10e152c85056dd228882d39be0b23176fa5f2ca7412ac0adb987a85204acdb58

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AiRoboForm.exe
Size

7.5MB
MD5

2034c619eb718fc32d61097035e6861e
SHA1

a65286f3dce62fe70016ed27c869f3140a7f95e8
SHA256

2e329001d8a663c8167d2e2a228a53914ecd63d6a60edcba15e47285dde0bdc7
SHA512

aa1fabd6ef0cd8aa79506704b642a195c8f1dc40f66ff55e28bca92927803ec7557419c7dd9ccfad058bd6872234863f847458d3ab4855e24cda0d7ab0d710dc
SSDEEP

196608:IEaIO7cIHvkGnzbzg6g0AxtrT6Vyt4lqlkRgpz1rjy6f6IBgEes:5O7cIHvkGnzbsl0AjPt4Mlkupz1r22DF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	rfwipeout.exe

Loads dropped DLL 1 IoCs

pid	Process
2632	AiRoboForm.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Siber Systems\AI RoboForm\_x.xxx	rfwipeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.Class.1	rfwipeout.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.Class.1\rfw = "38291808"	rfwipeout.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	rfwipeout.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	rfwipeout.exe
2220	rfwipeout.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31
PID 2632 wrote to memory of 2220	2632	AiRoboForm.exe	31

C:\Users\Admin\AppData\Local\Temp\AiRoboForm.exe
"C:\Users\Admin\AppData\Local\Temp\AiRoboForm.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\rfwipeout.exe
  "C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\rfwipeout.exe" ii
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\_rf.log

Filesize
4KB

MD5
18c02e5c678295cf7ecff673b8c69cf1

SHA1
d7fd0bcafe3c8a47a3aad6909026572339dec38d

SHA256
9ebc93331e50126f3fe0a1ed6955b0be0b2d52ebfba07beac0257c49fe4c7e87

SHA512
e81f6bfd6afcb366f0ab862a78fb484b0a2b7dff9303e7ec5f0cbd58264757200a53db7b2fc1fcc227d36027b96d2899b9ea34d13f3ad9a9e387e81e954ce223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\_rf.log

Filesize
6KB

MD5
d3f5754fba80ef18e9f1c2622a11dbfa

SHA1
bdbe23b8ed64eeb95b2124b64041943653183a3f

SHA256
63cf638a6217ad47e652ab064a11b7842a6984343d030b71b20a5ef5d7aca53c

SHA512
bd7202bb9fb5f179bc7bb580c66dd767d160a3e36a20aec375673a2fb6f92b27a39dd55215f594e1504cf0d126ea4b9b19e42f9832243a5290284e77dd6300d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\_rf.log

Filesize
449B

MD5
986729384bee18fb4d7f06d81ba613a7

SHA1
4e2896f4e9b8181a2d7067cf8dcc20614c4937fe

SHA256
3c1d812c28c922e8348483dcbc2d24ea6bf3e8335c990f64b35495b9d1b8d7a2

SHA512
a36bc5adaa3f72507c818c44ab6f2e884cb3caaa3b6d6e4312b7a5cb5002310bb52f93766b3178f3e8b18233052a6cc6c04aad0a4acdca92fcff9ed9d4ed6a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\affid.txt

Filesize
80B

MD5
8fb5783f253424594eb573cbf20e19f5

SHA1
cd79cc4df30e0af55df1a6bd53ff0550a299267a

SHA256
1dc1590f3592160fff4bb471ac396afb0e16407436d3e26a1ff1be66fbf45d4e

SHA512
48fbe35122e47c56fc34e6edc9bbb8faecf687a1d6ec33c70a0b769652f53e3d32e6f6ddfa8151e7df4fa6db88ade1fd0914fbc096f1709d876bcdb75015b267

