e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Detail's for Shipping...exe
Size

777KB
MD5

655733a8c4475a2d82527b049f66c335
SHA1

9736ab1176850b60c260c86cd4d51a784f7a69cb
SHA256

e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d
SHA512

8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487
SSDEEP

12288:6PnWqhxJu3T26ZqyZtLa+sw07DZcuayiZ7t5h:GnWExk3Fq407DUV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3508	fireblende.exe
3720	fireblende.exe
5112	fireblende.exe
2956	fireblende.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 116	660	Detail's for Shipping...exe	89
PID 3508 set thread context of 3720	3508	fireblende.exe	98
PID 5112 set thread context of 2956	5112	fireblende.exe	107

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3904	schtasks.exe
3668	schtasks.exe
4632	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
116	Detail's for Shipping...exe
2956	fireblende.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 116	660	Detail's for Shipping...exe	89
PID 660 wrote to memory of 2592	660	Detail's for Shipping...exe	90
PID 660 wrote to memory of 2592	660	Detail's for Shipping...exe	90
PID 660 wrote to memory of 2592	660	Detail's for Shipping...exe	90
PID 660 wrote to memory of 2228	660	Detail's for Shipping...exe	92
PID 660 wrote to memory of 2228	660	Detail's for Shipping...exe	92
PID 660 wrote to memory of 2228	660	Detail's for Shipping...exe	92
PID 660 wrote to memory of 3164	660	Detail's for Shipping...exe	93
PID 660 wrote to memory of 3164	660	Detail's for Shipping...exe	93
PID 660 wrote to memory of 3164	660	Detail's for Shipping...exe	93
PID 2228 wrote to memory of 3668	2228	cmd.exe	96
PID 2228 wrote to memory of 3668	2228	cmd.exe	96
PID 2228 wrote to memory of 3668	2228	cmd.exe	96
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3720	3508	fireblende.exe	98
PID 3508 wrote to memory of 3380	3508	fireblende.exe	99
PID 3508 wrote to memory of 3380	3508	fireblende.exe	99
PID 3508 wrote to memory of 3380	3508	fireblende.exe	99
PID 3508 wrote to memory of 1596	3508	fireblende.exe	100
PID 3508 wrote to memory of 1596	3508	fireblende.exe	100
PID 3508 wrote to memory of 1596	3508	fireblende.exe	100
PID 3508 wrote to memory of 4256	3508	fireblende.exe	102
PID 3508 wrote to memory of 4256	3508	fireblende.exe	102
PID 3508 wrote to memory of 4256	3508	fireblende.exe	102
PID 1596 wrote to memory of 4632	1596	cmd.exe	105
PID 1596 wrote to memory of 4632	1596	cmd.exe	105
PID 1596 wrote to memory of 4632	1596	cmd.exe	105
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 2956	5112	fireblende.exe	107
PID 5112 wrote to memory of 1036	5112	fireblende.exe	108
PID 5112 wrote to memory of 1036	5112	fireblende.exe	108
PID 5112 wrote to memory of 1036	5112	fireblende.exe	108
PID 5112 wrote to memory of 4056	5112	fireblende.exe	109
PID 5112 wrote to memory of 4056	5112	fireblende.exe	109
PID 5112 wrote to memory of 4056	5112	fireblende.exe	109
PID 5112 wrote to memory of 3352	5112	fireblende.exe	112
PID 5112 wrote to memory of 3352	5112	fireblende.exe	112
PID 5112 wrote to memory of 3352	5112	fireblende.exe	112
PID 4056 wrote to memory of 3904	4056	cmd.exe	114
PID 4056 wrote to memory of 3904	4056	cmd.exe	114
PID 4056 wrote to memory of 3904	4056	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe
"C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe
  "C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3668
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Detail's for Shipping...exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"
  2⤵
  PID:3164

C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
  "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"
  2⤵
  PID:3380
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"
  2⤵
  PID:4256

C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe
  "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fireblende"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe" "C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe"
  2⤵
  PID:3352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fireblende.exe.log

Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe

Filesize
777KB

MD5
655733a8c4475a2d82527b049f66c335

SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb

SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487

Download Submit
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe

Filesize
777KB

MD5
655733a8c4475a2d82527b049f66c335

SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb

SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487

Download Submit
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe

Filesize
777KB

MD5
655733a8c4475a2d82527b049f66c335

SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb

SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487

Download Submit
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe

Filesize
777KB

MD5
655733a8c4475a2d82527b049f66c335

SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb

SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487

Download Submit
C:\Users\Admin\AppData\Roaming\fireblende\fireblende.exe

Filesize
777KB

MD5
655733a8c4475a2d82527b049f66c335

SHA1
9736ab1176850b60c260c86cd4d51a784f7a69cb

SHA256
e777f7a314ce728ab3efbfd598177eba4ddcbb06478c3773a920f64efd3ee19d

SHA512
8d12acf7882a8aa7c3cf451767cfa45603b40c3a3375bab0003a117d07184837e8d57044ca59654a9cd5c254d1e536f62b2d81289dbd49014cbf5d995a627487

Download Submit
memory/116-138-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/116-145-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/116-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/116-148-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/660-132-0x0000000000690000-0x0000000000758000-memory.dmp

Filesize
800KB

Download
memory/660-134-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download
memory/660-133-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2956-172-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2956-170-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads