701363ecf4b9d3d1e6f6c1ea457d834c89ea2270317a2b4850c77e80868f5bb5

Analysis

max time kernel
68s
max time network
81s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/08/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rainway_Install.exe
Size

1.7MB
MD5

ad4754db135f7eda022c773a4f11964e
SHA1

99772e856db59c805fd8b89655c58f7774b18401
SHA256

db1e4d06304ed0691430743df480a697818b8b280433010991e07e1462a27e5f
SHA512

1fcf59e62a530c31f740f5ea132fdf0532f7bec7373ff9923e123771fecab6b2e274b5034bfd6f7953fb8259fb47f51d0c8d4cc15f87ff9dde736c5c71777853
SSDEEP

24576:h7FUDowAyrTVE3U5FrBhJN/4QRdZ+Ile0d4JnlfJQzT3Nr1WRB0t9nC6kzPG:hBuZrEUP/RdFgo4JlBUTh4vrdzPG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3668	Rainway_Install.tmp
1576	Rainway.exe
760	Rainway.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 1164	1576	Rainway.exe	96
PID 760 set thread context of 896	760	Rainway.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\Spitfire.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-83EHQ.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\is-7H716.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\is-0BTEO.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-EE781.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-VIUGE.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-01U2T.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\ru\Microsoft.Win32.TaskScheduler.resources.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\EntityFramework.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-0Q5M4.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-NC0K4.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-FTUSB.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-PLFJK.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Microsoft.Data.Services.Client.resources.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\swiftshader\libGLESv2.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-F85CF.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-4TS7E.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\NotificationHelper.exe	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\is-GRM2H.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-5K5KC.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\ru\is-HNMVA.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\vcruntime140_1.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-PBPUA.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\System.Net.Http.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-R0AEV.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-D6BPQ.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-L3CTL.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\DeltaCompressionDotNet.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-J5QJQ.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\it\is-8RK75.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-2M27L.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Microsoft.Win32.TaskScheduler.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\System.IO.Compression.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-NN4N4.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\is-65G46.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\msvcp140_codecvt_ids.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-G44F4.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Microsoft.Extensions.DependencyModel.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\System.Threading.Overlapped.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\is-U4VQ7.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-SPVOE.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-4T72O.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\System.Memory.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\Mono.Cecil.Pdb.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\is-6A7GI.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\swiftshader\is-4TGSB.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\System.Net.Http.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\DeltaCompressionDotNet.PatchApi.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-L6JJK.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Radar\is-O2BJP.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\drivers\is-74BG8.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\libcef.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\Microsoft.Data.Services.Client.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\is-S7LCI.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-HVBMA.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-TVL6R.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-T1463.tmp	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\CefSharp.WinForms.dll	Rainway_Install.tmp
File opened for modification	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\concrt140.dll	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-DK4S6.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-BVP9B.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-CCD7R.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\app-1.0.11\is-43SE2.tmp	Rainway_Install.tmp
File created	C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-0900H.tmp	Rainway_Install.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rainway_Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rainway_Install.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3668	Rainway_Install.tmp
3668	Rainway_Install.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3668	Rainway_Install.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 3668	1868	Rainway_Install.exe	82
PID 1868 wrote to memory of 3668	1868	Rainway_Install.exe	82
PID 1868 wrote to memory of 3668	1868	Rainway_Install.exe	82
PID 3668 wrote to memory of 1576	3668	Rainway_Install.tmp	92
PID 3668 wrote to memory of 1576	3668	Rainway_Install.tmp	92
PID 1576 wrote to memory of 1164	1576	Rainway.exe	96
PID 1576 wrote to memory of 1164	1576	Rainway.exe	96
PID 1576 wrote to memory of 1164	1576	Rainway.exe	96
PID 1576 wrote to memory of 1164	1576	Rainway.exe	96
PID 1576 wrote to memory of 1164	1576	Rainway.exe	96
PID 760 wrote to memory of 896	760	Rainway.exe	97
PID 760 wrote to memory of 896	760	Rainway.exe	97
PID 760 wrote to memory of 896	760	Rainway.exe	97
PID 760 wrote to memory of 896	760	Rainway.exe	97
PID 760 wrote to memory of 896	760	Rainway.exe	97

C:\Users\Admin\AppData\Local\Temp\Rainway_Install.exe
"C:\Users\Admin\AppData\Local\Temp\Rainway_Install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\is-7MUOJ.tmp\Rainway_Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7MUOJ.tmp\Rainway_Install.tmp" /SL5="$B02F8,882176,0,C:\Users\Admin\AppData\Local\Temp\Rainway_Install.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Program Files (x86)\Rainway Inc\Rainway\Rainway.exe
    "C:\Program Files (x86)\Rainway Inc\Rainway\Rainway.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164

C:\Program Files (x86)\Rainway Inc\Rainway\Rainway.exe
"C:\Program Files (x86)\Rainway Inc\Rainway\Rainway.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Rainway Inc\Rainway\drivers\is-74BG8.tmp

Filesize
6.2MB

MD5
63fa7f73aec46c60f6eebbb359faa77e

SHA1
65c30d226fb4b0ac36f4164b1a2b19a45afb34ba

SHA256
bbaacd4552aec4788e09564f37c960d9662fe0a65ace1b0425f06763e1f18a53

SHA512
f149577314076a10131465ab180dcd626755c7a011ff2a941d5e659631a0b2412bc0fd0d91b826a36f28eafa0c7d31d25b87d3e26cf945450d14a49e308c46aa

Download Submit
C:\Program Files (x86)\Rainway Inc\Rainway\locales\is-UNVHC.tmp

Filesize
5.0MB

MD5
806d33a8300e885c3c1a00c6107af8eb

SHA1
123fe310d1d035932b65fac5006209c4dcd692bf

SHA256
9c20fb2ad86a760b0c6aebd9301c9009891d02ae14720a93926c0b535b8ad09b

SHA512
67f10d63e09a19a1110c2c4f4abf057083757045cc8e7b08e94a9d8c46142b7e2ab01cde8783ee02a85fbb912ff9d06541f1117c1df182762207efbb7289c6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MUOJ.tmp\Rainway_Install.tmp

Filesize
3.1MB

MD5
33a23ada2b7453bb28ec9718d03b2264

SHA1
9cc6196f387f974a71e3edbba47d7c0e623f8830

SHA256
c8adab156d15a6f8cdeb85524bbaa39c274e2b29b2fd2669e5a831e1b9bcc8d4

SHA512
2d02fc1116bd6d6c0df7195a8db7b3c3d4c3e29b970854ba4feb98fba2e1e88f76d502625869ee37cd58674af4c72de3be7e78213744c1b24b2cf12630280974

Download Submit
memory/760-758-0x00007FF7E5860000-0x00007FF7E9627000-memory.dmp

Filesize
61.8MB

Download
memory/896-759-0x0000000000B90000-0x0000000000BE8000-memory.dmp

Filesize
352KB

Download
memory/896-757-0x0000000000B90000-0x0000000000BE8000-memory.dmp

Filesize
352KB

Download
memory/1164-753-0x0000000001260000-0x00000000012B8000-memory.dmp

Filesize
352KB

Download
memory/1164-752-0x0000000001260000-0x00000000012B8000-memory.dmp

Filesize
352KB

Download
memory/1576-754-0x00007FF7E5860000-0x00007FF7E9627000-memory.dmp

Filesize
61.8MB

Download
memory/1576-751-0x00007FF7E5860000-0x00007FF7E9627000-memory.dmp

Filesize
61.8MB

Download
memory/1868-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1868-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1868-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1868-739-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3668-9-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3668-738-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3668-728-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3668-56-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3668-11-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3668-6-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download