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\ar-Arabic.rfi

Filesize
125KB

MD5
7cdb1b72b80450aaa0910165d87952f7

SHA1
da1d88929ad8d94839848d114b66a867be612e07

SHA256
6b71914e32bf6fc81da3a248690e915b017912b465769f392eaa305dd4462507

SHA512
c1fe200909c8567ec96c3053c3961d408ad18023c85b821199b3a68e467a7078884542440b66293138b780d6825f8ce221004d4e08740e1dba663f3aef608c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\br-Brasilian.rfi

Filesize
90KB

MD5
ef288c9fdc4e2d14cf67c96e678b7c1e

SHA1
6e61accb6e0b4ce04fd43eb15d8b25bc96d1ce1e

SHA256
da9a65297af19e36e32e128ad4023d3e95205d8ea3c0f448cbd6af65830e9f38

SHA512
c7fc077d450382629f6ee6ccbcc70b422b4c31039858502d52c0fd0f16026c598505f767767bcf7ef1a33eae4ab7674dae6c625ca35161e8def7a8b364eee04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\cn-Chinese.rfi

Filesize
126KB

MD5
45fd875e64808b7d69ba83a4e1631a42

SHA1
5ca1f451ccf53af9f1e641e85a3871b1a14a54ab

SHA256
fdfe0c61c52a53bfbaf84cbf2a396270e6654202919bcd6a8cbfb3e7c413d2d6

SHA512
b61a5ee664b57a85611ffcb2ce428c0ea4f086ec55cc7ba1d1f6813c7e364710955e0dd7d7b5f6bc3f930abf1bd5c93edcb7db3e6d172ab28864e31425bc7769

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\cz-Czech.rfi

Filesize
69KB

MD5
6be9c66c9bbacf6181632c52d63b6fe4

SHA1
ad39c898ab514569b6ec77886d86fb0776f3e8e5

SHA256
12dc0c42189a1adcc6ea1db80e993d73895b237554d92a2f69beee6eca247190

SHA512
ed70b54c8bbde5f36c0f1439ad319173175f43b572ed63fa78d5477a84fe77b738cf0f64ef589d3e70566622b4fdf8f74ca4885f2e4355dd6d7745278d27e04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\de-German.rfi

Filesize
161KB

MD5
c009f438f5c3598d970c2ed8ce7959d7

SHA1
4ed8651e0557495ad56581e56a6d2076219331fc

SHA256
53d4b9bc876a14450282e90b90d8aa016030ca863eea0191a9d88d34186f2f71

SHA512
ca87781ef29b83be00406aac0dd1dbe3ceffb2988fafcd20b1420be627255b1be9f38d6d157d932cff57b777b66cdc4f2488c7668d30e992416dadd7fca815f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\dk-Danish.rfi

Filesize
127KB

MD5
2ff24d4e867fd33698f0820b69071db9

SHA1
0e3186e05dff61d870be955c385d2a97922f50f5

SHA256
d566220064382fa29b7aab35d19e3a1425d3d885e56bcecd6a1807ff13a413ac

SHA512
a04208bdc602a8cff1813c6929a2b4486ab48fee73ae927a7698fcc8562f85ae7d57d7f2e889b348c8074e0529733f1720a7283e0e0fedd647f930607685e439

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\es-Spanish.rfi

Filesize
151KB

MD5
50e46bea9fcd7ca41ccc202fe0fa11a1

SHA1
fab3d1fb870211c6e765710ef3221e116da1be8f

SHA256
5c01becab3e252a3e14bc4a453298ea3b27593aa4c1c454f1b413d4a202f0319

SHA512
60f765fd50981857ef98dc5a8b95ff8236101b81b1cf9a3520ff9371bc8e27cee2fffbd5020b612a5828789ef686edb249a0f7681348dcc4d99a7542ff567dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\fa-Persian.rfi

Filesize
210KB

MD5
3095fe92bf76af69d75340e356acbca9

SHA1
b20174656deee71677b30819182afc86eeb4656c

SHA256
a5489c8ebc0f8cca7b09e9f270e242db5f65e79c5801e81796376bf113f9a228

SHA512
fae5471f3701546f73163082a61ce2d8b0558427cde24b45478d2b8d870551b3db2d5601e17245cadcb50db111be3ab496b04d3d35b00810b80b060f7539f5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\fi-Finnish.rfi

Filesize
50KB

MD5
f4b7eb8eb19456659f8ee203097cb83c

SHA1
63ed5b6b20f427c8248c7ec50c0d70d03e142f34

SHA256
3a28076a19da04f99502312b419163bb255308537da85fea6175f1c118a28408

SHA512
78a61fdaf082cd493bbdf4bcfb0e993669192fd8004649346a3bfb5ca810e49821132a1781b39488ae6e1efe542d261898349159b39d5886e57b85cd12c363a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\fr-French.rfi

Filesize
154KB

MD5
e4d755aa68274baaecfd4d247a05bd1b

SHA1
ee4e7643086922bf677e65416d2658a93517b827

SHA256
24c3ace826096523a4e88b8bdd930861452c48656b8c9a8c40352c0ffaee42d8

SHA512
f30a56de3fd0c2bffb4dbb58e556d0920558b17b604371ede2aa18e541422cfb80cff657c5949b8d3454136dfab72759e6d5e632fb2e5e1616a6daf5519f2e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\he-Hebrew.rfi

Filesize
88KB

MD5
aab2db7cf58faa6489ada69d30553b9a

SHA1
6409e4dce5ad92333a77ff8eb4e2b11d113d50c1

SHA256
9e59b4aaedd5eb9ff15642ddef767236d96497cf844759b1b7af12705721eb77

SHA512
b4dea4cb504095af6ecf81d8233c5e4cc4454717d08210406b16f70ce3aabb9e875b69ea2414506d367ffbaba5b7ac66d5c3f78ee3287bae5db243a804dd9649

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\hr-Croatian.rfi

Filesize
84KB

MD5
c53d814907f5dc154e67d13ca017717e

SHA1
e5ab14a797704310d3f4408d72dc0829af97ed1b

SHA256
e7b4cb4a6212181da49c6cbf2fa0d4402c4f7e89752be63c0e7e51a9b5414e94

SHA512
05982ef391b466786cc5b13b3b8df0a2bcf7f72f74175dadaa5780f10d1861efeba39d3e2243ed3cf2308ca0d9d42a0782079f1da581c756e43416ccb8348872

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\hu-Hungarian.rfi

Filesize
28KB

MD5
0517d02de66eb6b2246f5844537b0d35

SHA1
cd5fbafd8779d1ece0fac842d444d06626c8a7ee

SHA256
722daf7f2db016a19a293650f3e7f4d197ff320ba44ec3363bf27be3f7b1bc01

SHA512
64ac70e2b481d77b0964536e5adfb3c6d1a5c62a85453bfbb12405aa3093c3095764bcc0ab4cff9836391167bfe4dc7ba5cb94b4c931af1a5c06ae6cef3fc95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\id-Indonesian.rfi

Filesize
145KB

MD5
3c0c630fe717d5ceac2bea36f0c9370b

SHA1
5c0990d331dd0ff1f735006c8e8949e0160895fd

SHA256
2811173ad2566ca015d8a24354709feecead13741b138cf873b41696f5f90925

SHA512
8981a74e55ee7961c246824e81ba5bc1e9c093f66608874e1931f7d8fce660a6802f7470a2e2c9aaafa65cebcbe296fac1603017ca0a9eb23e47e4ad16e5dea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\it-Italian.rfi

Filesize
128KB

MD5
f4c8ed17c6511e534bc86eae77a6d080

SHA1
3d332a9314d45770d33b71c92df51f97e862025b

SHA256
e0446f7358d173460da23eb0ee2ea4e6762449549724af3d86cc9c3d220d5ad8

SHA512
db8c293cceadae1e11ee127f19ae0933bab5cd81cca97ed4d146f7145ee507e5950b6cdd40738632dcbc56722efc1d3b20e086bf8675fecc76c583473bba62f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\jp-Japanese.rfi

Filesize
183KB

MD5
e441194a7a7396b92edd920934c24486

SHA1
3c3769767c012eb5101fee704de74a28268eb6d2

SHA256
dcdb4c8cb8a7b94669c4874f61ade39d0ce4fe13522b298ea7112bcf4f094747

SHA512
a4caf72c5603907584a39ca9586d83bc7b168e4d122c46954f6c56abc32e83313fabae8113705c5d45fa4b8b7dd1a4f025f5822c9c54df340bfc74fac6a1cc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\kr-Korean.rfi

Filesize
155KB

MD5
c7c2af94b4863ec96b202974e3f7d651

SHA1
3713ddd8b65b1b83ad3a038ffde13e946bc8f2ac

SHA256
702d41e2d626049332c7ed2ce94e16bbe3d4b3f6087558a562dd89e264e9564e

SHA512
2b047921d4af59ca321615ee4b0204d0bdf98335f495ea45697c0443324daf337896efd9ae4bd6c9ec26e708413be9f0db838be74e1a8ecb9205d564788a0232

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\lt-Lithuanian.rfi

Filesize
101KB

MD5
71ced922964314bcd1b97c0568c0d4f1

SHA1
901e6acb52604a9d7a09a681f2a9041f8bdebd33

SHA256
b91a3afc41c028a51ed01382ac76e9a90a117edf3c8b29935fb10c4cef0e98f2

SHA512
85b47f7f719df46db6bf2681dc3869b4764e02bd2a1cf126cbaec6766f6d3c308be4ce8c8f0e7fd2296714d06a77b366fe29d9efb066f9ff8a857f898c7acd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\nl-Dutch.rfi

Filesize
129KB

MD5
e4cca166e26627557e7f34eebf4831aa

SHA1
fc12f5f8d0563858a6552ddedbbfe5f6247d899e

SHA256
8e62e7789e68beab8501768b07aec46d88e6ee553c8dc1a30a81828fccfd2a67

SHA512
05ba4d8a095b5d4ba4b99751467585664005956313df82621093b949338a74f1c03de0d4e3710131af62740ad2700097b500d8f3e98e1467c212ff3fb6e3a0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\no-Norwegian.rfi

Filesize
85KB

MD5
f3dcfeb62b82235dc0f16064f3197a81

SHA1
18f1b7ec5993b80d5d0595259fdc20c8f45d4ff2

SHA256
2f3ab77ad0c9f02d291ce6ea83f48c6a277f65a26deaafb9a813482192ce902a

SHA512
1a4d0f4dbfeff9aaf7d469f9f01d0c9666397debbce87596fa55dfacc4e2c3ada165cd6dec047650c83ac1ee79e337d8698fe95382ab4987f4a4d09b26f66ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\pl-Polish.rfi

Filesize
94KB

MD5
a3c70e023808159f4ad5838d2be09814

SHA1
8417729f0c6a49e88eb9178efb49d8b3c36d3412

SHA256
ed6088f7a187572afee0797a73f29a86207fe60b2151a67c0828e3bf62309c69

SHA512
78a9eeed85ebbc63b7a6f3e1eb0697d99e0a1300bc4cea811b16381bee883f21ac65c99b6f8150b97e67570d3ed564a532b9b0f1da7d526f08db8e900ffa93ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\ru-Russian.rfi

Filesize
218KB

MD5
3604384dba834419524d9e85bbc94e19

SHA1
5b6b8d6c4097c67d342ce72fbd9fb5d10c928e1d

SHA256
a195391724af1a866fb413414ade0f4bc9c2df95da3efa6924fec2813a1e0c9b

SHA512
85c0339b454acee7dcac144b592a58b71d53277ff98745fef9b0afd3a2be880309fdf3cb1543aee8dc7f2e449220cc95dd9c56d3144eda167193f4adccd3da3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\sb-Serbian.rfi

Filesize
122KB

MD5
3c65919899eb950003f7d0c491c18b52

SHA1
bda35450797eb1537e0ebee6c9ffa716e69312dc

SHA256
423534d7f8d3dbf650136426fef797cb4c3790aff3c382d77ca40e7d71d423e6

SHA512
1cd51bbc929a1ae8ea09c59776dfbe2da695e6e8420553b53d02129ae554a3e886bb9b0c4b8f36881f0215675204a3bee04f92acf6a72ec241f80b3b1b2656bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\sc-Serbian.rfi

