Analysis

  • max time kernel
    135s
  • max time network
    161s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/11/2024, 08:12

General

  • Target

    RPGVXAce_RTP/RTP100/Setup.exe

  • Size

    571KB

  • MD5

    f3a1050bac829eebf38a553db08c02e1

  • SHA1

    8a6a2a4e825b1b9de88791c03d7404e181fb0241

  • SHA256

    3b178f718655dab3c444857b5e6fd755dc611de72dc229de486b3e06d8548fd2

  • SHA512

    9e52b8e46192f72eb06971ee06bad397304db7714df4fd0b8397e2bd9d23c1aacdb10667ec1dfeb3b03b600875656f2a60e3b8582ccb6e86aefcae4a38a895f7

  • SSDEEP

    12288:Z3Mjhv8888888888888W88888888888H09+kjn3bVNyRvh6QoqJh5+B+98LApiag:dMjhQ09+miWQpJh5n98LAoa58h5j

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp" /SL5="$70220,140800,0,C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:4424

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp

          Filesize

          1.1MB

          MD5

          394289faec0a43faea574588cb367018

          SHA1

          b02982a816782c3c16ad5a321dce0a79cab124a2

          SHA256

          89c8d27247ff86f189ebba01e27c47daa184a04c5f002130f9d336ca80d71202

          SHA512

          e99977ed9b3ea6607d347fe3e339cff40e70166db6a93443046cb7e0bc2a6f7c598503a55030f7d9ae0e8ede8b706bb4bd682bbdadf215641247b96bae0d09f4

        • memory/4424-7-0x0000000000400000-0x0000000000526000-memory.dmp

          Filesize

          1.1MB

        • memory/4424-78-0x0000000000400000-0x0000000000526000-memory.dmp

          Filesize

          1.1MB

        • memory/4424-77-0x0000000000400000-0x0000000000526000-memory.dmp

          Filesize

          1.1MB

        • memory/4424-1480-0x0000000000400000-0x0000000000526000-memory.dmp

          Filesize

          1.1MB

        • memory/4424-1582-0x0000000000400000-0x0000000000526000-memory.dmp

          Filesize

          1.1MB

        • memory/4860-0-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

        • memory/4860-2-0x0000000000401000-0x0000000000417000-memory.dmp

          Filesize

          88KB

        • memory/4860-76-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

        • memory/4860-1583-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB