6413b835503a6c77f347a262f0ce18de15ea59608658aa8c2e51a3433ffe1624

Resubmissions

15-01-2023 00:36

230115-aybg9abe6s 8

15-01-2023 00:11

230115-agp93sfe58 8

15-01-2023 00:06

230115-ad4y3abc3t 8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2023 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

interium/crack/v4.exe
Size

5KB
MD5

67601d1b4381c7dafe8e7ad94f38a142
SHA1

16e6e3a8f666429c1a4941e9c0945a22afd6377a
SHA256

04a007a31de14d111ec54030e3646422d5ee224177dae95795ac2826a55336f7
SHA512

63b4666f7212f08c8c9ae24cf914d1694dec5a1daacad0e9e742c0dc39662cc97f1c66722dce99656d3a70277485b25374eb5abad06821c55e73b7f3be7172a3
SSDEEP

48:C7zRekJFF6G3N1zcuzrRr1nnzrQYAPSC1iF9vhAHyhdUXhQB8sXlE6mN0F3ybCV3:Kjd6uzrh1nf2PSCA3vhghQK+l2K3iw

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe
2664	v4.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
632	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeShutdownPrivilege	4308	svchost.exe
Token: SeCreatePagefilePrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeLoadDriverPrivilege	4308	svchost.exe
Token: SeDebugPrivilege	4428	firefox.exe
Token: SeDebugPrivilege	4428	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe
4428	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 2904 wrote to memory of 4428	2904	firefox.exe	69
PID 4428 wrote to memory of 4132	4428	firefox.exe	71
PID 4428 wrote to memory of 4132	4428	firefox.exe	71
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3412	4428	firefox.exe	73
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74
PID 4428 wrote to memory of 3924	4428	firefox.exe	74

C:\Users\Admin\AppData\Local\Temp\interium\crack\v4.exe
"C:\Users\Admin\AppData\Local\Temp\interium\crack\v4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4428.0.359270579\1585489403" -parentBuildID 20200403170909 -prefsHandle 1504 -prefMapHandle 1196 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4428 "\\.\pipe\gecko-crash-server-pipe.4428" 1604 gpu
    3⤵
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4428.3.2029043737\963625170" -childID 1 -isForBrowser -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4428 "\\.\pipe\gecko-crash-server-pipe.4428" 2176 tab
    3⤵
    PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4428.13.1749673083\2029123368" -childID 2 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4428 "\\.\pipe\gecko-crash-server-pipe.4428" 3208 tab
    3⤵
    PID:3924

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:2636

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:3376

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
memory/2664-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download