7ecf7d92400ce62490e16d39bd3cf4f73a1a1df516e418948e52c5a761d314ee

Resubmissions

27/10/2022, 15:04

221027-sfnc7scfak 7

27/10/2022, 14:58

221027-scab6sceb9 1

Analysis

max time kernel
140s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract#4073.html
Size

839KB
MD5

13edbdd74a0145b65fe8fd8431844b49
SHA1

1f23da416c57113b7ad39b6bc518ed322cb76417
SHA256

9fb40fd3db4d25b23218bceefc3312045b4235dea6f89f28b8dacba1698a8fc2
SHA512

d6e1d8a41d7726dc2de4d8668731fb2525b0f97417fd8a80fb1f0250010986504134580f8e38654d8957def60ae1612c5ee8196a69b7d30eabdd45a47e3f697d
SSDEEP

12288:P660yZwt0EhU1ONKdFyL/txdNFSNMYs+q8WgussBwVFnbOkxp3:S6tYnTFSbzq8WXsssFbfxp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2800	regsvr32.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\attachment.zip:Zone.Identifier	firefox.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2780	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2800	regsvr32.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe
2952	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2800	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	firefox.exe
Token: SeDebugPrivilege	916	firefox.exe
Token: SeDebugPrivilege	916	firefox.exe
Token: SeRestorePrivilege	2656	7zFM.exe
Token: 35	2656	7zFM.exe
Token: SeSecurityPrivilege	2656	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
916	firefox.exe
916	firefox.exe
916	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
916	firefox.exe
916	firefox.exe
916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 1848 wrote to memory of 916	1848	firefox.exe	28
PID 916 wrote to memory of 600	916	firefox.exe	30
PID 916 wrote to memory of 600	916	firefox.exe	30
PID 916 wrote to memory of 600	916	firefox.exe	30
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1496	916	firefox.exe	31
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32
PID 916 wrote to memory of 1584	916	firefox.exe	32

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Contract#4073.html
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Contract#4073.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.0.709217536\1091827024" -parentBuildID 20200403170909 -prefsHandle 1200 -prefMapHandle 1192 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 1284 gpu
    3⤵
    PID:600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.3.1194394015\1094707792" -childID 1 -isForBrowser -prefsHandle 1880 -prefMapHandle 1876 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 1704 tab
    3⤵
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.13.54350451\1335200601" -childID 2 -isForBrowser -prefsHandle 2704 -prefMapHandle 2700 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 2716 tab
    3⤵
    PID:1584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.20.2125927407\1701027861" -childID 3 -isForBrowser -prefsHandle 2712 -prefMapHandle 3076 -prefsLen 7643 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 3176 tab
    3⤵
    PID:2084

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\attachment\Contract_5353.iso"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reviewer\orderliness.cmd vr 32. exe
1⤵
PID:2740
- C:\Windows\system32\replace.exe
  replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
  2⤵
  PID:2768
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe reviewer\graphs.dat
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2780
- - C:\Windows\SysWOW64\regsvr32.exe
    reviewer\graphs.dat
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2800
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\attachment\reviewer\graphs.dat

Filesize
628KB

MD5
d5987c7f04bccd90782c37f5697e39ef

SHA1
b5eb5a330b400338ade359e13ac29fc61dbdad64

SHA256
d8d246935b437a41f5a65035889ba4b5e219ef9f565cd32789c4d9b677477aeb

SHA512
c4c986605090a3ca4eb6f254eb00f153b6bf816e58f7efbd3398b6c8ae4f868b99842141b6105684c4eefa461160ae5ee9a56974d420d40ba73c752b331b89df

Download Submit
C:\Users\Admin\Documents\attachment\reviewer\orderliness.cmd

Filesize
359B

MD5
dae49109ceddf28e9abb871db8f827be

SHA1
fd5f2515013319101aabc8785a947d12de434a03

SHA256
835b165c48b39c9196b11b18e389ead29884b0361d5ac7242dadddc095cd6382

SHA512
a5e18a5589d20e9fb9c5d51d8ac85f0c8e88a76fe4911a9d554d8e44d1db097364b5e7e8e120a2eb648ddb9bfd5233380d399244a77e0817442b4fdf0e6b89a7

Download Submit
\Users\Admin\Documents\attachment\reviewer\graphs.dat

Filesize
628KB

MD5
d5987c7f04bccd90782c37f5697e39ef

SHA1
b5eb5a330b400338ade359e13ac29fc61dbdad64

SHA256
d8d246935b437a41f5a65035889ba4b5e219ef9f565cd32789c4d9b677477aeb

SHA512
c4c986605090a3ca4eb6f254eb00f153b6bf816e58f7efbd3398b6c8ae4f868b99842141b6105684c4eefa461160ae5ee9a56974d420d40ba73c752b331b89df

Download Submit
memory/2656-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/2800-63-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/2800-61-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/2800-64-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/2800-65-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/2800-66-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/2800-67-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/2800-68-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/2800-71-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/2952-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2952-73-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download