6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b

Resubmissions

02/08/2024, 15:39

240802-s3t49svclf 8

02/08/2024, 15:32

240802-syqlaazcmn 6

02/08/2024, 15:28

240802-swdhyavalh 8

02/08/2024, 15:24

240802-ss9rzathna 8

Analysis

max time kernel
100s
max time network
101s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/08/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AndroidSideloader.exe
Size

4.1MB
MD5

b7fa8a83dd1c92d93679c58d06691369
SHA1

0cff7bb71ff43ee92172f30566d8ee1b043129fc
SHA256

6cf2bcdb1a463fc69eddb125eba8cc12854ee23effcd7c65b968667c668a7f0b
SHA512

d74f8450f1fda260d0176ceba347bde6ad58b24a09eaac3cc921e20236a11707cab2f5eaee3bb10907c387d67efbcb66d823ae052b1317f3e953c4984a2b94b8
SSDEEP

24576:JUjV//Ppn/JcDJ7bdukqjVnlqud+/2P+AXg:S5//Rn/QJ7bYkqXfd+/9AQ

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2268	7z.exe
4504	7z.exe
2216	adb.exe
3596	adb.exe
3892	adb.exe
2364	rclone.exe
988	rclone.exe
1268	7z.exe
3484	adb.exe
4772	adb.exe
5016	adb.exe
972	adb.exe
2520	adb.exe

