/2560-0-0x00007FFBBFBCB000-0x00007FFBBFBCC000-memory.dmp

Filesize
4KB

Download
memory/2560-2-0x00007FFBBFBCB000-0x00007FFBBFBCC000-memory.dmp

Filesize
4KB

Download