8f6787371c660aa144c6521491afe4bc05252874c623cec155dac5dae9777ca9

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ro-Byfron-1.0.exe
Size

2.2MB
MD5

2d1ee30378ae7634acc1b4558cfc170d
SHA1

8442725a2528e8bb849110987580ca9c110b379b
SHA256

8f6787371c660aa144c6521491afe4bc05252874c623cec155dac5dae9777ca9
SHA512

733786a5968e5e552fe18d199424992d745408bac2f206bbc3ea7a8ac4589eeb67e47ff0941c3389691edd1286b5007b629024f1bc1a88e0a0f62f0f48459785
SSDEEP

24576:OOfsfKozBKHAhRh3KzPSA7R7Bt28SVSVlzyQOQZ9IEb68vL4R+2pYJeCYMXABtW:PBozBdhEV7q8bOQnIFWY+3Je0w+

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\Ro-Byfron-1.0.exe
"C:\Users\Admin\AppData\Local\Temp\Ro-Byfron-1.0.exe"
1⤵
PID:1340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_W0_wE0_aE0_pE0_GB_{97df183a-9b7d-11ee-bd17-806e6f6e6963}_8ezxxBWQVL.zip

Filesize
1.1MB

MD5
9dd9b63405e59ec81adf9f8bb5eb3c92

SHA1
86f0e9acc0bbdfe356653d36f5c8bccacd70790b

SHA256
2960396efaa9474ead5f7ccf9aad0ba2593cb62a65fa89ccea027c7ee6a1f04c

SHA512
717c5825d34cfbe563a043824174d30fea7accd57409668c32a36f651c5f62d1e3c30e89a0e808ceb31e52e88a01f173d179dae63010de546b17e8f1ea7c0999

Download Submit