Overview

overview

7

Static

static

1

$RSYBGF0.rar

windows7-x64

3

$RSYBGF0.rar

windows10-2004-x64

7

Espana/A Meeting.txt

windows7-x64

1

Espana/A Meeting.txt

windows10-2004-x64

1

Espana/A1 ... 1.txt

windows7-x64

1

Espana/A1 ... 1.txt

windows10-2004-x64

1

Espana/A1 ... 1.txt

windows7-x64

1

Espana/A1 ... 1.txt

windows10-2004-x64

1

Espana/A1 ...rs.txt

windows7-x64

1

Espana/A1 ...rs.txt

windows10-2004-x64

1

Espana/A1 ... 1.txt

windows7-x64

1

Espana/A1 ... 1.txt

windows10-2004-x64

1

Espana/A1 ... 1.txt

windows7-x64

1

Espana/A1 ... 1.txt

windows10-2004-x64

1

Espana/A1 ... 1.txt

windows7-x64

1

Espana/A1 ... 1.txt

windows10-2004-x64

1

Espana/A1 ... 2.txt

windows7-x64

1

Espana/A1 ... 2.txt

windows10-2004-x64

1

Espana/A1 ...ol.txt

windows7-x64

1

Espana/A1 ...ol.txt

windows10-2004-x64

1

Espana/A1 ...om.txt

windows7-x64

1

Espana/A1 ...om.txt

windows10-2004-x64

1

Espana/A1 ...gs.txt

windows7-x64

1

Espana/A1 ...gs.txt

windows10-2004-x64

1

Espana/A1 ...gs.txt

windows7-x64

1

Espana/A1 ...gs.txt

windows10-2004-x64

1

Espana/Basic 2.txt

windows7-x64

1

Espana/Basic 2.txt

windows10-2004-x64

1

Espana/Basic 3.txt

windows7-x64

1

Espana/Basic 3.txt

windows10-2004-x64

1

Espana/Days.txt

windows7-x64

1

Espana/Days.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2024, 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $RSYBGF0.rar

  • Size

    5KB

  • MD5

    d3a2b1c8828617cf2270a9c719a3c7e0

  • SHA1

    cdd54d80d1c1ee4c3eb3ace9d7524d2b6f65ba55

  • SHA256

    4ac9761254127d3f61e1b0721c016076f9b82ff97b9cd018bfac2958c6d4b379

  • SHA512

    9e578bd19a085663171c1b72982a15630d10c5d4679dae7c0f8b99dbc91bb7dab07dfa62db9b729e8c1be4cee0ada48ccb340790da58caedee6b93f3d80344f7

  • SSDEEP

    96:ZSnCkzB2E5b/bq6F7HdercecwYVG192bWphdcl9ty9AHu09OZHvSE7JJfmYW20DH:xktfRBFB/eKE1MihdcrNHavSEzeYWOo

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$RSYBGF0.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$RSYBGF0.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3840
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4252
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.0.203684549\1120722440" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4012c62b-1a53-4f70-bdac-31c3fcc4b711} 996 "\\.\pipe\gecko-crash-server-pipe.996" 1964 18eddad7e58 gpu
          3⤵
            PID:4436
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.1.1168389125\1798360118" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f4c8421-0fd0-4f99-8087-8195f504822c} 996 "\\.\pipe\gecko-crash-server-pipe.996" 2364 18ec9e6fb58 socket
            3⤵
            • Checks processor information in registry
            PID:4252
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.2.1479165252\1039401906" -childID 1 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2588f134-5bcc-4fd4-b2a1-a82c74895075} 996 "\\.\pipe\gecko-crash-server-pipe.996" 3408 18ee1ad7158 tab
            3⤵
              PID:5192
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.3.1459425666\1158811945" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 3044 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa9ee432-4dd3-44e0-8d86-bb5adac2b40b} 996 "\\.\pipe\gecko-crash-server-pipe.996" 2992 18ee1ad6e58 tab
              3⤵
                PID:5300
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.4.1926670505\1257117450" -childID 3 -isForBrowser -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba6ee3eb-248f-4b90-b8eb-af0ceb99e16e} 996 "\\.\pipe\gecko-crash-server-pipe.996" 4388 18ee36adb58 tab
                3⤵
                  PID:5624
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.5.827779294\858669730" -childID 4 -isForBrowser -prefsHandle 4876 -prefMapHandle 5032 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0eb8ebd-fcf0-47f0-a3da-9cca6145b7f2} 996 "\\.\pipe\gecko-crash-server-pipe.996" 2864 18ee1a95a58 tab
                  3⤵
                    PID:6000
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.6.1635421762\2111331792" -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bac39ecf-e7c3-4722-ac5f-98216bde831d} 996 "\\.\pipe\gecko-crash-server-pipe.996" 5148 18ee4073e58 tab
                    3⤵
                      PID:6008
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.7.2114503454\1099751322" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b015f7d-319b-46e1-af96-9b522ffbc857} 996 "\\.\pipe\gecko-crash-server-pipe.996" 5340 18ee4076858 tab
                      3⤵
                        PID:6016
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="996.8.118425006\1512322163" -childID 7 -isForBrowser -prefsHandle 5768 -prefMapHandle 5748 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e820f4d9-c5ac-4467-80c3-3d52986aa2ec} 996 "\\.\pipe\gecko-crash-server-pipe.996" 5776 18ee1beb258 tab
                        3⤵
                          PID:5972
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5b6d79e2h0469h4ca4hbfd2h88ce5c6a735f
                      1⤵
                        PID:1480
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
                        1⤵
                          PID:5396

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                          Filesize

                          9KB

                          MD5

                          17a22570417ca210ca97c428373ea362

                          SHA1

                          622ae9a397b9189419373d15bed6179abc2a74dd

                          SHA256

                          fba67ce8790fa1729dd02192c58533120a25f641e988bf0428c67ba757b384c8

                          SHA512

                          8123240a16b95923e48d806d1c26d37435f6d563e630e9de4122120c0e90df6a8ddcc4b7415c1c2d1e9978c3e1bf1f8737c78a716ff9d54c2fa7f4d5a87e2132

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\75e415e6-cfa8-461f-afe8-3fea0c76f6b7
                          Filesize

                          734B

                          MD5

                          c5b1b3caa0501e089bc01d1210c0c2e0

                          SHA1

                          312863e093def31e659b4d44606627616f99a46a

                          SHA256

                          1105742d865ed6d5ff959256224a201d3865afd03f5ca2f93468e67b169a729e

                          SHA512

                          c67828635072678fc003712f1f91ce28090a9fb61a55753ba22bb8c04d15e98bcce68237efaa10023eb526884ccd9b4ca629556c97f040f13d6c7d05c05e306e

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          2f7a1470c56e2dbf0dabe19a4d5c4449

                          SHA1

                          77b9f6ead002e2550067024446a1c9cacc46cf98

                          SHA256

                          22ed4eb9a178305c1b0c41f53cc5fec8af5c7d7f56f576a7b253245b9064b9a7

                          SHA512

                          80fe0454c780b69b68fa7c5f08084050057c150042cf254c02b51a252312fae12348e2f6c8dfa0113f4b1cfd37450d73486b0782b6ca72106ecca6c2270a62bd

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          4c473241422c52d60af92cd1807510ca

                          SHA1

                          5fa9efcf29ad6f92c0ebc4a2e3beb1800e2bf393

                          SHA256

                          a44e73740603c5c549830f36b21c51b4c4ea8debb25e0563345e68c3d158ed3c

                          SHA512

                          185ace25ba56af6bfa84631e0dedf77cfd268be144268a2596c1797542fb4b6b75edd7f789d8a0866cfce7abb6ae7ded47fd55c46a7aebf489a3329f02b16970

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
                          Filesize

                          4KB

                          MD5

                          547dd8c28f6d8b7bf73600427a7ecb02

                          SHA1

                          2e7eceda466684f84c71c19428bbd4daa5a38050

                          SHA256

                          2b114dfc547e1aee7397e90e0a0fa6e417b95322a3853330f58d92e8972b61c2

                          SHA512

                          38acbeb92ad73c8c6584707c6bb1f0456b7726feb2e432f7100cd0e5c76e71e57825d1abfe5721142f99935301b41ef7f49cfa65bffa1cd5fbb46c8d93d054a5

                          Download Submit