Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
10-06-2021 23:13
General
-
Target
2d2f33da036cf7945401ec14ae9ff6ca.exe
-
Size
568KB
-
MD5
2d2f33da036cf7945401ec14ae9ff6ca
-
SHA1
411a5706daf68e47dd828af8c2616d67420b7a94
-
SHA256
3d05fee7a89dfce1ad029562fa7b84346bce12d932214cde9b26f266d53ce49c
-
SHA512
77ef687b29f74735eb652277cbc16b646cd0c14e0b2290eb05a9b5b9556b5f41b0a3c6126dee5be5f53485a35d81d454dac9ba5fe3322378ab3b9f061652feb0
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d2f33da036cf7945401ec14ae9ff6ca.exe"C:\Users\Admin\AppData\Local\Temp\2d2f33da036cf7945401ec14ae9ff6ca.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.0.1492433872\1320420230" -parentBuildID 20200403170909 -prefsHandle 1488 -prefMapHandle 1480 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 1572 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.3.1613558633\1253004179" -childID 1 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 5468 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.13.1632934106\1323996685" -childID 2 -isForBrowser -prefsHandle 5256 -prefMapHandle 5424 -prefsLen 1022 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 5296 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1372.20.914826676\1666593446" -childID 3 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1372 "\\.\pipe\gecko-crash-server-pipe.1372" 4136 tab4⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0x84,0xd4,0x7ff8a64a4f50,0x7ff8a64a4f60,0x7ff8a64a4f703⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1564 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1772 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings3⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff73213a890,0x7ff73213a8a0,0x7ff73213a8b04⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1548,10748985336983438967,2329767992977540886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2024 /prefetch:83⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1440 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2d2f33da036cf7945401ec14ae9ff6ca.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 14403⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1440 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2d2f33da036cf7945401ec14ae9ff6ca.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 14403⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f821c9373168a40378173f2af19112c2
SHA1cda76f41b912c5407df424a7e3dc9741bc6e1bc5
SHA256795e05d1b80a0991927a178e1220dc22d3e0b33223fb197a4b205cb7762a3405
SHA512359491708e03d5e8a9b60ce1df6abc363174af8e173bf605fdb524704c819aac03a9071ec34f3ce685669e1b6a3461ed9af436eddc60e884b9ee118fa5ea7581
-
MD5
519144c818963ea5fc2ab482dbf1ea0b
SHA100cd5dd55eee91ded3e4e17c8fd3dbac963cf556
SHA2569abf505903203c5673e976b6cf4edd62fb6d8f83f93b1a1b1c9961f1528aa8f9
SHA5126c2c5883b0096f27a0dc2f9848d8a7b6b5bbdf7ef03c6d636820d1e6a7440bbf90fb3dcd18c5e6b039c336dd51536766ba28f00960f32d63469d8c678d98a7a1
-
MD5
3621eda26da95a4142955f56c5c385d0
SHA1e597ead68d1ca0171ee532c6ca6e157c8ddea06a
SHA256e3d07ea541c32c7f419079ed9fc753dcc6452593419a179534bfc60f21d9305f
SHA5121c8c5aca4e2021ead5016361586ebd5e1a92f039996faa43fc3b88f5aae03d152052df3b92c63f8939c3d709c6dea79d1aaa6f988b646527ed0bba0cd6c0bf4a
-
MD5
7308e58bf4b9264368e35494e7627965
SHA1d221abedd37acc45a9ebbd861106a66aee57e595
SHA256ddb3763958a15ad9d6cedfd472daf9528e93ef5214b9dd4472de26a14705aae8
SHA5121ed20fad96ae459e82592792038bffdfd4dc009eab84ab8af33ea2f9faed976aacd4937a8b0fec8095b05b02839c96277dccb6c3ca525ce226822d84670e279e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
-
-
-
-
-
-
-