11c4c9a0386be71dfe68af6b96ae2d17e89036ef5b62672c84087c3f80706c93

Resubmissions

25/02/2022, 16:28

220225-tysw3shhhm 8

19/05/2021, 13:45

210519-8m9k3t3eza 8

Analysis

max time kernel
433s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
25/02/2022, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

179KB
MD5

61fccc142e2bbf498885bb6e42bae62c
SHA1

7f15507c7798d8b99696c19929c86c6c629eb2f5
SHA256

ae91da58a702252cc0dabcf19fa65e9655c7b7143e71e048aad1ebe59a31aabf
SHA512

a3cc95a442581d02c97d4fe48494b157f37e5dff4ddf175723a2c99e442492370ad65f9f22da29ffd020754445193215b7dadc3515ab8cee91b6dd3b1f1202b1

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\AddMeasure.tiff	sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertUse.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertUse.tiff => C:\Users\Admin\Pictures\ConvertUse.tiff.matryoshka	sample.exe
File opened for modification	C:\Users\Admin\Pictures\DebugRegister.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\InstallFormat.png => C:\Users\Admin\Pictures\InstallFormat.png.matryoshka	sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchSet.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\AddMeasure.tiff => C:\Users\Admin\Pictures\AddMeasure.tiff.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\DebugRegister.tiff => C:\Users\Admin\Pictures\DebugRegister.tiff.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\RenameRead.png => C:\Users\Admin\Pictures\RenameRead.png.matryoshka	sample.exe
File renamed	C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.matryoshka	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-white.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_40x40x32.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-fullcolor.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-150.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30_altform-unplated.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\office.js	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-125.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-100_contrast-black.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png	sample.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Landing.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-400.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-300.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-100.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	sample.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg	sample.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2396	taskmgr.exe
936	firefox.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	taskmgr.exe
Token: SeSystemProfilePrivilege	2396	taskmgr.exe
Token: SeCreateGlobalPrivilege	2396	taskmgr.exe
Token: SeBackupPrivilege	736	vssvc.exe
Token: SeRestorePrivilege	736	vssvc.exe
Token: SeAuditPrivilege	736	vssvc.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe
Token: SeDebugPrivilege	936	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1040	sample.exe
1040	sample.exe
1040	sample.exe
1040	sample.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe
936	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1052	364	chrome.exe	80
PID 364 wrote to memory of 1052	364	chrome.exe	80
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 948 wrote to memory of 936	948	firefox.exe	83
PID 936 wrote to memory of 1532	936	firefox.exe	85
PID 936 wrote to memory of 1532	936	firefox.exe	85
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3256	936	firefox.exe	86
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87
PID 936 wrote to memory of 3080	936	firefox.exe	87

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffab3e54f50,0x7ffab3e54f60,0x7ffab3e54f70
  2⤵
  PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.0.631519261\302609142" -parentBuildID 20200403170909 -prefsHandle 2064 -prefMapHandle 2056 -prefsLen 1 -prefMapSize 216161 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2160 gpu
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.6.1614987940\1866993424" -childID 1 -isForBrowser -prefsHandle 1960 -prefMapHandle 2008 -prefsLen 708 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2556 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.13.358960565\2113770606" -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 753 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3036 tab
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.20.1990642490\1605788752" -childID 3 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 8151 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3380 tab
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.27.1255951810\283985959" -childID 4 -isForBrowser -prefsHandle 2860 -prefMapHandle 3304 -prefsLen 9887 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 2884 tab
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="936.34.1997031220\1326932171" -childID 5 -isForBrowser -prefsHandle 3112 -prefMapHandle 3016 -prefsLen 12419 -prefMapSize 216161 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 936 "\\.\pipe\gecko-crash-server-pipe.936" 3124 tab
    3⤵
    PID:980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-135-0x000000001C4F5000-0x000000001C4F6000-memory.dmp

Filesize
4KB

Download
memory/1040-130-0x00000000002E0000-0x0000000000312000-memory.dmp

Filesize
200KB

Download
memory/1040-132-0x000000001C4F0000-0x000000001C4F2000-memory.dmp

Filesize
8KB

Download
memory/1040-133-0x000000001C4F2000-0x000000001C4F4000-memory.dmp

Filesize
8KB

Download
memory/1040-134-0x000000001C4F4000-0x000000001C4F5000-memory.dmp

Filesize
4KB

Download
memory/1040-136-0x0000000025A80000-0x0000000026226000-memory.dmp

Filesize
7.6MB

Download
memory/1040-131-0x00007FFAB04E3000-0x00007FFAB04E5000-memory.dmp

Filesize
8KB

Download
memory/1040-137-0x000000001C4F7000-0x000000001C4F8000-memory.dmp

Filesize
4KB

Download