Analysis
max time kernel: 102s
max time network: 121s
platform: windows10_x64
resource: win10v20210410
submitted: 14-06-2021 10:49
Static task: static1
URLScan task: urlscan1
Sample: https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 4832  Bitcoin-Check v1.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report lists no process IoC under this signature, so it does not show which process triggered it.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 129  api.ipify.org
  flow 130  api.ipify.org
  flow 131  ip-api.com
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  firefox.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
All five IoCs are attributed to firefox.exe, not to the dropped sample; on its own this signature does not show sandbox-evasion behaviour by Bitcoin-Check v1.exe.
Modifies registry class (1 IoC)
Processes:
  firefox.exe  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
NTFS ADS (1 IoC)
Processes:
  firefox.exe  File created  C:\Users\Admin\Downloads\Bitcoin-Check v1.exe:Zone.Identifier
This is the browser writing the Mark-of-the-Web stream on the file it downloaded; the same file is the dropped EXE that later runs as PID 4832.
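The Zone.Identifier stream recorded above is the Mark of the Web that Windows and browsers consult before running a download. The following is an added example (not part of the sandbox report or its tooling) that parses such a stream and gives a one-line triage verdict; the report only records that the stream was created, so SAMPLE_STREAM is a constructed stand-in whose ZoneId, HostUrl and ReferrerUrl values are assumed, not taken from the page.

```python
r"""Read and interpret the Zone.Identifier alternate data stream (Mark of the Web).

Added example, not from the report. The report only records that Firefox
created C:\Users\Admin\Downloads\Bitcoin-Check v1.exe:Zone.Identifier, so
SAMPLE_STREAM below is a constructed stand-in for the stream's contents.
"""
import configparser

# Well-known URL security zone ids used in the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample; the real stream's URLs are not shown on the page.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mega.nz/
HostUrl=https://mega.nz/
"""


def parse_zone_identifier(text):
    """Parse the INI-style stream; return None if there is no [ZoneTransfer] section."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sect = cp["ZoneTransfer"]
    zone = sect.get("ZoneId")
    zone_id = int(zone) if zone is not None and zone.isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONES.get(zone_id, "unknown"),
        "host_url": sect.get("HostUrl"),
        "referrer_url": sect.get("ReferrerUrl"),
    }


def read_zone_identifier(path):
    """Windows only: the ADS is opened as '<path>:Zone.Identifier'.
    Returns None when the file carries no such stream (no Mark of the Web)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


def motw_verdict(info):
    """One-line triage verdict for a parsed stream (or None when it is missing)."""
    if info is None:
        return "no Mark of the Web (stream missing): origin unknown or MotW stripped"
    if info["zone_id"] in (3, 4):
        return f"downloaded from {info['zone_name']} zone; host: {info['host_url'] or '(none)'}"
    return f"zone {info['zone_id']} ({info['zone_name']}): not flagged as an internet download"


if __name__ == "__main__":
    print(motw_verdict(parse_zone_identifier(SAMPLE_STREAM)))
    print(motw_verdict(parse_zone_identifier("")))
```

On a live Windows host `read_zone_identifier(r"C:\Users\Admin\Downloads\Bitcoin-Check v1.exe")` reads the real stream; a missing stream on a file that is known to have been downloaded is itself worth noting, since MotW can be stripped by archive extraction or by the sample.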
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 4832  Bitcoin-Check v1.exe
  PID 4832  Bitcoin-Check v1.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  PID 3184  firefox.exe           Token: SeDebugPrivilege
  PID 3184  firefox.exe           Token: SeDebugPrivilege
  PID 4832  Bitcoin-Check v1.exe  Token: SeDebugPrivilege
The firefox.exe entries come from the browser itself; the entry for PID 4832 is the one attributable to the dropped sample.
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  PID 3184  firefox.exe  (4 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  PID 3184  firefox.exe  (3 entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  PID 3184  firefox.exe  (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical records collapsed)
Processes:
  PID 2680 (firefox.exe) wrote to memory of PID 3184 (firefox.exe)
  PID 3184 (firefox.exe) wrote to memory of PID 4068 (firefox.exe)
  PID 3184 (firefox.exe) wrote to memory of PID 3604 (firefox.exe)
  PID 3184 (firefox.exe) wrote to memory of PID 1492 (firefox.exe)
Every record is firefox.exe writing into a firefox.exe process it spawned: the launcher (2680) into the browser parent (3184), and the parent into its gpu and tab content processes listed under Processes. None of the records target Bitcoin-Check v1.exe (PID 4832), so this signature reflects the browser's multi-process model rather than injection by the sample.
Processes
- C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2680)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3184)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
    Signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4068, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.0.2139458304\1555540724" -parentBuildID 20200403170909 -prefsHandle 1540 -prefMapHandle 1532 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 1628 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3604, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.3.62013209\1626786656" -childID 1 -isForBrowser -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2256 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1492, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.13.1922853634\1193161395" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3052 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 3524 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4400, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.20.1345227621\544175681" -childID 3 -isForBrowser -prefsHandle 3208 -prefMapHandle 4324 -prefsLen 8017 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 4572 tab
- C:\Users\Admin\Downloads\Bitcoin-Check v1.exe  (PID 4832)
  Command line: "C:\Users\Admin\Downloads\Bitcoin-Check v1.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
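The WriteProcessMemory records and the process tree above, as an added example that is not part of the sandbox report or its tooling: a script that parses the report's "PID X wrote to memory of Y" record format, collapses the repeated entries, and labels each write using the parent/child relations from the Processes section. The process table is transcribed from this report; REPORT_LINES is a constructed subset of its 64 records; HYPOTHETICAL_LINES is a made-up record that does not appear in the report, included only to show how a cross-image write would be flagged.

```python
"""Classify WriteProcessMemory records from a sandbox report.

Added example (not part of the sandbox's own tooling). REPORT_LINES is a
constructed subset of this report's "wrote to memory of" entries; the
process table is transcribed from its Processes section.
"""
import re
from collections import Counter

# Record format as the report prints it:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)$")

# Process table from the report's Processes section:
# pid -> parent pid, image name, whether it is a Firefox -contentproc child.
PROCESSES = {
    2680: {"ppid": None, "image": "firefox.exe", "contentproc": False},
    3184: {"ppid": 2680, "image": "firefox.exe", "contentproc": False},
    4068: {"ppid": 3184, "image": "firefox.exe", "contentproc": True},   # gpu
    3604: {"ppid": 3184, "image": "firefox.exe", "contentproc": True},   # tab
    1492: {"ppid": 3184, "image": "firefox.exe", "contentproc": True},   # tab
    4400: {"ppid": 3184, "image": "firefox.exe", "contentproc": True},   # tab
    4832: {"ppid": None, "image": "Bitcoin-Check v1.exe", "contentproc": False},
}

# Constructed subset of the report's records (the report lists 64 of them).
REPORT_LINES = [
    "PID 2680 wrote to memory of 3184 2680 firefox.exe firefox.exe",
    "PID 2680 wrote to memory of 3184 2680 firefox.exe firefox.exe",
    "PID 3184 wrote to memory of 4068 3184 firefox.exe firefox.exe",
    "PID 3184 wrote to memory of 3604 3184 firefox.exe firefox.exe",
    "PID 3184 wrote to memory of 3604 3184 firefox.exe firefox.exe",
    "PID 3184 wrote to memory of 1492 3184 firefox.exe firefox.exe",
]

# Hypothetical record that does NOT appear in the report; it only shows what
# a cross-image write (the injection case) would look like.
HYPOTHETICAL_LINES = [
    "PID 4832 wrote to memory of 3184 4832 Bitcoin-Check v1.exe firefox.exe",
]


def parse_record(line):
    """Return (src_pid, dst_pid, src_image, dst_image), or None if not a WPM record."""
    m = WPM_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def classify(src, dst, procs):
    """Label one write by what the process tree says about the two PIDs."""
    s, d = procs.get(src), procs.get(dst)
    if s is None or d is None:
        return "unknown-process"
    if d["ppid"] == src and s["image"] == d["image"]:
        return "parent-to-own-child"   # a binary initialising children it spawned
    if s["image"] == d["image"]:
        return "same-image"
    return "cross-image"               # a different binary writing into the target


def summarize(lines, procs):
    """Collapse repeated records into (src, dst, label) -> count."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec:
            src, dst, _, _ = rec
            counts[(src, dst, classify(src, dst, procs))] += 1
    return counts


def suspicious(lines, procs):
    """Distinct (src, dst) pairs worth a closer look, in first-seen order."""
    seen = []
    for (src, dst, label), _ in summarize(lines, procs).items():
        if label in ("cross-image", "unknown-process") and (src, dst) not in seen:
            seen.append((src, dst))
    return seen


if __name__ == "__main__":
    for (src, dst, label), n in sorted(summarize(REPORT_LINES, PROCESSES).items()):
        print(f"{src} -> {dst}: {n:2d} x {label}")
    print("suspicious in report:", suspicious(REPORT_LINES, PROCESSES))
    print("suspicious with hypothetical:",
          suspicious(REPORT_LINES + HYPOTHETICAL_LINES, PROCESSES))
```

Run against the report's own records every write lands in the parent-to-own-child bucket, which is what a Firefox launcher, browser parent and content processes look like; the made-up Bitcoin-Check v1.exe record is the shape that would justify pulling a memory dump of the target.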
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5:    fa72209ff58ceb1248dc80dd9fcf76a0
SHA1:   ad2d65e196bffdbb79fdf3f5e6df31c6e232a579
SHA256: 9f92c125c35f93e411bb3e444b8bcb2fc2a906b3658cbac415db95b9246a8ede
SHA512: 9adbe1f789ccbfd16633e1d799c7a26281259be752fac134eb892d3e0d89cc0aa4152098967fd3a1f5acab7c5f9290913aec2180a7dfcb5d4c9e256f1683248f