Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29-09-2021 15:13
General
-
Target
https://f002.backblazeb2.com/file/calenda-gulph-heraclidae/index.html#[email protected]
-
Sample
210929-sls6msfcgr
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of FindShellTrayWindow 14 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://f002.backblazeb2.com/file/calenda-gulph-heraclidae/index.html#[email protected]1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.0.1310813478\1699384164" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 1604 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.0.324976179\296131642" -parentBuildID 20200403170909 -prefsHandle 1396 -prefMapHandle 1388 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 1476 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.73581045\909869404" -parentBuildID 20200403170909 -prefsHandle 1416 -prefMapHandle 1408 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1500 gpu3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffac8824f50,0x7ffac8824f60,0x7ffac8824f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff70f3da890,0x7ff70f3da8a0,0x7ff70f3da8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,3877945948030807641,15685164538224625189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6084 /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
9f20688c661750ad6dcf06eda97f88ba
SHA1a0c2e5929e9d6ed87ae9d555fd8a1c49cbb984ec
SHA256325486c68075a5858c7fa3bae5e88791eaee7f42546d0436c64d9742d22eae3b
SHA512839b542d80a961ee40effea26f4da8d85e7a1e06e76b5462ad71e853e9554fed9bc1011c3bce03f60a1d5844cd09c194923776507d771a28c8ae47482dfebec2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
c10344914a2ed777e56026aacbcbd43d
SHA1ba31f0ee00c15c057d0c4787c5c25a341b82d5c6
SHA256f44b2f81c422ac25d47b3775a51b72d635f026b418c8e61bfb3ec1a8af8143b8
SHA512ca34d15c72f860adc829818e65053dff1ca5fe585c19d6e25dabad8d5556d988ba87d914d8fb2b65bb1f7d7eabe079cb4ebf018dc25a243c4c48db31e824c9af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
ac343cd15b7582a30d7d73bebc7b68a8
SHA1bb03bf8e1ae33478164c06de26dbb2a24c25361d
SHA256fb9c8e6e9c4229e5f84d9dc1bd1abb9b5466773f7309f11a1688e5081c73326d
SHA512c1adcfe2f85b136f6faaedb4bb9076c25607aa9753a59964d81bd7f0177749e4b5f0feaa877d2cab83f1a52ac5dbd699c383f407691f417163971a712b10e15b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\S2NJ8RX7.cookieMD5
12de4ac93002f1fbb7a7ddea1b6bce1c
SHA1b06fa89fbc82928906f73476bb295d8a97b9f677
SHA25649d70e1c1f85596ef354430c31854e1407724639a58844153f8e24ae76d95103
SHA5128519291f9f0af0ee1fd971bca78dc66401675cdf30ccd694314ffad01f21c8cbdc02d22d9ec6ef46d7de3c8fc8ceabdc364028e44a67f99b89b81f013742f790
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tqq24hzz.default-release\Telemetry.FailedProfileLocks.txtMD5
c81e728d9d4c2f636f067f89cc14862c
SHA1da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA51240b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114
-
\??\pipe\crashpad_2328_FFKCFSIHJMBTOGFTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_4944_VBGPRLQWWFQFORAGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/488-115-0x0000000000000000-mapping.dmp
-
memory/664-114-0x00007FFAE36C0000-0x00007FFAE372B000-memory.dmpFilesize
428KB
-
memory/1308-934-0x0000000000000000-mapping.dmp
-
memory/1452-207-0x0000000000000000-mapping.dmp
-
memory/2168-381-0x0000000000000000-mapping.dmp
-
memory/2264-493-0x0000000000000000-mapping.dmp
-
memory/2288-908-0x0000000000000000-mapping.dmp
-
memory/2864-402-0x000001A3C4530000-0x000001A3C4532000-memory.dmpFilesize
8KB
-
memory/2864-238-0x0000000000000000-mapping.dmp
-
memory/2940-485-0x0000000000000000-mapping.dmp
-
memory/3476-930-0x0000000000000000-mapping.dmp
-
memory/3696-116-0x0000000000000000-mapping.dmp
-
memory/4124-731-0x0000000000000000-mapping.dmp
-
memory/4132-662-0x0000000000000000-mapping.dmp
-
memory/4212-565-0x00007FFAEA460000-0x00007FFAEA461000-memory.dmpFilesize
4KB
-
memory/4212-559-0x0000000000000000-mapping.dmp
-
memory/4256-956-0x0000000000000000-mapping.dmp
-
memory/4280-562-0x0000000000000000-mapping.dmp
-
memory/4308-571-0x0000000000000000-mapping.dmp
-
memory/4468-586-0x0000000000000000-mapping.dmp
-
memory/4512-591-0x0000000000000000-mapping.dmp
-
memory/4520-743-0x0000000000000000-mapping.dmp
-
memory/4580-924-0x0000000000000000-mapping.dmp
-
memory/4596-916-0x0000000000000000-mapping.dmp
-
memory/4664-947-0x0000000000000000-mapping.dmp
-
memory/4664-613-0x0000000000000000-mapping.dmp
-
memory/4732-621-0x0000000000000000-mapping.dmp
-
memory/4824-631-0x0000000000000000-mapping.dmp
-
memory/4872-942-0x0000000000000000-mapping.dmp
-
memory/4880-918-0x0000000000000000-mapping.dmp
-
memory/4892-641-0x0000000000000000-mapping.dmp
-
memory/4944-901-0x0000000000000000-mapping.dmp
-
memory/5104-937-0x0000000000000000-mapping.dmp