Windows Analysis Report
AEAT-Notificaci#U00f3n..rar

ID:	830334
Product:	CloudBasic
Start time:	09:20:30
Start date:	20.03.2023
Sample:	AEAT-Notificaci#U00f3n..rar
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Architecture:	WINDOWS
MD5:	dd05bf773b3d290ef4925014d0bd6e12
SHA1:	a26d39292e8d88b4c3efc90ea759d8a68980847e
SHA256:	c00e9a2a34c6b7a69d2ed42b92f07bfcd35134dd39fd19334b233c23da3118c6
Filetype:	RAR Archive (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Melaenic.mil	data	5674661083BA2E6903DB69C253682AD0	75C8C397677A778AA479B699F9F94F9299635561	14422C6CFC0B73AC9B882D9471F81FAD84FB8ADCA9F6AE26E5197AD96CA7D90F
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\Oversaturated.Bil	ASCII text, with very long lines (26818), with no line terminators	8F73411385AA2F4BF5CDF54248F86ABE	676D41087832C418180C206151601686AAEC6B55	D76B20E8714264A7B1099E5386D6AA8D2486C162EA70C76F5C549143CDFF2E21
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.Primitives.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	EDA04E04EBC0EBF7F8BBF30C4DAE6DE3	7BC4D50E6EEC7F04A9272BFEE4E4DB6F278DBE63	F3E55CB3ADFA93F563B09114D93062E680AB0864C220491458FBE151798B862F
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.TypeExtensions.dll	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows	F2A123183E106BB1CF19376A8079D171	2B96296BE92D5F2EF7C59A70858AF4CAABC99A9D	896D4ED138C35ECF19AE432380096562872EAB103F7E352C15D214FD875B337A
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\battery-level-90-charging-symbolic.svg	SVG Scalable Vector Graphics image	C96D0DD361AFC6B812BDDD390B765A26	71081F096719CAA70B9BAEF86FE642635D8E2765	6690799E5FA3FB0DD6CCE4BAC5AA1607C8A6BB16507854A87520C7DE53052E1B
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\colorimeter-colorhug-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	7843C38CC42C6786B3373F166AF10172	BA0163109D9B641B1312230B3F62E1E10A61AA5E	E3AF1293F8E8AB5C81300196AF55A7C15D5608291D46A2B86D4255910A7D0E59
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\media-playlist-consecutive-symbolic.svg	SVG Scalable Vector Graphics image	021A9F00A28C9D496E490AE951E8EF12	F8A6392065D07BAC72E138B0E47A24FFDCCEE74B	B420561770B77FCB47F69B6198B34B11155535F8A2E907BC4A0998CE74AFD340
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\network-offline-symbolic.svg	SVG Scalable Vector Graphics image	EFB3C780BC44B346B50B1F0DC6CF6D0F	472B0EDD1C4C3092BC7C4DF934ABE126885B1780	990859D3B2C830E23EC276BF1D38A38EE1BA3D89BF04CB138107E4CDE31167B5
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\network-wireless.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	5AF147D26AD399F83825377F04FD56A1	B378A498B0DB8114C794E21D533E80CEBE5DDE04	6147A091847FCC9D9EDB22E655C4FC9DE6632C76D4252350400FA286F9791109
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\preferences-desktop-font-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	F894266AB6A933B2FDA751E6490C319A	2D2D3635198FEEFCB64D1D6B3CDCCDC4EA3DF4B0	95F533585B4C61936C369557B3B7E397E56545A4C9DB9A5BDDD0E9ABB7A7F7E7
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\task-due-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	003B524806C1CA654CAC6ED2EB883E1B	F6F6ACA125DC4DB3B33378404017B5EE7D21D334	2899E53769FA741E2C0675A2C69D2C246A8F34601BEE58DD66B16261005962A9
C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\window-close.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	7FBFE5B0A7AD2A67AACFD8481F8DCA01	21BABB6B7EC4746835DB43DC6A69A4AF0EFECA2D	0B4CD789E087F712F131FACCD754DC461774498DF3CA19B346D461D18A0AE622
C:\Users\alfredo\AppData\Local\Temp\nslCA0A.tmp\AdvSplash.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E8B67A37FB41D54A7EDA453309D45D97	96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E	2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF
C:\Users\alfredo\AppData\Local\Temp\nslCA0A.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	8B3830B9DBF87F84DDD3B26645FED3A0	223BEF1F19E644A610A0877D01EADC9E28299509	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	FE2CE03E16418D24EEA8A3EB5CFE1DD5	49E3AB955C0C92FEB101CD039BC1891F950457C6	36279C5DB2A42FA7B963EE7E816AB366EA1AB370BF08C94AAFD1D0A826601C7D
C:\Users\alfredo\Documents\Outlook Files\Outlook Data File - NoEmail.pst	data	D3EB80964CF05083D399F33AAF886424	D25168E766196FFDF14821BDA3876EF8000527AF	37F68D3C5C5626F5E023D16E9257A254EF0CA37775779F1B6B8A927F2B78FCA7

Compliance

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Replyingly\Avnbgen\Spisekamrenes

Networking

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95

System Summary

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe

File created: C:\Users\alfredo\AppData\Local\Temp\nsqC93E.tmp

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: classification engine

Classification label: mal52.troj.evad.winRAR@3/16@0/19

Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\alfredo\Desktop\" -an -ai#7zMap6823:108:7zEvent2591
Source: unknown	Process created: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe "C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe"

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_02

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Replyingly\Avnbgen\Spisekamrenes

Data Obfuscation

Source: Yara match

File source: 00000008.00000002.2683502888.0000000004633000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Persistence and Installation Behavior

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	File created: C:\Users\alfredo\AppData\Local\Temp\nslCA0A.tmp\System.dll			Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe			Jump to dropped file
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	File created: C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.TypeExtensions.dll			Jump to dropped file
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	File created: C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.Primitives.dll			Jump to dropped file
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	File created: C:\Users\alfredo\AppData\Local\Temp\nslCA0A.tmp\AdvSplash.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9CFD6Fh 0x00000009 jmp 00007FDD3C9CFDDEh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C79F2DFh 0x00000009 jmp 00007FDD3C79F34Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9C61AFh 0x00000009 jmp 00007FDD3C9C621Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3CE58F7Fh 0x00000009 jmp 00007FDD3CE58FEEh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9CFDAFh 0x00000009 jmp 00007FDD3C9CFE1Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3CDF74BFh 0x00000009 jmp 00007FDD3CDF752Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9CD92Fh 0x00000009 jmp 00007FDD3C9CD99Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9C61FFh 0x00000009 jmp 00007FDD3C9C626Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	RDTSC instruction interceptor: First address: 00000000049967E4 second address: 00000000049967E4 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, 00000034h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FDD3C9C5EEFh 0x00000009 jmp 00007FDD3C9C5F5Eh 0x0000000b cmp dx, F1B8h 0x00000010 cmp dx, cx 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 cmp edx, ebx 0x00000017 rdtsc

Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.TypeExtensions.dll			Jump to dropped file
Source: C:\Users\alfredo\Desktop\AEAT-Notificaci n..exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\ftre\Peroba\Udviklers\Unsingableness\System.Reflection.Primitives.dll			Jump to dropped file

Language, Device and Operating System Detection

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation