58bb4399d28df01f90e1d0c5b2cf734dc53557d543354de3ce14fa6f6931c58a

General

Target

winrar-x64-591.exe
Size

3.1MB
MD5

779b1a96f1da4a1af90eecf940dd6d07
SHA1

3f077891cddd60f7770067f044ddf56ea73d699d
SHA256

58bb4399d28df01f90e1d0c5b2cf734dc53557d543354de3ce14fa6f6931c58a
SHA512

ae37b7b3647e63ccafb98b87d14d7cd02855c06bd6b7cdbcd00db85b65d40bd8a5e95bafb859d1fbd01fe832b3ba1b910ed68bcaaf56a96d47d317292bdc2488

Score

7^/10

spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

winrar-x64-591.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-591.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1708 firefox.exe
Token: SeDebugPrivilege 1708 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winrar-x64-591.exe

pid process

684 winrar-x64-591.exe
684 winrar-x64-591.exe

description	pid	process
Token: SeDebugPrivilege	1708	firefox.exe
Token: SeDebugPrivilege	1708	firefox.exe

pid	process
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe

pid	process
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe

pid	process
684	winrar-x64-591.exe
684	winrar-x64-591.exe

Suspicious use of WriteProcessMemory 148 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1720 wrote to memory of 1708	1720	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1960	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1960	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1960	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 1964	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 972	1708	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.0.987954303\868093340" -parentBuildID 20200403170909 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 1 -prefMapSize 219537 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1276 gpu
3⤵
PID:1960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.3.70463930\911640324" -childID 1 -isForBrowser -prefsHandle 1664 -prefMapHandle 1648 -prefsLen 122 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1096 tab
3⤵
PID:1964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.13.1781524053\407518409" -childID 2 -isForBrowser -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 988 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 2512 tab
3⤵
PID:972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.20.1218070294\603301847" -childID 3 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 7371 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 2852 tab
3⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef46b6e00,0x7fef46b6e10,0x7fef46b6e20
2⤵
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
cc55beaa6076fc16d7c6fcb48acd2285

SHA1
27c215d9703b5c28b7dc818758fab94050ce1854

SHA256
fbf05377e6b4b454ae06941f2b378ab4d3847cd5bd2db41833ce3c13445f8986

SHA512
c1add79bf10bce97e234b085e0c9a40b4d786750b16aef2c1dc10b8c468d54638ab224cf6f0f7f7b8d3c37cc0067db3f0420ddb3f42622e7849d88b817fc5fea

Download Submit
\??\pipe\crashpad_2692_OAKCYDKAZQAOSKNI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/684-5-0x0000000005550000-0x0000000005573000-memory.dmp

Filesize
140KB

Download
memory/972-848-0x0000000000000000-mapping.dmp

Download
memory/1340-2448-0x0000000000000000-mapping.dmp

Download
memory/1708-7-0x0000000000000000-mapping.dmp

Download
memory/1720-8-0x0000000000060000-0x0000000000070000-memory.dmp

Filesize
64KB

Download
memory/1960-226-0x0000000000000000-mapping.dmp

Download
memory/1964-493-0x0000000000000000-mapping.dmp

Download
memory/2004-0-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp

Filesize
2.5MB

Download
memory/2064-1776-0x0000000000000000-mapping.dmp

Download
memory/2100-2457-0x0000000076FB0000-0x0000000076FB1000-memory.dmp

Filesize
4KB

Download
memory/2100-2418-0x000000013FB73F60-0x000000013FB74020-memory.dmp

Filesize
192B

Download
memory/2100-2409-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2100-2435-0x0000000000000000-mapping.dmp

Download
memory/2140-2594-0x0000000000000000-mapping.dmp

Download
memory/2168-2694-0x0000000000000000-mapping.dmp

Download
memory/2388-2747-0x0000000000000000-mapping.dmp

Download
memory/2488-2501-0x0000000000000000-mapping.dmp

Download
memory/2512-2705-0x0000000000000000-mapping.dmp

Download
memory/2512-2745-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2576-2733-0x0000000000000000-mapping.dmp

Download
memory/2680-2666-0x0000000000000000-mapping.dmp

Download
memory/2772-2162-0x0000000000000000-mapping.dmp

Download
memory/3048-2675-0x0000000000000000-mapping.dmp

Download
memory/3048-2693-0x0000075100040000-0x0000075100041000-memory.dmp

Filesize
4KB

Download
memory/3048-2726-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/3048-2744-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads