f064e8f5b259eb2a4021e91be062580417ec5cac568f3542dcc67dd93b39f0df

Analysis

max time kernel
115s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RCO2InstallerGui.runtimeconfig.json
Size

372B
MD5

d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA1

04855d8b7a76b7ec74633043ef9986d4500ca63c
SHA256

1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA512

09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\json_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\\ = "json_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\βᖹ᣹蠀뉘翿\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.json\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\춀뷂ˍ\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\json_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\json_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.json	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\βᖹ᣹蠀뉘翿	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\춀뷂ˍ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\json_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\json_auto_file	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3932	OpenWith.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1008	firefox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1008	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe
3932	OpenWith.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3468	3932	OpenWith.exe	102
PID 3932 wrote to memory of 3468	3932	OpenWith.exe	102
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 3468 wrote to memory of 1008	3468	firefox.exe	104
PID 1008 wrote to memory of 5084	1008	firefox.exe	107
PID 1008 wrote to memory of 5084	1008	firefox.exe	107
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109
PID 1008 wrote to memory of 3912	1008	firefox.exe	109

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RCO2InstallerGui.runtimeconfig.json
1⤵
- Modifies registry class
PID:1064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\RCO2InstallerGui.runtimeconfig.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\RCO2InstallerGui.runtimeconfig.json
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.0.1907241239\537674854" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71c42d77-b4fb-4d79-99e3-5bed587769e5} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 1940 20ebd080e58 gpu
      4⤵
      PID:5084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.1.208242249\507923490" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc54e283-0559-4575-87ba-902af46ebffb} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 2360 20eaf073258 socket
      4⤵
      PID:3912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.2.1225935520\1292889629" -childID 1 -isForBrowser -prefsHandle 3360 -prefMapHandle 3356 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e88b5eef-389f-4781-83b0-1eb228d8db6d} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 3096 20ebfcfcf58 tab
      4⤵
      PID:3468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.3.1318449068\1081179914" -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b3072a-f05e-45eb-8b53-b9f0dcde1355} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 4016 20eaf062c58 tab
      4⤵
      PID:1144
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.4.1791188660\172466853" -childID 3 -isForBrowser -prefsHandle 4552 -prefMapHandle 1684 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a511ab2-57ce-4e31-a608-ea6fa4348a18} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 4644 20ebe6c7758 tab
      4⤵
      PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
7d207c83f6f34ccd253c60fd2c16e78b

SHA1
c36ddb1286795128b381d139b4ff3e6b754c5613

SHA256
4ee36748a9d3379a60d367a4ab9c1c0699f8a335c0c9784952bd18d46059b280

SHA512
2baed267dd55c2e2219c50664eb074efd650625e04f5219857b57560d4ea5e55e96f97bc0efca1ab41e0901dc9747268df3e37bb6400fbb6916acd57afdc6fd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
5bbce631c5a8c7a0367b153a83dd6f73

SHA1
b15f048ee38c3bb8fbe7f8d6e2b4055349a84bc9

SHA256
0fb7bb4afe0bfe661400f40dd81ca61931e3da1f8170234a4d10ce72d47cf986

SHA512
309575d55876b885f53573acbc6d96ee131331bb2de9603917586c68c9123804fc697406f2a26d031ad544736899c5c197a9181be7029778c57a90b9fecab696

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit