2af29a5f99c8ab0654dbece76b2e046f66703a4ae8b4ffa9b4071f9aa74523d7

Resubmissions

10-10-2024 02:19

241010-crx4sazhnm 10

Analysis

max time kernel
119s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-10-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples - 10-09-2024/4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe
Size

1.3MB
MD5

ff70a1f34a79565782615cafd20b1b4c
SHA1

580f98f22de58ae61168687a27b1ce82a2d6c4ef
SHA256

4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc
SHA512

3a38f06464dc1dccd5f700dd408f9fe1df8ec1e01006e8ddf6234e8cdde7c41ef18ac763b3a01ddc21226eb91c61c7feed2b9105bbb490388274ba90343f01d6
SSDEEP

24576:tt882ZnrOFvTaphaPKlvwPfzUMLAPw2Eqi/b2fdQMwnk9ZL96/hpyzm:DPFvTGhvlvorUMQBEq62fdZwGpE66

Score

10^/10

discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 232 created 3284	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	52

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hzgyrc = "C:\\Users\\Admin\\AppData\\Roaming\\Hzgyrc.cmd"	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 232 set thread context of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe
Token: SeDebugPrivilege	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80
PID 232 wrote to memory of 2196	232	4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe
  "C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4f43043ac4f71ee0f3416e75534ab2616ae90eb887a083b6f2e39995b334c2bc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmcs\logs24.dat

Filesize
144B

MD5
9e8db588baae2f95565d0f2abf3784e0

SHA1
877a6a5837a4e3700d4d6ab51407d72f64d123b0

SHA256
75fce9de32386b48ca7b97627d289128af7d1cb1ac64614593a40637c69080d2

SHA512
c19e9a91401eea74cdd6c1c7007474ab881a6ee21b79c8f01a397837c8766a05e514ef7126a721ab93646f37561da8751e8a5ee083be67b8247642330d0ecd76

Download Submit
memory/232-42-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-1099-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-6-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-10-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-8-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-24-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-38-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-26-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-36-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-65-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-62-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-66-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-60-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-58-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-57-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-54-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-40-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-50-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-48-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-46-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-44-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/232-32-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-2-0x00000000050E0000-0x00000000051FE000-memory.dmp

Filesize
1.1MB

Download
memory/232-52-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-30-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-28-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-20-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-18-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-16-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-23-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-4-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-14-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-12-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-3-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-1077-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-1078-0x0000000005230000-0x00000000052C8000-memory.dmp

Filesize
608KB

Download
memory/232-1079-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-1080-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/232-1084-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-1085-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-1086-0x0000000005E10000-0x00000000063B6000-memory.dmp

Filesize
5.6MB

Download
memory/232-1087-0x00000000054F0000-0x0000000005544000-memory.dmp

Filesize
336KB

Download
memory/232-1090-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/232-34-0x00000000050E0000-0x00000000051F8000-memory.dmp

Filesize
1.1MB

Download
memory/232-1-0x0000000000470000-0x00000000005C8000-memory.dmp

Filesize
1.3MB

Download