Analysis

  • max time kernel
    1590s
  • max time network
    1520s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    24-01-2022 21:02

General

  • Target

    https://anonfiles.com/3eqaq5Y2u9/TrafficBot_7.60_rar

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfiles.com/3eqaq5Y2u9/TrafficBot_7.60_rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfiles.com/3eqaq5Y2u9/TrafficBot_7.60_rar
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.0.990767330\1116772808" -parentBuildID 20200403170909 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 1 -prefMapSize 219766 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 1784 gpu
        3⤵
        PID:4044
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.3.940960823\168014742" -childID 1 -isForBrowser -prefsHandle 2440 -prefMapHandle 2240 -prefsLen 78 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2472 tab
        3⤵
        PID:2100
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.13.1505496068\483014984" -childID 2 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 944 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3284 tab
        3⤵
        PID:2656
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.20.1371678290\1795262393" -childID 3 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 6935 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3808 tab
        3⤵
        PID:384
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
    PID:972
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 5ddfab62cf29df5e062aee10e0ce0a42 9BC1rJC06k+5TJbrMbgHig.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1544
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:5080
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:4664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:64
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wsappx -p
    1⤵
    PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1

Downloads