Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/02/2024, 22:52
Static task
static1
Behavioral task
behavioral1
Sample
r.rbxm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
r.rbxm
Resource
win10v2004-20240226-en
General
-
Target
r.rbxm
-
Size
16KB
-
MD5
4ba68770e1ef7c45fa91be941ad26af0
-
SHA1
10b51d3207db5b55548b6eb131918c3368e7cfd9
-
SHA256
bf2b00c0db85aaff70aef27c502fc449e04101db4c267fa0bb2f4bc8a6896d7d
-
SHA512
7f5385813d19c025283aa3114df982b8603e9b5623057206dff08eab7b35e5a8012a6b139072b60c50cf48d0b4dff3ae3216101ab8a701a3ef58c7ec311fee97
-
SSDEEP
192:53Ehhj8/wPIlZIfb9meCa1W002ISOjY9b4en9zbqgyuFhgQbI+CJ+LUCaU4t+:wq0IIfpCao002ISOUbXvqgyujNdLUlt+
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\rbxm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.rbxm rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.rbxm\ = "rbxm_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2028 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2028 AcroRd32.exe 2028 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2648 2860 cmd.exe 29 PID 2860 wrote to memory of 2648 2860 cmd.exe 29 PID 2860 wrote to memory of 2648 2860 cmd.exe 29 PID 2648 wrote to memory of 2028 2648 rundll32.exe 30 PID 2648 wrote to memory of 2028 2648 rundll32.exe 30 PID 2648 wrote to memory of 2028 2648 rundll32.exe 30 PID 2648 wrote to memory of 2028 2648 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\r.rbxm1⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\r.rbxm2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\r.rbxm"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2028
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50421309ba9f70e23d7f87839744517ff
SHA174f00c12934c56bcef2c399c107d247c8189f454
SHA25676c61c201fed045a594b80a34580f95fefeca5b07424c96c2b998a2773536004
SHA512f2170b45d66b4daf8ddd15e5ef0033982db5982c7484e3c7919d51a3984679c0d95c8cb0347e9713a77b9efb92e5795ae6b7b0e5711ef421301ae7a7dd74f401