7cd1ae2db35db94a69542b3dc80b1bb2c4b575b046080924fed4c41a5810ea29

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R2day.exe
Size

2.1MB
MD5

2e0324f62bd0465d890d3b2a269abd8f
SHA1

9d494f771662969c34262bc9deae4493c1ccd2d5
SHA256

2c9082bf3ef8e01b0a9c107166c03d66503c5d7c854175fc1f4e1b6cc91b3dc4
SHA512

f25b12c19fb92521112b69ed3111a8b0749450837f570b930b55556e118645f24322cc1f3651292a15dc13641e48a6e2f8cd746faa25e7ff7bb0f8746f2bc322
SSDEEP

49152:GrX5E3ZnH9qsU43MM7JjPo/0F9fBY2k4gRWlIX9RQP1aJ+4SQMj:GS35MsU43d7xo2SmMWuKafMj

Score

7^/10

aspackv2 discovery persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000012117-5.dat	aspack_v212_v242
behavioral1/files/0x00080000000156a8-11.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
2880	R2day.exe
2684	roky.exe
2868	srt.exe
2608	gt.exe
2196	gem.exe
2236	hk.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	roky.exe
2684	roky.exe
2868	srt.exe
2868	srt.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d0a-18.dat	upx
behavioral1/memory/2868-25-0x0000000000400000-0x0000000000890000-memory.dmp	upx
behavioral1/files/0x0006000000016cab-39.dat	upx
behavioral1/memory/2608-42-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2196-48-0x0000000000400000-0x0000000000890000-memory.dmp	upx
behavioral1/memory/2608-51-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/files/0x0006000000016d4c-59.dat	upx
behavioral1/memory/2196-56-0x0000000002370000-0x00000000023D3000-memory.dmp	upx
behavioral1/memory/2236-65-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2868-63-0x0000000000400000-0x0000000000890000-memory.dmp	upx
behavioral1/memory/2196-67-0x0000000000400000-0x0000000000890000-memory.dmp	upx
behavioral1/memory/2236-70-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvirS = "C:\\Windows\\Nore\\Brt\\AvirS.exe"	gem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvirS = "C:\\Windows\\Nore\\Brt\\AvirS.exe"	gt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvirS = "C:\\Windows\\Nore\\Brt\\AvirS.exe"	srt.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Nore\Brt\AvirS.exe	roky.exe
File created	C:\Windows\Berta\vir\xeks\VektN.pas	srt.exe
File created	C:\Windows\gt.exe	roky.exe
File created	C:\Windows\Fort\Boy\gem.exe	srt.exe
File created	C:\Windows\R2day.exe	R2day.exe
File created	C:\Windows\roky.exe	R2day.exe
File created	C:\Windows\Berta\vir\xeks\VektG.pas	srt.exe
File created	C:\Windows\setnol.dll	gem.exe
File created	C:\Windows\hk.exe	gem.exe
File created	C:\Windows\Modl\Mn\srt.exe	roky.exe
File created	C:\Windows\Berta\vir\xeks\VektM.pas	srt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2day.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2day.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R2day.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2880	R2day.exe
2868	srt.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2316 wrote to memory of 2308	2316	R2day.exe	30
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2880	2308	R2day.exe	31
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2308 wrote to memory of 2684	2308	R2day.exe	32
PID 2684 wrote to memory of 2868	2684	roky.exe	33
PID 2684 wrote to memory of 2868	2684	roky.exe	33
PID 2684 wrote to memory of 2868	2684	roky.exe	33
PID 2684 wrote to memory of 2868	2684	roky.exe	33
PID 2684 wrote to memory of 2608	2684	roky.exe	34
PID 2684 wrote to memory of 2608	2684	roky.exe	34
PID 2684 wrote to memory of 2608	2684	roky.exe	34
PID 2684 wrote to memory of 2608	2684	roky.exe	34
PID 2868 wrote to memory of 2196	2868	srt.exe	35
PID 2868 wrote to memory of 2196	2868	srt.exe	35
PID 2868 wrote to memory of 2196	2868	srt.exe	35
PID 2868 wrote to memory of 2196	2868	srt.exe	35
PID 2196 wrote to memory of 2236	2196	gem.exe	36
PID 2196 wrote to memory of 2236	2196	gem.exe	36
PID 2196 wrote to memory of 2236	2196	gem.exe	36
PID 2196 wrote to memory of 2236	2196	gem.exe	36

C:\Users\Admin\AppData\Local\Temp\R2day.exe
"C:\Users\Admin\AppData\Local\Temp\R2day.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\R2day.exe
  "C:\Users\Admin\AppData\Local\Temp\R2day.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\R2day.exe
    "C:\Windows\R2day.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2880
- - C:\Windows\roky.exe
    C:\Windows\roky.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\Modl\Mn\srt.exe
      C:\Windows\Modl\Mn\srt.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\Fort\Boy\gem.exe
        
        C:\Windows\Fort\Boy\gem.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\hk.exe
        
        C:\Windows\hk.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
  - - C:\Windows\gt.exe
      C:\Windows\gt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\R2day.exe

Filesize
163KB

MD5
4bef74182e4d6b4550c601b5b049d166

SHA1
58ad727a3abaaeb7260535d6f5688cb8c3312fcf

SHA256
224d412a0244453abfb6d853489d4f29d98a4218df869586b88be6873505aa70

SHA512
63cc0378e473d33b74314bfaccd0de8ed4f8038acbc7390fa745beb9c8a834374d8b05ee7ddda5e800d4a9c4d23f0789a437a4e238afcbaf2578ea76973aceb4

Download Submit
C:\Windows\gt.exe

Filesize
157KB

MD5
195b47b76f7cf3ed6bf49e2af6f70860

SHA1
3cf5e663c02ca867ce21401571bf3cff7f5b03c4

SHA256
3235f720055cd57af34d7f99ddb5d02f0db2c56eb5613fab0b57ff17cfc44b6e

SHA512
c90f4b8464b241fa8f86f311d732802465670370dc0dad8213e521a6a97cc87cd652705f48180b00788c3cafd0aaab74c4fa408460fcc9483e71ec4c125a0e3d

Download Submit
C:\Windows\hk.exe

Filesize
149KB

MD5
a9cfb1b7a445cb2f43e06aaf8d7f9222

SHA1
3bd44f45097dfc924d208b9a7559108d74c9e7b5

SHA256
6dee55ad77c57b8a2c59de0e7bae5a2b010f99001c2a12a9cac245b20740aff0

SHA512
fd621958d2d05fb7e9e64f329cf34fa0106e96b5120afa19fb64a5dc275b1796d29beab355201da257b2e596f88e8b2df6db742cb609c850ff4cb19c6da70a49

Download Submit
C:\Windows\roky.exe

Filesize
1.6MB

MD5
d46947c01e8231971c130532d10e34dd

SHA1
891fba9369e91711c6ba33af1111b5bdd675b0db

SHA256
d70c16c63d51ca70d2695e3cf1e374b690ef7cdf8c4f1cc168b63838b551aa44

SHA512
267599f55e6c5d767e855213c52c2a480b774c50e4b9937bb0f14a7dc54fb0575ff1c80475a5939e53e720720d5d50f4cb072dfeb64dcf0ef69e9985f2be1259

Download Submit
C:\Windows\setnol.dll

Filesize
39KB

MD5
237e226454919a417ff1ffcbd2fbfa42

SHA1
589dcc1a96a9fde571522dd0e578e89eceed68fd

SHA256
426001396439254baac79669521864740d74aaa931530cbf053888d2f943085b

SHA512
5be5bc36f40bc28b3e8dae138514d35ab5df19427b1bfb7de7edf62779514a0fa095a6703aab09e6a6fc8366a75b4a730541860b39844700d234f1bf8e2088cc

Download Submit
\Windows\Modl\Mn\srt.exe

Filesize
1.0MB

MD5
39796666097a7fdc86c4f413a441e044

SHA1
2b37e15dfc94e99879071832a7692e5174d604e2

SHA256
f8699157a7dc212e0a3da7500fbe9ffe23accfffae83b294e47f808b14c38253

SHA512
f2b07e8f8e8eb17e56862c9e990c73b9332d42d64b06d5be567043098a186c0e4c90d62e5fe410c171bc3967cd0472246a098930f2a37df43c08ffb2399b46f1

Download Submit
memory/2196-60-0x0000000002370000-0x00000000023D3000-memory.dmp

Filesize
396KB

Download
memory/2196-67-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2196-48-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2196-56-0x0000000002370000-0x00000000023D3000-memory.dmp

Filesize
396KB

Download
memory/2236-70-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2236-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2236-71-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/2236-64-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/2308-13-0x0000000000400000-0x00000000007DF000-memory.dmp

Filesize
3.9MB

Download
memory/2316-26-0x0000000000400000-0x00000000007DF000-memory.dmp

Filesize
3.9MB

Download
memory/2608-42-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2608-51-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2684-22-0x0000000003450000-0x00000000038E0000-memory.dmp

Filesize
4.6MB

Download
memory/2684-52-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2684-37-0x0000000002160000-0x00000000021C9000-memory.dmp

Filesize
420KB

Download
memory/2684-38-0x0000000002160000-0x00000000021C9000-memory.dmp

Filesize
420KB

Download
memory/2684-23-0x0000000003450000-0x00000000038E0000-memory.dmp

Filesize
4.6MB

Download
memory/2868-63-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2868-49-0x0000000003EF0000-0x0000000004380000-memory.dmp

Filesize
4.6MB

Download
memory/2868-25-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2880-66-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads