Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2024, 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: Patcher.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Patcher.exe
  Resource: win10v2004-20240802-en
General
Target: Patcher.exe
Size: 680KB
MD5: 39ab727f9310c4ba315a4fe5465a20d0
SHA1: ba9bf74cc2c5a94cf5ba88536443b12815d329ad
SHA256: d6cdbfa51e730c53860d5897438910f5f6a543a24bf6a4d14eaf1395bac0a371
SHA512: 16e9d1e1334defb8cee8e2dee611ab083c4ec7069347b3fe4129041d9ddd5286839243a6f752680829de0dd06671249fb81225eba3e96b24de55aff7f9da6eb2
SSDEEP: 12288:md9de9z5CaDnzGyNPlT2OoyNLQ9/scXNDgv//2jG:G9o91nNFpLqs1v//2i
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (Patcher.exe)
-
Executes dropped EXE (1 IoC)
  PID 1196: rxbot.exe
-
Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\taskmgr.exe (rxbot.exe)
  File created: C:\Windows\SysWOW64\taskmgr.exe (rxbot.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Patcher.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rxbot.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (taskmgr.exe)
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3848: taskmgr.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3848: taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege (PID 3848, taskmgr.exe)
  Token: SeSystemProfilePrivilege (PID 3848, taskmgr.exe)
  Token: SeCreateGlobalPrivilege (PID 3848, taskmgr.exe)
-
Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 3848: taskmgr.exe (64 identical entries)
-
Suspicious use of SendNotifyMessage (64 IoCs)
  PID 3848: taskmgr.exe (64 identical entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2880 (Patcher.exe) wrote to memory of PID 1196, procid_target 86 (3 identical entries)
  PID 1196 (rxbot.exe) wrote to memory of PID 3848, procid_target 96 (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Patcher.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Patcher.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2880
-
  C:\Users\Admin\AppData\Local\Temp\rxbot.exe (depth 2, child of PID 2880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\rxbot.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1196
-
    C:\Windows\SysWOW64\taskmgr.exe (depth 3, child of PID 1196)
    Command line: C:\Windows\system32\taskmgr.exe 1152 "C:\Users\Admin\AppData\Local\Temp\rxbot.exe"
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3848
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 185KB
MD5: eb279ebb903ac0b5a65d1377540621aa
SHA1: 03edfd022a990937c5d6f69b27ca5c89e58ea0e1
SHA256: 89d78f183920b42e703f2bca05c9ed9ae36c68f4b55c540d1aab77549690e88a
SHA512: 240c592f1b8659c09169aee082e8d5f3264c85d25b5a0e26d4a45795e327b86b649c02a0c50442e28afc70be76d3e7ba51f2c7c392c25aff6ab5085f4dfbad08