Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    21-03-2023 20:20

General

  • Target

    index.php

  • Size

    1KB

  • MD5

    37d8268785753a37a26503b012dfd9cf

  • SHA1

    5a5a6d123bfa9ff0242bed19f088f09cb7a53528

  • SHA256

    910f01c1620199d6fe31bd925e7f10f2e1dd93261c040c049ac5a06b0b0d64fc

  • SHA512

    e7c9e632b32fab87db9e6089f8c39bcdb58510faf0b68f8d274ed7a6847ba8d5e60294771c0b030c2ae42ce033cfe22fa6f284882e02591e2655508666dff8d4

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\index.php
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\index.php
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\index.php"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\index.php
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:708
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.0.849434981\1890849693" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d095d7d7-bd99-4607-8fc2-0d3ce7ea6328} 708 "\\.\pipe\gecko-crash-server-pipe.708" 1260 13fab558 gpu
            5⤵
              PID:1364
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.1.657468457\1572687330" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4392fea3-ea9a-40ee-8366-5c4a780b0f91} 708 "\\.\pipe\gecko-crash-server-pipe.708" 1476 e71f58 socket
              5⤵
                PID:880
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.2.1932481374\1347113988" -childID 1 -isForBrowser -prefsHandle 2024 -prefMapHandle 2020 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61f530a2-c18e-481f-b407-755e96acbfe6} 708 "\\.\pipe\gecko-crash-server-pipe.708" 2036 1a5f8f58 tab
                5⤵
                  PID:1452
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.3.1352262395\1564471083" -childID 2 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d97b090-4688-4075-9036-eb947d63756d} 708 "\\.\pipe\gecko-crash-server-pipe.708" 2784 1c58eb58 tab
                  5⤵
                    PID:2076
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.4.1194739356\276617941" -childID 3 -isForBrowser -prefsHandle 1064 -prefMapHandle 3364 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488fe318-d80f-4d96-848e-22e265f58d64} 708 "\\.\pipe\gecko-crash-server-pipe.708" 3432 1a1fa758 tab
                    5⤵
                      PID:2484
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.5.197295475\179654163" -childID 4 -isForBrowser -prefsHandle 3400 -prefMapHandle 1076 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b533319-d3e1-400c-a355-83a8d8f5200e} 708 "\\.\pipe\gecko-crash-server-pipe.708" 3488 1e3ba158 tab
                      5⤵
                        PID:2512
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="708.6.696716138\1936562285" -childID 5 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b220dfa-126a-4387-a64c-e6657f8528d7} 708 "\\.\pipe\gecko-crash-server-pipe.708" 3708 1e3b9b58 tab
                        5⤵
                          PID:2672
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:1804

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\81ei91hh.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    144KB

    MD5

    fd6eee394680fc1cd868b35d7fb68503

    SHA1

    31d0496976b8a4b7054dbdfc40ddc33f7bbff404

    SHA256

    c5539c3e98f7870a9bcc6b3fe581b8894091d55aa72bc3487852a016c703110a

    SHA512

    8838a9c16847430dba28ae4d8f7b23983d55a6dc4f36816966c9337ef92ab541a2624fec607311a0f9521f40f2ead58d0818a1f15ea232be90c69698c1e4e655

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\prefs.js

    Filesize

    6KB

    MD5

    287079c0a70882ef8bb416820d8184ad

    SHA1

    67f9835b12c37eee8e6d0e00dbc303d8f7d9a772

    SHA256

    cdce500c9efcf5aaa92013a70429d0fb43331c7f28472a7186f8079e510b91b1

    SHA512

    05048711b5b6c658a6f7c522d33e0260b25f7ba970bd129adba232d68c82ca018fee195022a880972204f5d4566cbb89f2d4063741b0df1aafa8e8bf7d5795b8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    c92f80d601c14e003b0276b25a02dddb

    SHA1

    8f125162c0322063f2f546ce6cd0bfcab6a2602c

    SHA256

    34b6124c10744f02672a65234e6d3eced661c103008d4a86b8136f97d4b8e605

    SHA512

    b5ecf62ac87e6e0b2e5a9f2dfbbd18e9b7e3300438271ed16836cb79d9ea9b4e64243d478fae818aede7c88b5cdff9a94904b168e25db48db4f957f37fe48e0e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    4fc334c016bf8485ae8626fa6edbbea5

    SHA1

    7d75c930678f501c73c76d03672382b589d800df

    SHA256

    cd92bd7ebc4dd074a93f1759f30b091a95878c8686d28b3f0c0959082c0929f3

    SHA512

    2d912da941394386c690a2591fe5fd2e9f92460c6ded57d703ae6ac8547953fe965651e8a2e495384a5c8343143ba8b9239a9c3610c2e439c3d6033771ec2f64

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

    Filesize

    192KB

    MD5

    0334912a663a990c2df5452749c29a51

    SHA1

    d30c90e3710854eaf6e96e7cd125711093a3e06d

    SHA256

    c973bd9b582388831a8f808489bc4a0787bb07b62e94db0d39592e9990b31f44

    SHA512

    2a52fc101ba1e212f482b9a9f99151f4795f5f0d7b1cec4745ed5ca27a721f8287ac2953b5ab6028378fd19008d8dbdef7ebbcc52aa982445a5018fe92d6ba81