3f2681c4a608ec4c8b57c3d25a7d2acb387eb707ee7f155df2a043c013c1f43b

General

Target

3f2681c4a608ec4c8b57c3d25a7d2acb387eb707ee7f155df2a043c013c1f43b.dll
Size

120KB
MD5

5fe97e6ac07dde840c71df15c5f8ca77
SHA1

3efddbef4a6d09f9ad9c176caad8641c6c95c9db
SHA256

3f2681c4a608ec4c8b57c3d25a7d2acb387eb707ee7f155df2a043c013c1f43b
SHA512

927bedb0cf49f8a6d719067ade8e617eb7e5eacbed33e5c78b8a93a2d26a3b3f668f7f666637c54eeb7018c4546aee7f4e01d34746ab677743134d98281b0cd2

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 3 IoCs

Processes:

SystemSettings.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\1742034116\2087166547.pri	SystemSettings.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4068 2756 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
4068	2756	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SystemSettings.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemSettings.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
2756	regsvr32.exe
2756	regsvr32.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WerFault.exeSystemSettings.exe

description	pid	process
Token: SeRestorePrivilege	4068	WerFault.exe
Token: SeBackupPrivilege	4068	WerFault.exe
Token: SeDebugPrivilege	4068	WerFault.exe
Token: SeShutdownPrivilege	2452	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2452	SystemSettings.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3392 firefox.exe
3392 firefox.exe
3392 firefox.exe
3392 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3392 firefox.exe
3392 firefox.exe
3392 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SystemSettings.exefirefox.exe

pid process

2452 SystemSettings.exe
3392 firefox.exe

pid	process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

pid	process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

pid	process
2452	SystemSettings.exe
3392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2648 wrote to memory of 2756	2648	regsvr32.exe	regsvr32.exe
PID 2648 wrote to memory of 2756	2648	regsvr32.exe	regsvr32.exe
PID 2648 wrote to memory of 2756	2648	regsvr32.exe	regsvr32.exe
PID 2756 wrote to memory of 3892	2756	regsvr32.exe	explorer.exe
PID 2756 wrote to memory of 3892	2756	regsvr32.exe	explorer.exe
PID 2756 wrote to memory of 3892	2756	regsvr32.exe	explorer.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 1628 wrote to memory of 3392	1628	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3768	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3768	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 1072	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3424	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3424	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3424	3392	firefox.exe	firefox.exe
PID 3392 wrote to memory of 3424	3392	firefox.exe	firefox.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3f2681c4a608ec4c8b57c3d25a7d2acb387eb707ee7f155df2a043c013c1f43b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3f2681c4a608ec4c8b57c3d25a7d2acb387eb707ee7f155df2a043c013c1f43b.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 768
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.0.648440\791009256" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 1624 gpu
3⤵
PID:3768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.3.1766456652\574432652" -childID 1 -isForBrowser -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 122 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2268 tab
3⤵
PID:1072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.13.1803480959\1894726409" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 6979 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 3452 tab
3⤵
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads