442584a4f6016837a165995a920af67355dc2df73a577a684cd2a3ebfa29aa50

General

Target

Undertale All Weapons.xdelta
Size

513KB
MD5

8ff0dc95c6c1bd9eae17f7b5db0d4934
SHA1

626f1c8c9523f32474a9155d804f65473a39281d
SHA256

442584a4f6016837a165995a920af67355dc2df73a577a684cd2a3ebfa29aa50
SHA512

98bd62ef36dc5a481235f4f99a27220f3abdc0dfc67491147dc96747779048a458a16398cab40f7c87c9b255d02ca9f723e077c43ca60b8e60cfe8ac789e2bfc
SSDEEP

12288:Y1APdDAnM4Ujj580EwWgzPrgrbWfecngCajB79hPIvZM2dkTuSorP9KA+tnk2Gxf:Y1APd0nyP7EgzsX+xajFPIxM2dkTuSoz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 368 firefox.exe
Token: SeDebugPrivilege 368 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

368 firefox.exe
368 firefox.exe
368 firefox.exe
368 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

368 firefox.exe
368 firefox.exe
368 firefox.exe

description	pid	process
Token: SeDebugPrivilege	368	firefox.exe
Token: SeDebugPrivilege	368	firefox.exe

pid	process
368	firefox.exe
368	firefox.exe
368	firefox.exe
368	firefox.exe

pid	process
368	firefox.exe
368	firefox.exe
368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1992 wrote to memory of 2036	1992	cmd.exe	rundll32.exe
PID 1992 wrote to memory of 2036	1992	cmd.exe	rundll32.exe
PID 1992 wrote to memory of 2036	1992	cmd.exe	rundll32.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 1500 wrote to memory of 368	1500	firefox.exe	firefox.exe
PID 368 wrote to memory of 2044	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 2044	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 2044	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 1096	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 2004	368	firefox.exe	firefox.exe
PID 368 wrote to memory of 2004	368	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Undertale All Weapons.xdelta"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Undertale All Weapons.xdelta
2⤵
- Modifies registry class
PID:2036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.0.1314273235\267079232" -parentBuildID 20221007134813 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6803d67f-3e9a-484b-9fff-309ab9c5d1ef} 368 "\\.\pipe\gecko-crash-server-pipe.368" 1244 13fabe58 gpu
3⤵
PID:2044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.1.1607458218\1478986967" -parentBuildID 20221007134813 -prefsHandle 1440 -prefMapHandle 1436 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8998ae60-d699-4566-a31e-405690f885e2} 368 "\\.\pipe\gecko-crash-server-pipe.368" 1452 f71c58 socket
3⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.2.463764756\897506596" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cbdebd-568b-4d00-b701-22ba0de36ed5} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2056 1a3cf258 tab
3⤵
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.3.276440317\574227594" -childID 2 -isForBrowser -prefsHandle 840 -prefMapHandle 1596 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {353a5072-efd3-43fd-b912-4f4132b13057} 368 "\\.\pipe\gecko-crash-server-pipe.368" 576 f71058 tab
3⤵
PID:2036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.4.1103021615\1983022338" -childID 3 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42fb1838-89dd-4045-bdbd-6b67fc9bf1d9} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2852 1b9e7058 tab
3⤵
PID:844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.6.1458744170\463878351" -childID 5 -isForBrowser -prefsHandle 3804 -prefMapHandle 3808 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efade550-052c-427c-99d5-b15ea4dfa7ec} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3792 1dc0e058 tab
3⤵
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.5.2145089120\1301933567" -childID 4 -isForBrowser -prefsHandle 3656 -prefMapHandle 3692 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43b5bfeb-821e-4f9f-be4b-c8d711dd2782} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3696 1dc0e958 tab
3⤵
PID:2376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.7.85550219\760934292" -childID 6 -isForBrowser -prefsHandle 3840 -prefMapHandle 3844 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cf4bbde-8e37-4783-a043-2a9da6023d2d} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3828 f66e58 tab
3⤵
PID:2588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.8.1501676352\1992565931" -childID 7 -isForBrowser -prefsHandle 1768 -prefMapHandle 1676 -prefsLen 26721 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a24240b9-a3ed-4d3f-b6c1-6c1442a2c6da} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2608 1dc7de58 tab
3⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmp
Filesize
151KB

MD5
b463e0aa0fec868d42ad9ff9919ac755

SHA1
9f944eb5f764826f8c469092745df7782c4ada77

SHA256
926d371921405a5353693bda900eb62475429a9e198250ce7592c61dd2df87cd

SHA512
64319fb984521574c8e1c264297a1db135510d47069909bf0b3b401e61e45b22da458761b9e5f7a4223e3d8146cc515f918dd9e79d0f5e420f898b542608a50f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.js
Filesize
6KB

MD5
024c6fe18df82522164511c697474338

SHA1
152f2037990159375f4846bec398c223ac5e6ba0

SHA256
2bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2

SHA512
071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
029b3dc32f8bb6aba9a4ab2afd538418

SHA1
7664acb497ead71d95aa3e62d80a88efcb7e1602

SHA256
ac8c460dacfe5d8cda15d594b973c184356a834d5eff9448062e22d299e9d5e7

SHA512
fc2399182ea7a8e8602f48bf5c0c17ddd188c8a3fea0d1db9b9ac26fab0018c84d8a6383cae4b41802c1265d004f7566d387bc530e21f39cfd2dffd8b78014fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
50d95689dfe2a73d5e8902f9bbd4301a

SHA1
b7fba68659f983ef93c074b44ff1fdf1c0fc1dff

SHA256
171ef89739b9ecc01432f81eb82e7330f78f6172414239bbf30a39255fe9fa65

SHA512
f20704e9b65a900161fcc929c1ea25804886949f5334f332f486500808e0adbc6a8b1ce6d9f0113a8f31a8ad987f0b4b035ac0860dd4eb151883944d4bd23803

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
00f20a55d1314e02befab0f1d3a7878f

SHA1
6200c26dcecd027db26b29719c0d790fe5d39179

SHA256
9cd343f928600deda6a80d875d2895137b6813ba61e736a8cdefbe9ef21960b5

SHA512
da33384089eacfd058bee38e687a55e926ed1ddf5813f3337c25b9406e015da4bde716bf457ac3d5b904abef0be0c7a4d8766aaf5457d6cc0b96cff84dee7c7c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads