Analysis

  • max time kernel
    77s
  • max time network
    84s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09/09/2024, 12:24

General

  • Target

    Rebel.7z

  • Size

    8.1MB

  • MD5

    4a8429dd823216bda95f67f85483a8d9

  • SHA1

    77640784d85848c945820d37794839f346f138d2

  • SHA256

    cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de

  • SHA512

    1d4d41cee280c62657b17c2ddc11fc7ce6bab42204d94fe05eed263d139765c19dfd16f2fde4b4e5e8b925c39945c3208600a2bfad941e4723d3bfeb7c30b91a

  • SSDEEP

    196608:15bVwZ4n4D4PLSFpJah2Hc4sEYcGijKseRAKvpZheSaE:155EAWpSt/DcFjqRAKvnhpd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Rebel.7z
    1⤵
    • Modifies registry class
    PID:824
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:600
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.0.1093809278\137687721" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afbd791a-ca8b-463e-bc13-e8eea73a1b2b} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 1792 172910f8858 gpu
        3⤵
        PID:2332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.1.2024856345\1885234256" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a69c3426-299c-45f5-85b0-2632d9893b04} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 2144 17290ff9258 socket
        3⤵
        • Checks processor information in registry
        PID:4804
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.2.65810045\297182036" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2884 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04c66701-0956-4fce-8a42-ff7cdfcec068} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 2832 172952b2358 tab
        3⤵
        PID:2016
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.3.974889318\2110973272" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 3360 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83e90f3c-0412-4dbd-b0ba-0f0f4726ce35} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 3388 172fdf2ff58 tab
        3⤵
        PID:1692
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.4.971733013\306219224" -childID 3 -isForBrowser -prefsHandle 4216 -prefMapHandle 4212 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {290882f5-8319-41e5-8287-7eb33e033980} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4228 17296ff2058 tab
        3⤵
        PID:3324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.5.1654201252\602183310" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {557d0312-4fde-42d4-b8b3-396ec69376d4} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4784 1729771c558 tab
        3⤵
        PID:1336
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.6.215107644\4828248" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0c0382d-b289-48e6-b8e2-7d08a1126c92} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4928 17297aab758 tab
        3⤵
        PID:4764
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.7.1218949276\1058624633" -childID 6 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab5d3ce-174d-42f9-9a01-fd31a8b6fb46} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4916 17297aaa858 tab
        3⤵
        PID:660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.8.755773681\1244787896" -childID 7 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb30275-2a9f-4d10-a351-84e036046d6f} 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 5656 17299225b58 tab
        3⤵
        PID:5092

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    e0a7e990e4025351d9c75317acb8c953
    SHA1
    3afffe77e695ccf8b2c8f90f97ce4481ef22a718
    SHA256
    029020b7acbe9e2b84d62b73bfe40e8a7672fb23ed0f90c41d28e413d1874bc9
    SHA512
    487262b818977bd2f7d6b5a37fbc4567e70b11af37eba3bbd61448007fa8f952873bcf83178c149ebbb87314e39c4edbfc2c961b517eefbaf569d8b3e02c833c
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\0fb2854a-189d-4e34-b7df-a9f494d87d46
    Filesize
    746B
    MD5
    a7387d50b215506a721a584644de27f4
    SHA1
    1e2d7b3f6c6aac5ad377fe086c47db2fbfcb6769
    SHA256
    28373f5a3cfc2cc14059ba1857bddda45a54bcea649be92383f6356900d95a5d
    SHA512
    6f797781debb760843b8837f9c57a472c14b22e678fe2ae860313d3de65f4a42a061f1d4475a17ed0ce15dcca9ee8e742cf7225af03aaaafe9ed3079da91ff5d
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\ea584e1d-48e3-4082-a823-124c46d4de7c
    Filesize
    10KB
    MD5
    104df126ba139c91aadb261b93d089aa
    SHA1
    00e862eecd99dc1add662bb029a75fa196289854
    SHA256
    483352361cc3057344b55ac8154cd78a579d95ea7fcba7d0391638e0e1f1a67e
    SHA512
    92b37e07fc98d5e26c9e3fd26f2aa92f228aa061c30f04935d4caec2ae1da971ff7fdbbfb828b0abad95f25628505c5d52f239ab1aadc2662c8d57321e480465
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    1a32af928fe8ab97cff919617b78c464
    SHA1
    3e997b2f3e18e9eb989157f74d83f3ba8ad805c4
    SHA256
    6fd09d433b634ab45508bdbb60965856b5c6b432a37a38eeb3a6cbae2e35f96b
    SHA512
    713b040f6615d1b06600bf0828478ac31901c52c548b49f46074b88ce38fde02315e21c7d788a61e8bf2c70f5e3576a1f9a018eb06ca45b0c7a76be2815c87b6
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    871b48691ce9584801d7b2a9833c3e99
    SHA1
    1aafe8262e49c8c600f3dbcdfb9c623e412000fe
    SHA256
    cb0f03e77cec249c23701a45dc9a8612abf4933a6fa53860a1202834f742bbf4
    SHA512
    e15628805726e6cde3f828b0506988ba76709863d5e94a80e5a3c77f9b91b1bffb04d8cbf6cd46ce34268b8d8d4f2fd3424f273f3576f0441b4142b22818e5f4
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    af495d9608b139e78d53e87a904af199
    SHA1
    08626609c8d989c091899194a749de225efe5d92
    SHA256
    94a0e86bc57bc0d88632ac237578e20318c297196773c56eccbeb42db8c6c693
    SHA512
    86bfe61f29e2cf5e80da625b4b1a80e70e8a64ad6dce01d27455601caa317f39791eba9476956ff384d5f68ab26b5b12b65a37859b8bc86b5bb071280087de09
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    77f3b8978033996b7aa7e32281e21682
    SHA1
    edb08d13d9e540623a9e4646db4bec862581c914
    SHA256
    58be655db2e7d5e4b95d5b9a66dd70c65e5f190486edd2fd647a7e509932bd1a
    SHA512
    6c8aa9b17aab155e77963703508f98abb01c883d0b2d4a90906a10677fea1c707859d20bad728e79183cff30621c0b9d62b18e6df1494d07c3a53beda7210095
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4
    Filesize
    4KB
    MD5
    588dac8722b5140d57ba5562a31f0143
    SHA1
    2f21c5e307f6596b1fadfe128726fcaebafd8dd8
    SHA256
    8398b1e1a0046c6a1988ebed59732d619626099adb66dd255af580f94112e6c4
    SHA512
    d8c6edaa1959cd0f017f3b3dea7b1d7fd37945f893e7b6a00db3c3256b970778e321f18a16d07cba2972afc17791b7a4856d761192aa4dfa89434e6ad29f6723
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    184KB
    MD5
    3fce64c3cf23f070dbe67b544cebc92b
    SHA1
    84d5104a0aedcb8c73e2ce79598ae97d8190fb8e
    SHA256
    21679f659e81fa16d78fb675003b34c8cba5d361da34399b1938ab1a86e4590f
    SHA512
    8f99e44cbc39b256ae6087d962cdc1a31dc674ea3542eb48e55dbcd2ff8c3602ea8940373d8429036e86b2340e3d1cb267dee7bd97890c861601f212f6dde2b3