darkside | 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673

General

Target

156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll
Size

54KB
MD5

f587adbd83ff3f4d2985453cd45c7ab1
SHA1

2715340f82426f840cf7e460f53a36fc3aad52aa
SHA256

156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA512

37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.30b346f4.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Drops file in System32 directory 5 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe

Modifies registry class 6 IoCs

Processes:

firefox.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4\ = "30b346f4"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon\ = "C:\\ProgramData\\30b346f4.ico"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

taskmgr.exerundll32.exe

pid	process
3600	taskmgr.exe
3600	taskmgr.exe
4256	rundll32.exe
4256	rundll32.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskmgr.exefirefox.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3600	taskmgr.exe
Token: SeSystemProfilePrivilege	3600	taskmgr.exe
Token: SeCreateGlobalPrivilege	3600	taskmgr.exe
Token: SeDebugPrivilege	3992	firefox.exe
Token: SeDebugPrivilege	3992	firefox.exe
Token: SeBackupPrivilege	4368	vssvc.exe
Token: SeRestorePrivilege	4368	vssvc.exe
Token: SeAuditPrivilege	4368	vssvc.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

taskmgr.exefirefox.exe

pid	process
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

taskmgr.exefirefox.exe

pid	process
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3992	firefox.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe
3600	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3992 firefox.exe

pid	process
3992	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3488 wrote to memory of 764	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 764	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 764	3488	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 2384 wrote to memory of 3992	2384	firefox.exe	firefox.exe
PID 3992 wrote to memory of 1400	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 1400	3992	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 2388 wrote to memory of 3540	2388	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe
PID 3992 wrote to memory of 3612	3992	firefox.exe	firefox.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
2⤵
PID:764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.0.320327996\1087374056" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 1612 gpu
3⤵
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.6.2101120339\329837940" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 156 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 2908 tab
3⤵
PID:3612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.13.362001218\1614522103" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 3132 -prefsLen 196 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 2836 tab
3⤵
PID:3768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.20.1618842082\283422053" -childID 3 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 6950 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 3592 tab
3⤵
PID:1860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.27.2025427947\1797354232" -childID 4 -isForBrowser -prefsHandle 3996 -prefMapHandle 4028 -prefsLen 6950 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 4016 tab
3⤵
PID:2972

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:3540

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
1⤵
PID:4220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
2⤵
PID:4236

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#3 worker0 job0-4256
4⤵
PID:4488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\chrome.3992.25.50917191
MD5
fe2ceeb0194ab76f28515bec8450da98

SHA1
e11823c5bba27cdf43304278406aebe09021d337

SHA256
40ad3d2a8034960efb066cd198a3c75510626f44748cb238accfa00a7bceca63

SHA512
c1032b52e23def714006bc6603c6e03f9ea66ba2692de56bc848449208b4c490b9a5308f60a4d17f5d036ee3c3f4659b2284ac3b87ae324df17d27943c9e0e97

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads