Analysis
Max time kernel: 91s
Max time network: 92s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/03/2024, 00:20
Behavioral task: behavioral1
Sample: Ro-Byfron-1.0.exe
Resource: win7-20240221-en
General
Target: Ro-Byfron-1.0.exe
Size: 2.2MB
MD5: 2d1ee30378ae7634acc1b4558cfc170d
SHA1: 8442725a2528e8bb849110987580ca9c110b379b
SHA256: 8f6787371c660aa144c6521491afe4bc05252874c623cec155dac5dae9777ca9
SHA512: 733786a5968e5e552fe18d199424992d745408bac2f206bbc3ea7a8ac4589eeb67e47ff0941c3389691edd1286b5007b629024f1bc1a88e0a0f62f0f48459785
SSDEEP: 24576:OOfsfKozBKHAhRh3KzPSA7R7Bt28SVSVlzyQOQZ9IEb68vL4R+2pYJeCYMXABtW:PBozBdhEV7q8bOQnIFWY+3Je0w+
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 7, IoC: ipinfo.io
Modifies registry class (1 IoC)
  Description: Key created; IoC: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings; Process: OpenWith.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2036, Process: OpenWith.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Ro-Byfron-1.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ro-Byfron-1.0.exe"
  Tree depth: 1, PID: 1340
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
  Tree depth: 1, PID: 2036
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  Tree depth: 1, PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\_W0_wE0_aE0_pE0_GB_{97df183a-9b7d-11ee-bd17-806e6f6e6963}_8ezxxBWQVL.zip
  Filesize: 1.1MB
  MD5: 9dd9b63405e59ec81adf9f8bb5eb3c92
  SHA1: 86f0e9acc0bbdfe356653d36f5c8bccacd70790b
  SHA256: 2960396efaa9474ead5f7ccf9aad0ba2593cb62a65fa89ccea027c7ee6a1f04c
  SHA512: 717c5825d34cfbe563a043824174d30fea7accd57409668c32a36f651c5f62d1e3c30e89a0e808ceb31e52e88a01f173d179dae63010de546b17e8f1ea7c0999