Overview
overview
3Static
static
1processhac...in.zip
windows10-1703-x64
1x64/ProcessHacker.exe
windows10-1703-x64
1x64/kproce...er.exe
windows10-1703-x64
x64/peview.exe
windows10-1703-x64
3x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...ns.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...ks.dll
windows10-1703-x64
1x64/plugin...rt.dll
windows10-1703-x64
1x64/plugin...us.dll
windows10-1703-x64
1x64/plugin...er.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...er.dll
windows10-1703-x64
1x86/ProcessHacker.exe
windows10-1703-x64
1x86/kproce...er.exe
windows10-1703-x64
x86/peview.exe
windows10-1703-x64
3x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...ns.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...ks.dll
windows10-1703-x64
1x86/plugin...rt.dll
windows10-1703-x64
1x86/plugin...us.dll
windows10-1703-x64
1x86/plugin...er.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...er.dll
windows10-1703-x64
1Analysis
-
max time kernel
39s -
max time network
65s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
01-03-2023 03:03
Static task
static1
Behavioral task
behavioral1
Sample
processhacker-2.39-bin.zip
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
x64/ProcessHacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
x64/kprocesshacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
x64/peview.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
x64/plugins/DotNetTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
x64/plugins/ExtendedNotifications.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
x64/plugins/ExtendedServices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
x64/plugins/ExtendedTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
x64/plugins/HardwareDevices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
x64/plugins/NetworkTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
x64/plugins/OnlineChecks.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
x64/plugins/SbieSupport.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
x64/plugins/ToolStatus.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
x64/plugins/Updater.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
x64/plugins/UserNotes.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
x64/plugins/WindowExplorer.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
x86/ProcessHacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
x86/kprocesshacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
x86/peview.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
x86/plugins/DotNetTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
x86/plugins/ExtendedNotifications.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
x86/plugins/ExtendedServices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
x86/plugins/ExtendedTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
x86/plugins/HardwareDevices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
x86/plugins/NetworkTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
x86/plugins/OnlineChecks.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
x86/plugins/SbieSupport.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
x86/plugins/ToolStatus.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
x86/plugins/Updater.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
x86/plugins/UserNotes.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
x86/plugins/WindowExplorer.dll
Resource
win10-20230220-en
windows10-1703-x64
General
-
Target
processhacker-2.39-bin.zip
-
Size
3.2MB
-
MD5
b444cf14642ce9b8d75e079166a5df0b
-
SHA1
8e8f8423d163d922242b8b7d85427664f77edc97
-
SHA256
2afb5303e191dde688c5626c3ee545e32e52f09da3b35b20f5e0d29a418432f5
-
SHA512
915b9f7c0b1374ce52fa9653ba1084741d15ff79dbb7c04d2a0f41eea8262b2f556d451bf9eefbd2d32831289908b6a1b39ce2cbcafbbfc4ae6e71d701b1aa81
-
SSDEEP
98304:jDqt5TrOmlLB/7rTOqcXfOzJR1qioDLK2EbhQ:3sTrHlB73OqX4ioDfshQ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1732 firefox.exe 1732 firefox.exe 1732 firefox.exe 1732 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1732 firefox.exe 1732 firefox.exe 1732 firefox.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1732 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 4288 wrote to memory of 1732 4288 firefox.exe 68 PID 1732 wrote to memory of 4888 1732 firefox.exe 69 PID 1732 wrote to memory of 4888 1732 firefox.exe 69 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 4224 1732 firefox.exe 70 PID 1732 wrote to memory of 3712 1732 firefox.exe 71 PID 1732 wrote to memory of 3712 1732 firefox.exe 71 PID 1732 wrote to memory of 3712 1732 firefox.exe 71
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-bin.zip1⤵PID:3236
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1732.0.1749991055\22783168" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0cbb462-cbc1-4f7c-9bbd-c462228ae44e} 1732 "\\.\pipe\gecko-crash-server-pipe.1732" 1732 1a079c16558 gpu3⤵PID:4888
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1732.1.679835430\360877628" -parentBuildID 20221007134813 -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f42d3e2-8691-44cb-b994-c835ef4ceec4} 1732 "\\.\pipe\gecko-crash-server-pipe.1732" 2080 1a06d472e58 socket3⤵PID:4224
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1732.2.1237785662\454077807" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 2976 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94a7ceb-3b3d-4a57-aacc-acbf8899b648} 1732 "\\.\pipe\gecko-crash-server-pipe.1732" 2676 1a07c7edf58 tab3⤵PID:3712
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1732.3.2014360873\143989864" -childID 2 -isForBrowser -prefsHandle 984 -prefMapHandle 1292 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61f4ea60-5736-4cb8-9196-8128b0dd4dfd} 1732 "\\.\pipe\gecko-crash-server-pipe.1732" 3264 1a07d0e7e58 tab3⤵PID:1584
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1732.4.229511500\1024907009" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 4292 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e6e909-947c-4018-ad4c-515688b239fc} 1732 "\\.\pipe\gecko-crash-server-pipe.1732" 4280 1a078b0f758 tab3⤵PID:372
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize144KB
MD594dd41a9fb6c739ee64bff8f94c48c47
SHA1ae1f96b07c68f391a283dfa5a3b2759746c07ef2
SHA256f25ca9795a09fb7e199d78f8929d2aaf7135033fee735edc787e17db4fcdf153
SHA51270e6410a42b4f4592638fa21a3bf331bd8c5022a32172176c97408da6a30cdd606db18d7afcfd169bf150150a7820516c83c5c5c00a536a63629ae8eb62ebc84
-
Filesize
6KB
MD5f843fc3b858888d342076c7199266348
SHA197dea7b7d8486f03cc085ef488fda80fe53515a0
SHA25619b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4
SHA5129b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7