Overview

overview

7

Static

static

3

ruko.rar

windows11-21h2-x64

3

ruko/DONTMOVE.ahk

windows11-21h2-x64

3

ruko/README.txt

windows11-21h2-x64

3

ruko/Ruko.exe

windows11-21h2-x64

1

ruko/RukoConfig.json

windows11-21h2-x64

3

ruko/resou...er.exe

windows11-21h2-x64

7

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDIR/app-64.7z

windows11-21h2-x64

3

locales/af.pak

windows11-21h2-x64

3

locales/am.pak

windows11-21h2-x64

3

locales/ar.pak

windows11-21h2-x64

3

locales/bg.pak

windows11-21h2-x64

3

locales/bn.pak

windows11-21h2-x64

3

locales/ca.pak

windows11-21h2-x64

3

locales/cs.pak

windows11-21h2-x64

3

locales/da.pak

windows11-21h2-x64

3

locales/de.pak

windows11-21h2-x64

3

locales/el.pak

windows11-21h2-x64

3

locales/en-GB.pak

windows11-21h2-x64

3

locales/en-US.pak

windows11-21h2-x64

3

locales/es-419.pak

windows11-21h2-x64

3

locales/es.pak

windows11-21h2-x64

3

locales/et.pak

windows11-21h2-x64

3

locales/fa.pak

windows11-21h2-x64

3

locales/fi.pak

windows11-21h2-x64

3

locales/fil.pak

windows11-21h2-x64

3

locales/fr.pak

windows11-21h2-x64

3

locales/gu.pak

windows11-21h2-x64

3

locales/he.pak

windows11-21h2-x64

3

locales/hi.pak

windows11-21h2-x64

3

$PLUGINSDI...7z.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/06/2024, 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ruko.rar

  • Size

    72.4MB

  • MD5

    93ceb3606f19b66d22826ffd6c2d3445

  • SHA1

    6fa541cc87267d14020982e9c9d20cdd91f85f93

  • SHA256

    02be913e8c2565202481c69f8827e813dccbc1611ec3d7cc97c47dc9c8a8273d

  • SHA512

    361bde7989cc0b1c387cb0fa048de609f55bace6ce770c8a6749c6dd50fdb9a8a55d69b91ccd4d452e4ef51d06a3126a2127b05bdbf2cc1ae7c45385ad8cc928

  • SSDEEP

    1572864:yE0a+riAfyK7XmIiavAJ72cEUMCYMYiUtJb3wmkNU8t+AJPQMc:yRPfyKDRKaUMMYHLbBEQl

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ruko.rar
    1⤵
    • Modifies registry class
    PID:1460
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\ruko.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\ruko.rar
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.0.1388076135\979182716" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {129d0120-5ba8-48df-9e04-b3f99e64dc0a} 668 "\\.\pipe\gecko-crash-server-pipe.668" 1896 128e9c30858 gpu
          4⤵
            PID:2504
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.1.448568147\1211581128" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e2e25b2-8f07-4ccb-981e-ed6bd3c2b068} 668 "\\.\pipe\gecko-crash-server-pipe.668" 2440 128dce87358 socket
            4⤵
              PID:3052
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.2.162474870\1766259769" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3064 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb62146b-e30d-4393-8310-8a1018c90bb9} 668 "\\.\pipe\gecko-crash-server-pipe.668" 3044 128e8b95758 tab
              4⤵
                PID:3452
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.3.1942881668\734372384" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a16634ce-1aae-48fd-8c05-f9389237ee3b} 668 "\\.\pipe\gecko-crash-server-pipe.668" 3556 128ef4fe258 tab
                4⤵
                  PID:4424
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.4.1701802261\354026639" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5176 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2867b0-4acc-42f2-999e-129720e43ba8} 668 "\\.\pipe\gecko-crash-server-pipe.668" 5248 128f1ae7a58 tab
                  4⤵
                    PID:652
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.5.799856260\396273556" -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1043a9-3576-4799-b66b-e78129b277d8} 668 "\\.\pipe\gecko-crash-server-pipe.668" 5376 128f1ae8658 tab
                    4⤵
                      PID:1864
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.6.1963502038\732463393" -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1224 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {353b8a70-3cbc-40b3-9996-d731f949f400} 668 "\\.\pipe\gecko-crash-server-pipe.668" 5580 128f1ae8f58 tab
                      4⤵
                        PID:3376
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\ruko.rar"
                  1⤵
                    PID:1424
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\ruko.rar
                      2⤵
                      • Checks processor information in registry
                      PID:4412
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\ruko(1).rar"
                    1⤵
                      PID:1888
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\ruko(1).rar
                        2⤵
                        • Checks processor information in registry
                        PID:3148
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\ruko(1).rar"
                      1⤵
                        PID:3068
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\ruko(1).rar
                          2⤵
                          • Checks processor information in registry
                          PID:4668

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qt190sk.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        23KB

                        MD5

                        e1cc7f919170e950ab9e498681eeddf9

                        SHA1

                        94144e8a5bacf49a5bbf795c20290814a68d05e3

                        SHA256

                        93adea62ae5ff8d6b97f05248036ce38d481d047dc295ffc28d0b789f59c20e3

                        SHA512

                        2b1e69358a5d333540bc57ac71f2ad874e9a26236eee5cb1e4e6bda7c1ad6d3e1b93d481e299b6e5716cfb327ac295b9d8bb879b6cb0d7094308661e1b1ccdc4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        95c40f08f6eda255b887e59789fe9dee

                        SHA1

                        0f983e68c485b98e7a472bab573ad73661047c03

                        SHA256

                        ca1f47e3cb374427194fdfd09f81741703ab22d0ea162ccaf59eb00c776e1f4a

                        SHA512

                        5163d6a54372f486ace834f801611b71a8c8429c77360ba4b3bb72a3621d64c0882530e32a04a29da971aae80220394dfd20cc2b636eda82d46ca3fab84b5c46

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        13b138f020e626c1c146126474adeb4e

                        SHA1

                        93e78433b989884b4d26f32bdaa3f6039216f547

                        SHA256

                        1fd36a6166ac36599249e16bdf638dd880ae906c0a1bf55040c43d03985ce0d4

                        SHA512

                        61c7ea5c5de9b6ab95e40a7d70d233bfbe5511f8d359ac182ff888d769ad214eb3833b288a28e32a97131be2dc2bf965a907c14d10791c47b25fe1807ad1cd4e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
                        Filesize

                        8KB

                        MD5

                        9f551ac1405e07d627da1c838b1108a1

                        SHA1

                        e4eda6eeedb81ea7d3ac47979159f6979c8c047e

                        SHA256

                        30cad21261a77600728070604f358d1ddd586000ede2883546808d0e6935e40a

                        SHA512

                        8c5af11872c98737c7cf9dedfac3d88c6b9fa7e70acad104d1a04f6889613dfb3ab85cae38af1d3d36a9a33c7f2826252e9f71e0ae18284b48b2489ecbaacf1d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        3698e4efea8edc915519a25394fd7732

                        SHA1

                        07366c7651425e7a2387d1b340b0392728ba5146

                        SHA256

                        116cb89b65ae03a138bfd80adf192d2bcfe10c3abb33eae04c5e26483515227b

                        SHA512

                        5b97f159d80a5774ec69638afa1c9126969611992abe616355ffaf7d9f31f4fe418e0cc4e0ab8d558a9d750cb34390fda698a0127b7981f6eb696e8587016b92

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        15afd19f1ebefd4d5cb9be0244bc9a14

                        SHA1

                        2e99d9e1120b96d87ff4217128548666997f4c54

                        SHA256

                        d62dd85f2fe1c6d76ffc0f29e100fc2f9759bb42a46b724f78ae6da8548b5efd

                        SHA512

                        6c51c6d62f8bef984f79deb027e4eeee59da94204c128f527d9fd918180213eec12634dc4685a87ebee064b026b83c60497953ec5b21a0cc58ba088a293427c7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        1f592311a710e8a414d56879461353ad

                        SHA1

                        2fa76d13d3af2d58275f5f4631699e821c8ce43b

                        SHA256

                        76e2238e7d26778a0aa7bc999020f590226d632927e96fabd34a733b1dac7ddd

                        SHA512

                        846bb638cde1e17637dd0359689886d727f68e4e0f9e8e787d24f5f6ee13ce25dc60aab085430cd5d19017245a8221ca3287f53cc0f05255c50acacb5921203e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        115f488cb0308ad56fbd14603e7c0ef9

                        SHA1

                        e467cce69efff1db66ebb47493cc11bbd5b9d811

                        SHA256

                        b29dabfd44de16c667b51ba2a0ddb89488544b9b56dd112c707f8b8b316a1049

                        SHA512

                        d8dce162fbac0347c81ee51a04bc11d45841e725b9293d7517b28cecfa6499503cfb88d15d6b2073e5d071c106ee6ee3e07bed9b953f206d59119658ae0f3085

                        Download Submit