hxxps://github[.]com/Ataraxia1339/CommandGen/releases/tag/v2[.]0

Analysis

max time kernel
62s
max time network
65s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/12/2022, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2296	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe

Loads dropped DLL 8 IoCs

pid	Process
1200	Process not Found
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe
2364	CommandGen-v2.0.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c0000000133ab-54.dat	pyinstaller
behavioral1/files/0x000c0000000133ab-55.dat	pyinstaller
behavioral1/files/0x000c0000000133ab-57.dat	pyinstaller
behavioral1/files/0x000c0000000133ab-59.dat	pyinstaller

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CommandGen-v2.0.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	firefox.exe
Token: SeDebugPrivilege	1360	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1512 wrote to memory of 1360	1512	firefox.exe	27
PID 1360 wrote to memory of 384	1360	firefox.exe	29
PID 1360 wrote to memory of 384	1360	firefox.exe	29
PID 1360 wrote to memory of 384	1360	firefox.exe	29
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1708	1360	firefox.exe	30
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31
PID 1360 wrote to memory of 1576	1360	firefox.exe	31

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.0.400937706\2077294940" -parentBuildID 20200403170909 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1252 gpu
    3⤵
    PID:384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.3.1952350667\507789013" -childID 1 -isForBrowser -prefsHandle 1740 -prefMapHandle 1736 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1752 tab
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.13.1019359244\1667999675" -childID 2 -isForBrowser -prefsHandle 2696 -prefMapHandle 2692 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 2708 tab
    3⤵
    PID:1576

C:\Users\Admin\Downloads\CommandGen-v2.0.exe
"C:\Users\Admin\Downloads\CommandGen-v2.0.exe"
1⤵
- Executes dropped EXE
PID:2296
- C:\Users\Admin\Downloads\CommandGen-v2.0.exe
  "C:\Users\Admin\Downloads\CommandGen-v2.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
740172fbadaf5ec1c087864972779dd4

SHA1
24dc24efe6b823b3dab6abdac21948096e784a7c

SHA256
02c9f0158565034baa66d94ab3bd7b35732c871933ce2b85442639dc9e2ba721

SHA512
e59b894eb84ade8943defe17c251087580e882565b57c160df137f6e6a957fc296f6f14e853350db2c17b96d7016cc544f7fde5fc14762c9c90ac19e1f7941dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
e6f48279f9721c34af7b74145dd888a8

SHA1
a72065e72185db0127717eb8cc70f15feb8de68a

SHA256
c6c4529917c20ef5d1c13adefcd3d594198372b765e3766190ce35ec0f9cabc2

SHA512
72beb368c205a909b363839a4553fc780e536663df2f19095819f1048d9ebe07de6d3b9b1859143703be233be64537fb117d55a9a9fe4bf7d56f812e71fcf49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
38edcee1dc735c2259604545fd580aa9

SHA1
60fe52917c0f94f89cd46e1fc4e5924b79d6f0fb

SHA256
ce6855146cba2a1471cb356ae5e249d668243bc5369ea84d2d1902789f7805b3

SHA512
1ffe5328bcd91c22a8eae3b3c696a08a46937c359bf8e52497f2ba353ef4b1e791794a878597c8d05212ab7bf15b8105d695280eb7e69fe9071ffd4c373b981f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
2f17d6384b532dfc41b8d80d2605c101

SHA1
9abd5e43ede2d3c29ce4d394b5259ea25727bd90

SHA256
1410ca328d46dd446857a6d89a191eba28bb169f1e0ed12033af3ff5d03dc5a6

SHA512
9ea3878cb0ae958d5ac50c238eb96289ffb47f99beb9053ed6e02f548cc71352b91a8ffa0010ed2a0f9b19b40a96927f8d121208e7339598ea91cdb108c7957f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
202babbfc439861c13377e652a1b5a89

SHA1
e68ca975d19c9d6fb6575abc8400d6e8d12814d2

SHA256
dec0cb4e7b45d9881179f4ec40b19420edfa8f1e2ef3c7bb25a39a67a0773d46

SHA512
1dd136d4a04096346a6c1606d9da456ee3638386fe1303b51924f9dd39dff0a5cff1c4170a82d2e7d7b409d303581f55b38166025222b4746165c029534234c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\python310.dll

Filesize
4.3MB

MD5
316ce972b0104d68847ab38aba3de06a

SHA1
ca1e227fd7f1cfb1382102320dadef683213024b

SHA256
34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e

SHA512
a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\ucrtbase.dll

Filesize
986KB

MD5
ce2f9a4268bb6bf909978b1f3d2d7486

SHA1
fd96b9a0f05325d5c1a01efc0854a4efe359424f

SHA256
d2eb64172cdf893cd980dced96d7077578fbd22dcbeaec357ecdf865aa85a8dd

SHA512
c66e39f16a4fb04c3d57771ac60bf979f55933e7a33ee4675de5de10819f2f5689927ec09a74724797f058e35b66093f0a03a1235f6298d7016016dc12b5ea7a

Download Submit
C:\Users\Admin\Downloads\CommandGen-v2.0.exe

Filesize
9.2MB

MD5
a19b65ddea074ebbae924703fda99919

SHA1
64c0b6c222ac68e8c9049dbb5c61f0aced5cad10

SHA256
d7fc3306baae253a5e933ae3487e1d247e0d056169dbfb195b934a0cdfef9a1c

SHA512
4549dfed4a43bf8c7972eeff716b36b4eb2ddcd27ec8aeb5b1a9200b88af1b976358b95ce3760f6c5acde54271d9d8f5d13eeec7768f73dfa5f822f2db9855ae

