b0729f86a27d429bbd1d10ce633b43ca2c60de8f0a59ed9f48517caab1d7a080

Analysis

max time kernel
301s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFSL_6617.html
Size

952KB
MD5

82f42fb8a5089ec93b62bbd6f6ce01c9
SHA1

25808c912e26461e234dd786f345525cb8914134
SHA256

b0729f86a27d429bbd1d10ce633b43ca2c60de8f0a59ed9f48517caab1d7a080
SHA512

3c1a65b96c895c896afc68a3175d318e593bc18bf78d9edff7b9a2dc1e96d78169cb677010b4f63931c5da9e71213d020563b3091407b490f92a2d6ecdafc54b
SSDEEP

12288:Yva4lvoWCJju7lEAd55XjTuwYyo0OR3MkrQ6zIzkVAY/gH34LEp4NKWIhN:x4loORBd55XvCSOukBzVVAYC4R4XD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2404	win.com
2496	win.com

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\attachment.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	regsvr32.exe
4760	regsvr32.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe
988	wermgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	OpenWith.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4760	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeRestorePrivilege	5092	7zG.exe
Token: 35	5092	7zG.exe
Token: SeSecurityPrivilege	5092	7zG.exe
Token: SeSecurityPrivilege	5092	7zG.exe
Token: SeRestorePrivilege	1188	7zG.exe
Token: 35	1188	7zG.exe
Token: SeSecurityPrivilege	1188	7zG.exe
Token: SeSecurityPrivilege	1188	7zG.exe
Token: SeRestorePrivilege	4716	7zG.exe
Token: 35	4716	7zG.exe
Token: SeSecurityPrivilege	4716	7zG.exe
Token: SeSecurityPrivilege	4716	7zG.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeDebugPrivilege	3684	firefox.exe
Token: SeRestorePrivilege	212	7zG.exe
Token: 35	212	7zG.exe
Token: SeSecurityPrivilege	212	7zG.exe
Token: SeSecurityPrivilege	212	7zG.exe
Token: SeDebugPrivilege	3684	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
5092	7zG.exe
1188	7zG.exe
4716	7zG.exe
212	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 2692 wrote to memory of 3684	2692	firefox.exe	81
PID 3684 wrote to memory of 5056	3684	firefox.exe	82
PID 3684 wrote to memory of 5056	3684	firefox.exe	82
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 5048	3684	firefox.exe	84
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85
PID 3684 wrote to memory of 4940	3684	firefox.exe	85

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\RFSL_6617.html
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\RFSL_6617.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3684.0.1345287389\340648748" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3684 "\\.\pipe\gecko-crash-server-pipe.3684" 1780 gpu
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3684.3.2071215378\30982036" -childID 1 -isForBrowser -prefsHandle 1540 -prefMapHandle 2276 -prefsLen 112 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3684 "\\.\pipe\gecko-crash-server-pipe.3684" 2480 tab
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3684.13.1566086115\1505520831" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 897 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3684 "\\.\pipe\gecko-crash-server-pipe.3684" 3424 tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3684.20.844315338\36677803" -childID 3 -isForBrowser -prefsHandle 2368 -prefMapHandle 3680 -prefsLen 6894 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3684 "\\.\pipe\gecko-crash-server-pipe.3684" 3724 tab
    3⤵
    PID:1300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4080

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\" -spe -an -ai#7zMap1021:82:7zEvent22206
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\RFSL#6278\" -spe -an -ai#7zMap12949:102:7zEvent7325
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\" -spe -an -ai#7zMap11458:82:7zEvent31273
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\RFSL#6278\" -spe -an -ai#7zMap3621:102:7zEvent4860
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\japonica\obstructiveness.cmd" "
1⤵
- Enumerates connected drives
PID:1312
- C:\Users\Admin\AppData\Local\Temp\win.com
  C:\Users\Admin\AppData\Local\Temp\win.com japonica\disfiguration.dat
  2⤵
  - Executes dropped EXE
  PID:2404
- - C:\Windows\SysWOW64\regsvr32.exe
    japonica\disfiguration.dat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4760
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\attachment\RFSL#6278\japonica\obstructiveness.cmd"
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\win.com
  C:\Users\Admin\AppData\Local\Temp\win.com japonica\disfiguration.dat
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3164
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tmpaddon-67a568
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaddon-67a568

Filesize
4.9MB

MD5
96698f7eafa0d19026177d2d1594b283

SHA1
c6456d18c6e7adaa34c3f3be3744c7dd025871bf

SHA256
36e84e32aad8963a66b0b2178c6a33c4b12af17aa50756c0a1d79ad28a34727d

SHA512
8054294ad328f0b32e7474448e77fb4c56dbe4e7100920461508dd18cab94f69b13dbc1e9776800f49993d478827b4a65732a9bc39a3940251d9cb96ffffddd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.com

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.com

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.com

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\Downloads\attachment.zip

Filesize
464KB

MD5
c8b142ad218b3171b573c62101421f24

SHA1
81f37397697363eadf9381897642c17ba9350198

SHA256
f6d8b8d91b63cda9a208f6469d119364c2759440092abced8367a0a1bbdcf305

SHA512
cd262781801d9b21e073e9862d6cce3a9da80e565102e7dd01329f165411abc37c8ba2b394659cdfe4d9b0ae69c7be1c5c2ac49bdc069b2998c886ceb0279a98

Download Submit
C:\Users\Admin\Downloads\attachment\RFSL#6278.iso

Filesize
1006KB

MD5
857770d5d6923a48ef2480e97dd759d5

SHA1
ef3b4dd7aa5b848981a5c965f7b70aae05cdee97

SHA256
5863df411680d0a70476ca533455b5b89f6c7f4701549ff4f55256fa3774b47a

SHA512
e4cd3e56822a205b8fc6a7d5ece4c620989e27ef243e29a9e3829b5dd6059e09fc43d218c0e831407eab13f1d1e4cc42acbdf02b619d289a81556b7012b125c3

Download Submit
C:\Users\Admin\Downloads\attachment\RFSL#6278\japonica\obstructiveness.cmd

Filesize
302B

MD5
5ee7f52c044174f597fedd6ba809011d

SHA1
ff10430328192e6f2d5e15928b543b8336f27dcd

SHA256
698c74eae553cf270815c5b0fa596c1d1e1446afd40a9ffbff2b6a65b0948e6a

SHA512
99fef418f42119e7e8502dab692cd9fa96da2b594ca7d69f7db1b05cf2b81d894a53d359313eae03dadd9cc6d2adb68c22d5f6f9dd7e4c4a5c855544d43cce4b

Download Submit
memory/988-144-0x0000000000160000-0x0000000000189000-memory.dmp

Filesize
164KB

Download
memory/988-143-0x0000000000160000-0x0000000000189000-memory.dmp

Filesize
164KB

Download
memory/4760-142-0x0000000003320000-0x0000000003349000-memory.dmp

Filesize
164KB

Download
memory/4760-140-0x0000000003320000-0x0000000003349000-memory.dmp

Filesize
164KB

Download
memory/4760-139-0x00000000032C0000-0x00000000032E9000-memory.dmp

Filesize
164KB

Download
memory/4760-138-0x0000000003320000-0x0000000003349000-memory.dmp

Filesize
164KB

Download
memory/4760-137-0x00000000012A0000-0x000000000135E000-memory.dmp

Filesize
760KB

Download