Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k was found to be: Known bad.
Malicious Activity Summary
Echelon
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
NTFS ADS
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-06-14 10:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-06-14 10:49
Reported: 2021-06-14 10:51
Platform: win10v20210410
Max time kernel: 102s
Max time network: 121s
Command Line
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Bitcoin-Check v1.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\Bitcoin-Check v1.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Bitcoin-Check v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bitcoin-Check v1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Bitcoin-Check v1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.0.2139458304\1555540724" -parentBuildID 20200403170909 -prefsHandle 1540 -prefMapHandle 1532 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 1628 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.3.62013209\1626786656" -childID 1 -isForBrowser -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2256 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.13.1922853634\1193161395" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3052 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 3524 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.20.1345227621\544175681" -childID 3 -isForBrowser -prefsHandle 3208 -prefMapHandle 4324 -prefsLen 8017 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 4572 tab
C:\Users\Admin\Downloads\Bitcoin-Check v1.exe
"C:\Users\Admin\Downloads\Bitcoin-Check v1.exe"
Network
Files
memory/3184-114-0x0000000000000000-mapping.dmp
memory/4068-116-0x0000000000000000-mapping.dmp
memory/3604-121-0x0000000000000000-mapping.dmp
memory/1492-124-0x0000000000000000-mapping.dmp
memory/4400-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\Downloads\Bitcoin-Check v1.exe
| Hash | Value |
|---|---|
| MD5 | fa72209ff58ceb1248dc80dd9fcf76a0 |
| SHA1 | ad2d65e196bffdbb79fdf3f5e6df31c6e232a579 |
| SHA256 | 9f92c125c35f93e411bb3e444b8bcb2fc2a906b3658cbac415db95b9246a8ede |
| SHA512 | 9adbe1f789ccbfd16633e1d799c7a26281259be752fac134eb892d3e0d89cc0aa4152098967fd3a1f5acab7c5f9290913aec2180a7dfcb5d4c9e256f1683248f |
memory/4832-129-0x000001FEE1830000-0x000001FEE1831000-memory.dmp
memory/4832-131-0x000001FEFBEC0000-0x000001FEFBF31000-memory.dmp
memory/4832-132-0x000001FEE1C40000-0x000001FEE1C42000-memory.dmp