Filesize
190KB

MD5
381ed94f64d52eebf7ec62f5290199d5

SHA1
2f2f2b85cd4d1b9ac7f95cd544b1842d5fada69f

SHA256
a73038c8b7e99430341f47b997729b1ee35608801cfa4c6889a3af92fefcce25

SHA512
d6673ccd92ff61e6ae9110d62b4748a14be780adda70c994d233e8796e7b6479234da9be76a965e7fa9304e19d53343d3c34c6fbac8e3a6adb08d0bdb0c07c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\se-Swedish.rfi

Filesize
90KB

MD5
8a78887cfd50a4957dd982721a08aa91

SHA1
c017284371e14cd5458dea6b4527ca629b307500

SHA256
03805d079c793828b56fb1ced5f3548a8afce941468582751a1b337743df7925

SHA512
de1dd9bb082fd069944dd3f81bc39ea65add49dec1f22c9ef7cc8284197d54915e3051c9b968c3024647d4116f41dd310c9a85fe14ac9ebedc99e14e79505a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\sk-Slovak.rfi

Filesize
102KB

MD5
df9f31346a67b906a1d4e31deadf5ec9

SHA1
0ee41a1cd3a29e78679b9b1130d7fd19c793eaff

SHA256
ac719502d4ce48462f44385996c5220626ff1bfa9f5d390d988146b74df00bef

SHA512
941465486b8fb10d4636960b70d55c97bc3d00d8be10aa850eb2b6a6bdb38258c60c1486050d41d76505b8214cf9a29ea31905aa74aaed0d30b7cadb06aabc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\tr-Turkish.rfi

Filesize
152KB

MD5
7d847574f77e79289244da787a42c992

SHA1
58f9a68af09802140c795110258ecdcbe9409202

SHA256
8ffaa721e924152b9e5237ae05df1a5c5e5264799bdd7f3b81b6b2d50a4eeae7

SHA512
ebb700e1b8b95203575912354b83b5bdc354eaf525f3540c34496440d71ba03bca7ba1887a1f38666aafd791fc0c600328ec5de8d1ecbf340b17510b125fe83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\ua-Ukrainian.rfi

Filesize
45KB

MD5
e06f4e70c72a534efb50f73b6dc9c983

SHA1
c702933e04ffd0625d755f0a8fb726e85bee1473

SHA256
71206501eed79ff4f495c21ec89ae60a2d893c894244b7ebc07de0e2536d94b1

SHA512
0015676c9fb4a97110c57e939150e28c81c9542269226ca9a662d6fe2b6b6566be516a10cce4b5a5340a5b18e62ad84b35bd4f796b99e6f007bc2a74fe7d3e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\zh-Chinese.rfi

Filesize
128KB

MD5
a106c7c5ad1ae96b03fc3819fa791e15

SHA1
b69b2e79b3f20182568d80cfcec2f465cbc5b570

SHA256
cdd4b1ca49df0e9d2123ef69edd7889c713fa97515c64fedad5d568a99c38473

SHA512
5882529bc540aad6e9b372c7227f393b8f9a70cfeb3701dfc5d91397185ca0f366a3984232a99119d6196f34d51bb94bea308545f146242fe51dae15ea8ea97a

Download Submit
\Users\Admin\AppData\Local\Temp\RFSEE45.tmp\rfwipeout.exe

Filesize
3.2MB

MD5
aac5089b859a2b2dc681e870c5b44495

SHA1
57e8a2a77d6f75ae369b923a7a361048087a1130

SHA256
63660535a61778281c75d3a7516acb191af9b8efdf621579e55fdf0141b5205d

SHA512
08292adb58c17f2d501c682eeb6bf076477d012e9e209a0256c0201f563821935d6539b4954ff0d6b7606390e3bc63577db8724c10f7aa9ac2457e62bf7bf0f6

Download Submit
memory/2632-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download