6765c36d392a0d07a8ce911e92ff0e29bfa6d703353abde7cb602e3a24f811c6

Analysis

max time kernel
60s
max time network
61s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12/09/2022, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tdft5hkb.cmdline
Size

369B
MD5

8008a8ac8ae991e78a867ed52a90bf1f
SHA1

c8af66739bdb118fd92804548c87163a0fb1eb20
SHA256

6765c36d392a0d07a8ce911e92ff0e29bfa6d703353abde7cb602e3a24f811c6
SHA512

5719d07646e74cedca9cc50534f9de9eaa82dcab2e5286d1124181cc2ea0e81f88ffb1acd36da88eb1006bd76f21f8c242157018964fa50ba421e31b2cf9e312

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	firefox.exe
Token: SeDebugPrivilege	2352	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2352	firefox.exe
2352	firefox.exe
2352	firefox.exe
2352	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2352	firefox.exe
2352	firefox.exe
2352	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
400	OpenWith.exe
2352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2872	400	OpenWith.exe	69
PID 400 wrote to memory of 2872	400	OpenWith.exe	69
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2872 wrote to memory of 2352	2872	firefox.exe	71
PID 2352 wrote to memory of 3752	2352	firefox.exe	73
PID 2352 wrote to memory of 3752	2352	firefox.exe	73
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 3676	2352	firefox.exe	74
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75
PID 2352 wrote to memory of 4932	2352	firefox.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tdft5hkb.cmdline
1⤵
- Modifies registry class
PID:2580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\tdft5hkb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\AppData\Local\Temp\tdft5hkb.cmdline
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.0.931934043\1704228728" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 1624 gpu
      4⤵
      PID:3752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.3.1425826417\736096107" -childID 1 -isForBrowser -prefsHandle 2216 -prefMapHandle 2152 -prefsLen 122 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 1444 tab
      4⤵
      PID:3676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.13.297729843\404426114" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 6904 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 3412 tab
      4⤵
      PID:4932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2352.20.1609775550\1608235646" -childID 3 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 7609 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2352 "\\.\pipe\gecko-crash-server-pipe.2352" 4040 tab
      4⤵
      PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...