Upon extracting the archive, the following behaviors are usually observed:
It attempts to write a copy of itself to the %AppData% or %Temp% directory and creates a Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so that it starts again after a reboot.
In a production environment, this file should be blocked by attachment filtering and its associated C2 IPs should be blacklisted at the firewall.
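A defender-side check for the Run-key persistence described above, added here as an example and not taken from the original note: it parses a constructed `reg export` of the HKCU Run key and flags any entry whose executable is launched from %AppData% or %Temp%. The sample entries, user name and file names are invented.

```python
import re

# Constructed sample: what `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`
# would produce. Every value below is invented for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe"
"Helper"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\RiS032021.exe\" -s"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# %AppData% resolves to AppData\Roaming and %Temp% to AppData\Local\Temp for a user;
# a Run entry pointing there (instead of Program Files) matches the persistence pattern.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value_name: command_line} for the Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            # .reg files escape quotes and backslashes; undo that to recover the real command line
            values[m["name"]] = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return values

def executable_path(command_line):
    """Extract the program path from a Run value (quoted path or first token)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def flag_suspicious(values):
    """Names of Run entries whose executable lives under %AppData% or %Temp%."""
    hits = []
    for name, cmd in values.items():
        path = executable_path(cmd).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(flag_suspicious(parse_run_values(SAMPLE_REG_EXPORT)))  # ['Updater', 'Helper']
```

On a live host the same logic applies to a real export of the key, or to the output of `reg query`, which uses a slightly different line format.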
When executed in a sandbox environment, the payload within RiS032021.rar generally exhibits these traits:
The flag is often hidden in the metadata of the archive or within the strings of the unpacked executable (search for "CTF{" or "FLAG:").