754a1194c21c5f50675f0025927d6fcd8eba11047b9fc6a1c028f4855052c1b0

Analysis

max time kernel
146s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X1 RGB.exe
Size

1.8MB
MD5

0f58576b89ed4fbc469fb50e1de0b132
SHA1

b455cf634d174382a9f38e98e769cb6194e3c26d
SHA256

11b8cbedd2b4e2d1d96f3416522efada40d524ae45e734d0e6fac83980b86a53
SHA512

b020501021db99ac44f0f70c26c90b261d56c12ac6187d555a343726571f29ff3857ac49044f4d389f0562fc00b212132f1c76192490453ee54c26b51962f070
SSDEEP

49152:2MU6aQEeTTPrGFO97TbjdQ5gKCGXwGqKUzIZiLiu6QK7d3:XlRT6FO97Ta5gKCGXwGqzzIMLi3

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS	X1 RGB.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	4988	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X1 RGB.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4988	X1 RGB.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4988	X1 RGB.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2684	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4988	X1 RGB.exe
4988	X1 RGB.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4988	X1 RGB.exe
4988	X1 RGB.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	X1 RGB.exe

C:\Users\Admin\AppData\Local\Temp\X1 RGB.exe
"C:\Users\Admin\AppData\Local\Temp\X1 RGB.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1348
  2⤵
  - Program crash
  PID:1864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\system\x1_log.ini.lock

Filesize
21B

MD5
5fd905c933c0074ab4a9d9af9e3adc7a

SHA1
890b41cb511c52ce1a51a1f83c7832c37c9a24de

SHA256
843bde256c350f22899a769808285919ae6a5477030de3a7d9d6862471cd2057

SHA512
cbd6e5ffa74ec0bf3f40ac43cb0f427f9c7c0afa1255d4bb216f4c7b925af9d4d2003c0cd3d122d83e8b64a79d4f9247f1c4cef7d3e568fe6ed83a342216f8a9

Download Submit
C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS

Filesize
26KB

MD5
ef558a02d734a1403583e95cceec2487

SHA1
799bd9b507484bd02c6795f463609f65540a6400

SHA256
f0d052daf48a62e4a90d067bfcb5ee9563804de68d0ea82e0e11c8d16ad19d29

SHA512
22d1869be7b9acf62a266df42c750feea905265d48b642c6de04ae61485eed0454b3f04b658152d6495f7c1c8498ea545f4069ce6131d526a758bcca03a64753

Download Submit
memory/4988-56-0x0000000004920000-0x0000000004BA1000-memory.dmp

Filesize
2.5MB

Download
memory/4988-55-0x0000000004920000-0x0000000004BA1000-memory.dmp

Filesize
2.5MB

Download
memory/4988-85-0x0000000004920000-0x0000000004BA1000-memory.dmp

Filesize
2.5MB

Download