Download Submit
C:\Users\Admin\Downloads\CommandGen-v2.0.exe

Filesize
9.2MB

MD5
a19b65ddea074ebbae924703fda99919

SHA1
64c0b6c222ac68e8c9049dbb5c61f0aced5cad10

SHA256
d7fc3306baae253a5e933ae3487e1d247e0d056169dbfb195b934a0cdfef9a1c

SHA512
4549dfed4a43bf8c7972eeff716b36b4eb2ddcd27ec8aeb5b1a9200b88af1b976358b95ce3760f6c5acde54271d9d8f5d13eeec7768f73dfa5f822f2db9855ae

Download Submit
C:\Users\Admin\Downloads\CommandGen-v2.0.exe

Filesize
9.2MB

MD5
a19b65ddea074ebbae924703fda99919

SHA1
64c0b6c222ac68e8c9049dbb5c61f0aced5cad10

SHA256
d7fc3306baae253a5e933ae3487e1d247e0d056169dbfb195b934a0cdfef9a1c

SHA512
4549dfed4a43bf8c7972eeff716b36b4eb2ddcd27ec8aeb5b1a9200b88af1b976358b95ce3760f6c5acde54271d9d8f5d13eeec7768f73dfa5f822f2db9855ae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
740172fbadaf5ec1c087864972779dd4

SHA1
24dc24efe6b823b3dab6abdac21948096e784a7c

SHA256
02c9f0158565034baa66d94ab3bd7b35732c871933ce2b85442639dc9e2ba721

SHA512
e59b894eb84ade8943defe17c251087580e882565b57c160df137f6e6a957fc296f6f14e853350db2c17b96d7016cc544f7fde5fc14762c9c90ac19e1f7941dc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
e6f48279f9721c34af7b74145dd888a8

SHA1
a72065e72185db0127717eb8cc70f15feb8de68a

SHA256
c6c4529917c20ef5d1c13adefcd3d594198372b765e3766190ce35ec0f9cabc2

SHA512
72beb368c205a909b363839a4553fc780e536663df2f19095819f1048d9ebe07de6d3b9b1859143703be233be64537fb117d55a9a9fe4bf7d56f812e71fcf49f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
38edcee1dc735c2259604545fd580aa9

SHA1
60fe52917c0f94f89cd46e1fc4e5924b79d6f0fb

SHA256
ce6855146cba2a1471cb356ae5e249d668243bc5369ea84d2d1902789f7805b3

SHA512
1ffe5328bcd91c22a8eae3b3c696a08a46937c359bf8e52497f2ba353ef4b1e791794a878597c8d05212ab7bf15b8105d695280eb7e69fe9071ffd4c373b981f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
2f17d6384b532dfc41b8d80d2605c101

SHA1
9abd5e43ede2d3c29ce4d394b5259ea25727bd90

SHA256
1410ca328d46dd446857a6d89a191eba28bb169f1e0ed12033af3ff5d03dc5a6

SHA512
9ea3878cb0ae958d5ac50c238eb96289ffb47f99beb9053ed6e02f548cc71352b91a8ffa0010ed2a0f9b19b40a96927f8d121208e7339598ea91cdb108c7957f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
202babbfc439861c13377e652a1b5a89

SHA1
e68ca975d19c9d6fb6575abc8400d6e8d12814d2

SHA256
dec0cb4e7b45d9881179f4ec40b19420edfa8f1e2ef3c7bb25a39a67a0773d46

SHA512
1dd136d4a04096346a6c1606d9da456ee3638386fe1303b51924f9dd39dff0a5cff1c4170a82d2e7d7b409d303581f55b38166025222b4746165c029534234c0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\python310.dll

Filesize
4.3MB

MD5
316ce972b0104d68847ab38aba3de06a

SHA1
ca1e227fd7f1cfb1382102320dadef683213024b

SHA256
34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e

SHA512
a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22962\ucrtbase.dll

Filesize
986KB

MD5
ce2f9a4268bb6bf909978b1f3d2d7486

SHA1
fd96b9a0f05325d5c1a01efc0854a4efe359424f

SHA256
d2eb64172cdf893cd980dced96d7077578fbd22dcbeaec357ecdf865aa85a8dd

SHA512
c66e39f16a4fb04c3d57771ac60bf979f55933e7a33ee4675de5de10819f2f5689927ec09a74724797f058e35b66093f0a03a1235f6298d7016016dc12b5ea7a

Download Submit
\Users\Admin\Downloads\CommandGen-v2.0.exe

Filesize
9.2MB

MD5
a19b65ddea074ebbae924703fda99919

SHA1
64c0b6c222ac68e8c9049dbb5c61f0aced5cad10

SHA256
d7fc3306baae253a5e933ae3487e1d247e0d056169dbfb195b934a0cdfef9a1c

SHA512
4549dfed4a43bf8c7972eeff716b36b4eb2ddcd27ec8aeb5b1a9200b88af1b976358b95ce3760f6c5acde54271d9d8f5d13eeec7768f73dfa5f822f2db9855ae

Download Submit
memory/2296-56-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download