ec4eb14e72654eb14002e1eb67b212c0109ec5e0057b0f9a1e9d8535eab8137f

General

Target

RBX Alt Manager.exe
Size

4.4MB
MD5

db3a0207dd39b1692cbd150500e09f44
SHA1

fb68e8a9b61c9d1d4b4eabbb4e9130913758805a
SHA256

ec4eb14e72654eb14002e1eb67b212c0109ec5e0057b0f9a1e9d8535eab8137f
SHA512

f347302572881e476ca3c629f608ad98252aa85f3b1472e638fb1cf6db6cd9735d7d8b491aff2a43016efc2f4a592b21c5b1fd7ef45ff780bc3f3e734f9db623
SSDEEP

98304:R2bT1QzcmapX3TJcKGFjy4uJkqXf0Fk7WSgyO9W7:SQzWNdcKbdkSIk7DgyO9W

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	RBX Alt Manager.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 5048	4536	RBX Alt Manager.exe	87
PID 4536 wrote to memory of 5048	4536	RBX Alt Manager.exe	87
PID 4536 wrote to memory of 5048	4536	RBX Alt Manager.exe	87

C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
"C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RBX Alt Manager.exe.log

Filesize
1KB

MD5
49dba8ccb51a2b61192f2d0d076a9a94

SHA1
4d8a8fd2024145fe92decadfc0571344b7309e12

SHA256
239831e68c7d70c4712d4b6e0ef47f646e764b5cd259c97b4e8d25a9ef8f67cf

SHA512
76a7ebc2351cda876cf5b25f0d74514a2a74f0199df58cb31d5da340abad67959bceedd7aa9c4cdb2c4e97ae215b9c595bbb4ac1ec16fb6344b16e561eba2706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
307B

MD5
2a40dbc9b944150983d9e1fc489660bf

SHA1
6ddc216f371c65d0c9a0aa740dec5a2dc52bd425

SHA256
ce43e6b7695d95fe16a61fed950a40e86b8b7179ae15af812375b8b2b15c7899

SHA512
12a1aa7fee2629d6d215c16199b7e267b28e0f405a1b014e97db584d371e629e1619804a3c09c7d45cb09fb9d76a0dbaf55bcb4374c807f5916db9d54bff3bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe.config

Filesize
2KB

MD5
3af58cc4ea567ff23275857a7662903b

SHA1
14cc53e5aaf65da4315436c9b85768ae04e94569

SHA256
b19b7fdd8aa951e1ad15cf5f2c901f1c0a2c9b86a87added6268a72c97d1aa88

SHA512
6d277743a1ac3fd520aa3e9dc2d3b6c8346d7f0dc2742ed716ae55ebd660e1cbe9bb754639cbda0d31561982bb89efd44c2328f382c27eb092339d0709dad253

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
933B

MD5
083c9613bea87bb1dcbf9bfee2c666fe

SHA1
7d310e72288eb118f3930664f835028084d999bf

SHA256
1480054437115d21b16e161d0b58bb8670831abf2aa5f21fc59b46afc01dbef9

SHA512
c9163d1802c5b53fe5fd57fa3ecc7e37d082fd6cb6d31fc98b8fe045ff422ee54cd0ebc43848cf823795f41aaaf0bd9cc775f652ed5bf7822bed49e66c69f360

Download Submit
memory/4536-17-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/4536-6-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4536-2-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/4536-8-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/4536-12-0x0000000006680000-0x0000000006806000-memory.dmp

Filesize
1.5MB

Download
memory/4536-4-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-1-0x00000000005F0000-0x0000000000A50000-memory.dmp

Filesize
4.4MB

Download
memory/4536-5-0x0000000005460000-0x0000000005474000-memory.dmp

Filesize
80KB

Download
memory/4536-3-0x0000000005410000-0x0000000005456000-memory.dmp

Filesize
280KB

Download
memory/4536-7-0x0000000005A80000-0x0000000005B96000-memory.dmp

Filesize
1.1MB

Download
memory/5048-18-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-20-0x00000000057C0000-0x00000000057D4000-memory.dmp

Filesize
80KB

Download
memory/5048-21-0x0000000006C70000-0x0000000006CE4000-memory.dmp

Filesize
464KB

Download
memory/5048-22-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

Filesize
40KB

Download
memory/5048-16-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-24-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-25-0x0000000007B60000-0x0000000007B94000-memory.dmp

Filesize
208KB

Download
memory/5048-26-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing