07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe
Size

1.9MB
MD5

e313218796f47af030d34e60590eb180
SHA1

2d22bec5d653d2dd4e2f6e6bd6c17da9892ff1b9
SHA256

07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435
SHA512

062dab0cbbe847a38349846e7f241f1c99f72cb317113509d6aa42f24ef07267138e91cf29876a9760cf28f7859915e8fa970d60fe0e2d9657cfdaa25538b34b
SSDEEP

49152:oTl+Ffl0KCV8rEKbhHJikCz/NqoNcugBhnem0Xy:oTl+xLRHAVLVNcpipi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	RAVEndPointProtection-installer.exe

Loads dropped DLL 1 IoCs

pid	Process
744	07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	RAVEndPointProtection-installer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2632	744	07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe	83
PID 744 wrote to memory of 2632	744	07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe	83

C:\Users\Admin\AppData\Local\Temp\07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe
"C:\Users\Admin\AppData\Local\Temp\07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\RAVEndPointProtection-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\07aab4b73e6ddfdc331481b36c9ec94b0da42cac81eb50f6c50aeb0fd211a435.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\RAVEndPointProtection-installer.exe

Filesize
538KB

MD5
31cb221abd09084bf10c8d6acf976a21

SHA1
1214ac59242841b65eaa5fd78c6bed0c2a909a9b

SHA256
1bbba4dba3eb631909ba4b222d903293f70f7d6e1f2c9f52ae0cfca4e168bd0b

SHA512
502b3acf5306a83cb6c6a917e194ffdce8d3c8985c4488569e59bce02f9562b71e454da53fd4605946d35c344aa4e67667c500ebcd6d1a166f16edbc482ba671

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\rsAtom.dll

Filesize
156KB

MD5
16d9a46099809ac76ef74a007cf5e720

SHA1
e4870bf8cef67a09103385b03072f41145baf458

SHA256
58fec0c60d25f836d17e346b07d14038617ae55a5a13adfca13e2937065958f6

SHA512
10247771c77057fa82c1c2dc4d6dfb0f2ab7680cd006dbfa0f9fb93986d2bb37a7f981676cea35aca5068c183c16334f482555f22c9d5a5223d032d5c84b04f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\rsJSON.dll

Filesize
217KB

MD5
afd0aa2d81db53a742083b0295ae6c63

SHA1
840809a937851e5199f28a6e2d433bca08f18a4f

SHA256
1b55a9dd09b1cd51a6b1d971d1551233fa2d932bdea793d0743616a4f3edb257

SHA512
405e0cbcfff6203ea1224a81fb40bbefa65db59a08baa1b4f3f771240c33416c906a87566a996707ae32e75512abe470aec25820682f0bcf58ccc087a14699ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\rsLogger.dll

Filesize
176KB

MD5
4ece9fa3258b1227842c32f8b82299c0

SHA1
4fdd1a397497e1bff6306f68105c9cecb8041599

SHA256
61e85b501cf8c0f725c5b03c323320e6ee187e84f166d8f9deaf93b2ea6ca0ef

SHA512
a923bce293f8af2f2a34e789d6a2f1419dc4b3d760b46df49561948aa917bb244eda6da933290cd36b22121aad126a23d70de99bb663d4c4055280646ec6c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F9F.tmp\rsStubLib.dll

Filesize
248KB

MD5
98f73ae19c98b734bdbe9dba30e31351

SHA1
9c656eb736d9fd68d3af64f6074f8bf41c7a727e

SHA256
944259d12065d301955931c79a8ae434c3ebccdcbfad5e545bab71765edc9239

SHA512
8ad15ef9897e2ffe83b6d0caf2fac09b4eb36d21768d5350b7e003c63cd19f623024cd73ac651d555e1c48019b94fa7746a6c252cc6b78fdffdab6cb11574a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8F8F.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
memory/2632-71-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-74-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-64-0x000001DD78600000-0x000001DD78640000-memory.dmp

Filesize
256KB

Download
memory/2632-69-0x000001DD78840000-0x000001DD7887A000-memory.dmp

Filesize
232KB

Download
memory/2632-70-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-68-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-62-0x000001DD769C0000-0x000001DD76A48000-memory.dmp

Filesize
544KB

Download
memory/2632-73-0x000001DD78880000-0x000001DD788AA000-memory.dmp

Filesize
168KB

Download
memory/2632-61-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

Filesize
8KB

Download
memory/2632-66-0x000001DD78640000-0x000001DD78670000-memory.dmp

Filesize
192KB

Download
memory/2632-75-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-76-0x000001DD790E0000-0x000001DD790E8000-memory.dmp

Filesize
32KB

Download
memory/2632-77-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-79-0x000001DD790F0000-0x000001DD790FE000-memory.dmp

Filesize
56KB

Download
memory/2632-78-0x000001DD7ABF0000-0x000001DD7AC28000-memory.dmp

Filesize
224KB

Download
memory/2632-80-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download
memory/2632-81-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

Filesize
8KB

Download
memory/2632-82-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

Filesize
10.8MB

Download