Loads dropped DLL 16 IoCs

pid	Process
2216	adb.exe
2216	adb.exe
3596	adb.exe
3596	adb.exe
3892	adb.exe
3892	adb.exe
3484	adb.exe
3484	adb.exe
4772	adb.exe
4772	adb.exe
5016	adb.exe
5016	adb.exe
972	adb.exe
972	adb.exe
2520	adb.exe
2520	adb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AndroidSideloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9	AndroidSideloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9\Blob = 030000000100000014000000ca7788c32da1e4b7863a4fb57d00b55ddacbc7f91400000001000000140000003ae10986d4cf19c29676744976dce035c663639a04000000010000001000000042f8529fe545103fdd848980a8647f290f0000000100000030000000ed080184c5a30d366162d70be6fbb98ed70ace8650c3b7bccc7687cddaffb50f7d12eea1a961cc6f7fd0da9b3422f9fa19000000010000001000000076935b5c5a037216daaf8aac76df42c15c0000000100000004000000800100001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000d7030000308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f726974793076301006072a8648ce3d020106052b81040022036200041aac545aa9f96823e77ad5246f53c65ad84babc6d5b6d1e67371aedd9cd60c61fddba08903b80514ec57ceee5d3fe221b3cef7d48a79e0a3837e2d97d061c4f199dc259163ab7f30a3b470e2c7a1339cf3bf2e5c53b15fb37d327f8a34e37979a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604143ae10986d4cf19c29676744976dce035c663639a300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010019eceb9d892c200b04801d18de429972991632bd0e9c755b2c15e229406deeff72dbdbab901f8c95f28a3d087242895007e239156c0187d9161af5c0752bc5e6561107dfd898bc7c9f1939df8bca006473bc46109b93238dbe16c32e08829c863374763b284c8d034285b3e2b22342d51f7a756a1ad17caa6721c4333a396d53c9a2ed6222a8bbe2556c996c436b9197d10c0b93021dd2bc697749e61b4df7bf147803b0a6ba0bb4e1857f2fdc423bad740148ded66ce11998095e0ab36747fe1ce0d5c128ef4a8b44312604378d8974362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff7	AndroidSideloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AndroidSideloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AndroidSideloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AndroidSideloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678	AndroidSideloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678\Blob = 0300000001000000140000007f95276d4951499fd756df344aa24fb38ceaf6781400000001000000140000000f6be64bce3947aef67e901e79f0309192c85fa3040000000100000010000000ee39380f325cf0c51f4c6f7be0a4c8990f000000010000003000000011634607adf75b5e2bb0c3f38525f19b8cb00415cf48940a83e1da5b90dbf3d251de3a2659675838654f1705ba8fe7411900000001000000100000007818fd06fa225d60f1172f1ef2efcebf5c00000001000000040000008001000018000000010000001000000076935b5c5a037216daaf8aac76df42c1200000000100000089030000308203853082030ca003020102021023b76de3c1bb2b1a51961e08eab764e8300a06082a8648ce3d040303308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f72697479301e170d3230303133303030303030305a170d3330303132393233353935395a304b310b30090603550406130241543110300e060355040a13075a65726f53534c312a3028060355040313215a65726f53534c2045434320446f6d61696e2053656375726520536974652043413076301006072a8648ce3d020106052b8104002203620004364161172b5325edaaca94e4d6da4857ef50ba846482d7bb051bd61f0624f6a5339d8ce7f10b5568638230105f8d65ecaaa8af97cab586ce30018974dee34e5e016eee267bcc53fa23a4f7441d3e4d1e5f66a6ad85f6f2e3bc8e099880248e20a382017530820171301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604140f6be64bce3947aef67e901e79f0309192c85fa3300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102024e3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374454343416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300a06082a8648ce3d040303036700306402302470540f01c940ddc854d96d54cac808ca984374d83ff4d7a95f6df261b9700a261b6330a88b319cbf77ec67b07fa588023025adaba4b0ee8d52e0dd0d7c9ddf7d1daee25c649c74f87e63e5c14e601686b0a75e196eec08c691d8fb0314a1a595ab	AndroidSideloader.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2364	rclone.exe
2364	rclone.exe
2364	rclone.exe
2364	rclone.exe
988	rclone.exe
988	rclone.exe
988	rclone.exe
988	rclone.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	AndroidSideloader.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	AndroidSideloader.exe
Token: SeRestorePrivilege	2268	7z.exe
Token: 35	2268	7z.exe
Token: SeSecurityPrivilege	2268	7z.exe
Token: SeSecurityPrivilege	2268	7z.exe
Token: SeRestorePrivilege	4504	7z.exe
Token: 35	4504	7z.exe
Token: SeSecurityPrivilege	4504	7z.exe
Token: SeSecurityPrivilege	4504	7z.exe
Token: SeDebugPrivilege	2364	rclone.exe
Token: SeDebugPrivilege	988	rclone.exe
Token: SeRestorePrivilege	1268	7z.exe
Token: 35	1268	7z.exe
Token: SeSecurityPrivilege	1268	7z.exe
Token: SeSecurityPrivilege	1268	7z.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2268	3104	AndroidSideloader.exe	73
PID 3104 wrote to memory of 2268	3104	AndroidSideloader.exe	73
PID 3104 wrote to memory of 4504	3104	AndroidSideloader.exe	77
PID 3104 wrote to memory of 4504	3104	AndroidSideloader.exe	77
PID 3104 wrote to memory of 2216	3104	AndroidSideloader.exe	79
PID 3104 wrote to memory of 2216	3104	AndroidSideloader.exe	79
PID 3104 wrote to memory of 2216	3104	AndroidSideloader.exe	79
PID 3104 wrote to memory of 3596	3104	AndroidSideloader.exe	81
PID 3104 wrote to memory of 3596	3104	AndroidSideloader.exe	81
PID 3104 wrote to memory of 3596	3104	AndroidSideloader.exe	81
PID 3596 wrote to memory of 3892	3596	adb.exe	83
PID 3596 wrote to memory of 3892	3596	adb.exe	83
PID 3596 wrote to memory of 3892	3596	adb.exe	83
PID 3104 wrote to memory of 2364	3104	AndroidSideloader.exe	84
PID 3104 wrote to memory of 2364	3104	AndroidSideloader.exe	84
PID 3104 wrote to memory of 988	3104	AndroidSideloader.exe	86
PID 3104 wrote to memory of 988	3104	AndroidSideloader.exe	86
PID 3104 wrote to memory of 1268	3104	AndroidSideloader.exe	88
PID 3104 wrote to memory of 1268	3104	AndroidSideloader.exe	88
PID 3104 wrote to memory of 3484	3104	AndroidSideloader.exe	90
PID 3104 wrote to memory of 3484	3104	AndroidSideloader.exe	90
PID 3104 wrote to memory of 3484	3104	AndroidSideloader.exe	90
PID 3104 wrote to memory of 4772	3104	AndroidSideloader.exe	92
PID 3104 wrote to memory of 4772	3104	AndroidSideloader.exe	92
PID 3104 wrote to memory of 4772	3104	AndroidSideloader.exe	92
PID 3104 wrote to memory of 5016	3104	AndroidSideloader.exe	94
PID 3104 wrote to memory of 5016	3104	AndroidSideloader.exe	94
PID 3104 wrote to memory of 5016	3104	AndroidSideloader.exe	94
PID 3104 wrote to memory of 972	3104	AndroidSideloader.exe	96
PID 3104 wrote to memory of 972	3104	AndroidSideloader.exe	96
PID 3104 wrote to memory of 972	3104	AndroidSideloader.exe	96
PID 3104 wrote to memory of 2520	3104	AndroidSideloader.exe	98
PID 3104 wrote to memory of 2520	3104	AndroidSideloader.exe	98
PID 3104 wrote to memory of 2520	3104	AndroidSideloader.exe	98

C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe
"C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dependencies.7z" -y -o"C:\RSL\platform-tools" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\rclone.zip" -y -o"C:\Users\Admin\AppData\Local\Temp" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" kill-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" start-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\RSL\platform-tools\adb.exe
    adb -L tcp:5037 fork-server server --reply-fd 556
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3892
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" listremotes --config vrp.download.config
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" sync ":http:/meta.7z" "C:\Users\Admin\AppData\Local\Temp" --http-url https://theapp.vrrookie.xyz/ --tpslimit 1.0 --tpslimit-burst 3
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\meta.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\meta" -p"gL59VfgPxoHR" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" devices
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3484
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell df
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4772
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell dumpsys battery
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5016
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell pm list packages -3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:972
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell df
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2520

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8b552172d27f454b972c58d6d802100d /t 2948 /p 3104
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RSL\platform-tools\adb.exe

Filesize
5.6MB

MD5
64daf7cca61d468d26a407d79a7c26a9

SHA1
51b451089e73c9a03e2f24ab2fc81896d48c6126

SHA256
997324a38d89e3b282306bf25ccaa167c49a35850ac0ab4a169e7a15afa82fc8

SHA512
5a7bd06326e8ee868a2e6c724bc74bd290acaa00f3442807d3f69489a374a13a3cb41fbaf929c79525bdac319bd9a64ecfaf3cbdb6585ae332a485e911d8370d

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\bvqu15zy.newcfg

Filesize
2KB

MD5
37eaaf95b5a321d3656b57171a8ae170

SHA1
b419b6eb085277f3be9b02c638f3e842e97c3f5d

SHA256
16d8cdd04327af20c20507e3c2bca6f9f39fdc2329e5f10273e53961e0dff71b

SHA512
165e849c4e8e0f858b77993d6757a984e5aab608cab9858e8378a3d2b5198f718fe47668c10228041017ed550ddf51bb4a43465b263d8eb8bc6f4a344d984f9b

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\rnodebly.newcfg

Filesize
3KB

MD5
6e10f625d2d0d9c5e43739c534fd0ce0

SHA1
684417df5289afe7d6955cf61a631bb6abcb2b9e

SHA256
19425b5c3bb3d5e1dc5784579fe596760571b63ef1b4307cc15bbbcba66255c4

SHA512
21ebb846b6ac6681097d5790d03795b250fa29fac5d18e046a69e0dfc0bfb5ae885f20129b311c0832255d0ffcf8d96b8528fa7f5d6ef646b44d1a1edd70e2c7

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\s1dipnb2.newcfg

Filesize
3KB

MD5
9755459466951f0e3e488331dc87e76a

SHA1
3a3ca15b5cc7daab61d36e0bf90c85a4e248c28f

SHA256
7833a15e4fb05ae2055da10b1915503e9c9f4e849b6a246d81079259697bb17f

SHA512
adf1f8abf853dbf80b2c9213fc332113e603dd7b9fb87b0226e50780bddc788e6eedceee5f5acefae67f0d7a9a61c91593c6eefb78dcb77fb32117be817cd4b7

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
838B

MD5
6dc22626c68e39d1f7a92bc247d064fa

SHA1
06d72094b8ccfb2cd09e3b04fa79cd2f4efbb40c

SHA256
5b1cfb327e8e4f605cdb650526ab442cc846ce97cfdc51d1da23dfecb3abdf60

SHA512
09858fce9752da51c915859873510c5f115b8d2b2ffa9b3bfe8bee20b804de1fe3ef8bbe5448b2374d6089af29e9d7914e0098df675e5eef240d4f1649a0db72

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
3KB

MD5
f9c268cc322394d5ac71882a985eac85

SHA1
54de512defa7f2aac16c7ab2cdffa72750c61d5a

SHA256
926e8dbe4c122f55c2ad68ee4b5f0188c96e6ad28c92b46e47d3f14667efb59d

SHA512
ba8f465911fc7a93789f732779c092720652be6f7e8b305c4988b7a188cb23834506ee428f0efd9ced86e01774cec1aeb007e35fb399175c57ad684081506390

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
8c39d519fb3e7a203babdcad03142604

SHA1
3dc53bd284edd9917586dedd5b71f27255cdae1c

SHA256
063644efeac893b9ab1f08c0740b9e72656d3b21a0c0e50f303ea061af5a0444

SHA512
367a572086174822ee0f3c9783092035fcfbf6630f8948e5dd9f3782f5d9a1a23d75a0a492143e5fd007c612a4facef430d912c6b0815df7985bc9a9799320f8

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
3acb840234590aaf5fea1c4d407620a5

SHA1
94b34faa229a359491bf83cd92ffe922f33a5473

SHA256
dfc30bd71ee147f506f2358e1940359ec003df0192efd1683f69815626eafbfb

SHA512
119dc8f9f6c0eae4d031d957969cda06e58dab8bc8ce08c485aaad16d4799ac7d1f2213be85ff8fc6afb6bf4e6d65f841c84bb77f32aa8975ea95ed87c3ac3a1

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
976b88126d43dfc4f37b4e9a758a34f2

SHA1
51bc037d1cfcbb43dc6f745be644846254a54fed

SHA256
734fce623c01939f25843b2e81575e709103ee4a4b6fc3af445eb22fa3fa819b

SHA512
9fe7221cdd22557179624ab2ac4727ec576bbe51b0d0cf469d521d7fcc34724e49a26e4138a6a3dcacc997e8ca18095e559784be9aaf0307ca151cc5e5f05d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
1.2MB

MD5
1a7eaa1dab7867e15d7800ae0b5af5e3

SHA1
9e6d344bd8724aa1862f4254d8c42b7cc929a797

SHA256
356bea8b6e9eb84dfa0dd8674e7c03428c641a47789df605c5bea0730de4aed2

SHA512
a12373ec7ec4bac3421363f70cc593f4334b4bb5a5c917e050a45090220fab002c36ba8b03be81159fd70955b4680146c9469e44ddf75a901465d6b1231ee6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dependencies.7z

Filesize
5.5MB

MD5
54850eca0050c5468f712187828655ce

SHA1
30607a286efe050f9387f3127888b4073595d1a1

SHA256
06e1523a9cc9be6bd9d7a33c2720519d1a071747222f044bdf0c4d590a508575

SHA512
40d575da0d48f6b0ab7dbeabf68a4b40551157671e34f5669fe2627fe51d8f623e00adcff24df6abf9ea765dd02ffdcca2783b73f617ee0fb1fca1a88f0d4675

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta.7z

Filesize
28.8MB

MD5
8c12c1d81c3ba5477893b0578877a515

SHA1
85b9556829b41b165ac4e8e1ca1975e659441119

SHA256
492d2e4d0e013a5792dd68dbc7793383745e9d0a52863c3108eef280add70b00

SHA512
2ce9d55d207801ad3005b39029ccc55235e99d77556bc9e68cc2f44e7501bee3e6472411bf120a052072ee383610cdc8a82aa0b07abe9e6874215fadcbdf1665

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\Fix-it Ralph VR v2+2 -ByteUs.txt

Filesize
24B

MD5
95ecadb6472bf8d2b5e29c19ff7b6aec

SHA1
d418d8d05f1cac3547d233744d765c2100c53f26

SHA256
922180290a957b2db5cbd885f952df998245de0cbc9c0795a58c93c86f20c530

SHA512
c8c31b23989f5392a25d32b2fd1c14c8ad3cdb58117c509ec33ff7a70b3551a5914c0882c593b27ef36e6e96ce86b490d96d9bf5261b9094799ebd874864e3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\ForeVR Pool v926+2.0.926 -NIF.txt

Filesize
12B

MD5
5db92c491778fc426d102a6cdccde39d

SHA1
725c01af9d4fe1f53a8f22da3185c6fb0fbfa417

SHA256
124a4f8420dae0a5ebf04ce715399de35dbc8817143225113e4f6f05f6c6f524

SHA512
ecd97119339b44c8e7eebcbf4604ef40edca13edc5ade502def9b840e477943c401acb2ed420f13c4e9091d00e88639b327924dde2ee60c9abb3c68b09e06214

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\Holotanks (BETA) v169+1.102 -VRP.txt

Filesize
83B

MD5
a013a807855d864175a73f8db56eaf05

SHA1
ccd8405bcfb4d5b83d3aa6b51c56f3707b534e97

SHA256
77a3b8cdee01f86f3a7043296253215c4e05fd1b27a836d17c03fee0b3ec2c80

SHA512
7eed4b8422b5e63e8bab01365b42cacb8f1c16a70000de22e4e2879ca13d044e1c7a04974c4bb9ebdd7b7ba1eb5f4fb061260662e9216190b7677a843d0360a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\XRWorkout v15066+1.1b -VRP.txt

Filesize
40B

MD5
441cdaca186f101873ef0c671fde2d09

SHA1
e35c737a520fa4254718fdd3d93061635ff90948

SHA256
277e5de7af35dfcac250238a9fa211a4653c9cec84af371ed0bf5927bcece784

SHA512
3410fd95390c1c8095e5b24dac5bfaa7f9cac32b9ad25a06d1b9ff8a8af9aa4400429736f24bff8bfba765995d41990b8f4f3794d30f570accae764c7f59f1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\VRP-GameList.txt

Filesize
179KB

MD5
e337ef7830cd4d7875962f3a79bd8c60

SHA1
5ed7b224d8bd474044105e1417c63821580b15e3

SHA256
c4df73df4b1a5aa451dfd1b5c1ccfa3f1cb7201514e2bbf1511bc1aea839e8cc

SHA512
a28534e0ae445c0af80be4760d0a47ac20bc2a50a48193ef3526bedca8e736b6e56e110f15102cecc4c49ac32fb8165dd8996d0ffa3dd06a727d3f19e7af5d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouns\blacklist.txt

Filesize
265KB

MD5
56beb39a23e0bf6bcebeb4f94eb7f08a

SHA1
73294d5582ac4fdbc3c6928cf54414cb55a6fa71

SHA256
01e9beed0d7443c2b979b60b72780d8df20e79dcfba64f3afe09235147c5bd20

SHA512
eb46cb36c12ee549135c5426a9fd94fa4d7e9efe8d6748b0642e42a6f00381aa6f80c6457a9801f16054cbacf27e21cc88e41cf9c9049c082be2c0d403e18b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone.zip

Filesize
20.1MB

MD5
10babe225d85f3da58ee8cc260b63793

SHA1
900da981ad757c5b8696b71475341c9228e84be9

SHA256
8e8bb13fb0d7beb316487ecde8ead5426784cdcdbf8b4d8dd381c6fe8c7d92a0

SHA512
d771c4631b607fc447be37d2ee266859dec4e09aa5544559edff2dea6d277ac9a28792ef1d12875c51b48773e155a983633b9f7ad59e14a36fb36de4d7fe9246

Download Submit
\RSL\platform-tools\AdbWinApi.dll

Filesize
105KB

MD5
d79a7c0a425f768fc9f9bcf2aa144d8f

SHA1
3da9e4c4566bd6d4efeeaf7ceab9e9e83f2f67e5

SHA256
1ad523231de449af3ba0e8664d3af332f0c5cc4f09141691ca05e35368fa811a

SHA512
ff650b98ecc55df6c2cb1b22221b1e71d63c01324f8a8b0f05f1497f5416131f7c33ef2ea17ed323cb2bfdbe7ae1824474544434899d2cb89e9c8c00db7dbb15

Download Submit
\RSL\platform-tools\AdbWinUsbApi.dll

Filesize
71KB

MD5
e6e1716f53624aff7dbce5891334669a

SHA1
9c17f50ba4c8e5db9c1118d164995379f8d686fb

SHA256
51a61758a6f1f13dd36530199c0d65e227cd9d43765372b2942944cc3296ca2c

SHA512
c47392b6f7d701e78f78e0b0ddce5508ab8d247a4095391e77cd665e955f4938e412ffcb6076534dcad287af4f78d84668496935e71b9bb46a98401522815eb9

Download Submit
memory/3104-41-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-2-0x00000000059D0000-0x0000000005ECE000-memory.dmp

Filesize
5.0MB

Download
memory/3104-6-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-3-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/3104-8-0x0000000005690000-0x000000000569C000-memory.dmp

Filesize
48KB

Download
memory/3104-0-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3104-162-0x000000000A610000-0x000000000A6C2000-memory.dmp

Filesize
712KB

Download
memory/3104-165-0x00000000083F0000-0x0000000008412000-memory.dmp

Filesize
136KB

Download
memory/3104-166-0x0000000008420000-0x0000000008770000-memory.dmp

Filesize
3.3MB

Download
memory/3104-7-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/3104-10-0x0000000005800000-0x000000000588E000-memory.dmp

Filesize
568KB

Download
memory/3104-40-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-38-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-37-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3104-34-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-33-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-1-0x00000000007C0000-0x0000000000BE2000-memory.dmp

Filesize
4.1MB

Download
memory/3104-9-0x0000000005780000-0x000000000578E000-memory.dmp

Filesize
56KB

Download