c530d7214b50c0c2f0382b1d9a83f3fc4bb71f33024823c751503bf301f2e132

Analysis

max time kernel
85s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CliIkosNet 2.0.16.28 R4 BANOBRAS/SharpZipLib.dll
Size

112KB
MD5

c37a2719bd83ba766b29d8f83cee6258
SHA1

9f92916429f9f52723d18079899e63715a32ab36
SHA256

1e2cf0f79d2e5d6b10e21067bb86c4df1fc8b28f45fb7ef92ae67a2dcee3be0e
SHA512

64670d11ea9edea0c96bf8de64f005149109ed5fd5a6c1fc5f825ab6b8e1349b7524afadb564f144bda933ca61de891fb6c7a5f2508eb98094f97197eb4d58d9
SSDEEP

1536:V821slfy1MQ+0qxrJtTVsDWsHtdLSvvnnoU+q4UrviOBW6zsAzSYxCS/LsDuaCCt:a2GE+0qxrPuLSvR6OBPljsD5CCitwZj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4484 firefox.exe
Token: SeDebugPrivilege 4484 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4484 firefox.exe
4484 firefox.exe
4484 firefox.exe
4484 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4484 firefox.exe
4484 firefox.exe
4484 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4484 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4484	firefox.exe
Token: SeDebugPrivilege	4484	firefox.exe

pid	process
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe

pid	process
4484	firefox.exe
4484	firefox.exe
4484	firefox.exe

pid	process
4484	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4484	3440	firefox.exe	firefox.exe
PID 4484 wrote to memory of 4496	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 4496	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 2884	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 3496	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 3496	4484	firefox.exe	firefox.exe
PID 4484 wrote to memory of 3496	4484	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CliIkosNet 2.0.16.28 R4 BANOBRAS\SharpZipLib.dll",#1
1⤵
PID:1968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.0.526583775\487824613" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1c9b02-9dea-47a1-9f10-6955bbbb0e4e} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 1916 2a25e816858 gpu
3⤵
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.1.529132911\297777202" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3795baa1-3ce2-4db8-867f-1a6f5f4e482f} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 2316 2a250972858 socket
3⤵
- Checks processor information in registry
PID:2884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.2.1187494661\33223163" -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3252 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afcff58-dfaa-4f31-8802-851240f1512c} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 3264 2a261514758 tab
3⤵
PID:3496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.3.1687019830\892132346" -childID 2 -isForBrowser -prefsHandle 1292 -prefMapHandle 3108 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7bf0411-4eb1-424a-92b2-9954e13c0f19} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 3000 2a250971958 tab
3⤵
PID:2808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4484.4.1745496650\362191952" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76ac6c79-23be-4b57-be6c-a870a1263480} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" 1292 2a2627ac258 tab
3⤵
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
164KB

MD5
6aad4dd2294a7f776f96c1df811ef418

SHA1
a9800ea14ba47f73865be3852582b92ade75c7e1

SHA256
5b06d2e4ffded224037a17306b5e2e4db4d56f613d11574bcd60c9a1d790bd50

SHA512
46c9a89aa6fe3590c82a6891f21d42e0aeb9e041927e3f7646f64e59a2ec79d365561e5bb791a93a41a2c71102b850ffc84dd6f4fc2ffbd3459f5339bb8c6e6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
413b929ffdda1b7a40d1c6a296363709

SHA1
819f1fb714ba6748737c0d6527c3bee82e212707

SHA256
9058db6eeee34a9462b146ed1c5aea9baf83d3085236b4223b55c78f79e1c309

SHA512
51a646c65c9932662d5fc599607a20b97cb0f716ba6dab404764cc90ddfaa598dd5336dcf940c2366654f35920d4da60fd4d1e23330d97acd6c32bc2695c8f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore.jsonlz4
Filesize
882B

MD5
c9ac5d0ad14e1f63f4778064cd2980c7

SHA1
76d6f82db69844e202a220cf52be11fc67245808

SHA256
55912aea22ea4da47ece9a1c4aabd5bbe41d472157ae0ec3577d4db37865e183

SHA512
3bf9ca75cd24480df5c8cd5929ffbbbc0174c68f1b7b4e2ecd933970d37c30c1975de702d089a5f3e599a8b83c4d373dd3272a340571c03c7f1907251c9d0459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\xulstore.json.tmp
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit