Overview

overview

3

Static

static

1

Bin.zip

windows10-1703-x64

1

Bin.zip

windows10-2004-x64

1

Ephemeral.Runtime.dll

windows10-1703-x64

3

Ephemeral.Runtime.dll

windows10-2004-x64

3

EphemeralEd.exe

windows10-1703-x64

1

EphemeralEd.exe

windows10-2004-x64

1

libgcc_s_seh-1.dll

windows10-1703-x64

3

libgcc_s_seh-1.dll

windows10-2004-x64

3

libstdc++-6.dll

windows10-1703-x64

3

libstdc++-6.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bin.zip

  • Size

    759KB

  • MD5

    8163dbd06ed50ea6d34693398355bec7

  • SHA1

    7b2906d30897afc3448fa7a1971d8fb7552ba0fd

  • SHA256

    0fe8f2044189a284d991b7eb5689c371718c67d3d539f696402665c02319b14e

  • SHA512

    897bbb209f6ca31705f9b4afc3a3e05617be26a166d98d1754674f8cd968c7e20de79b3d0e899d53d92a450618ee901220cdf19c97672c03b7d8b31cf70bc1db

  • SSDEEP

    12288:kfl4VYCnpQlKB00SHoPfcSTs0fkZl3TtlBb+LG4eVJoWp92WcTjSeFp7gEeU26Nv:ESVYCnpUKSIncSIEe3TtlBb+LkVJYSeZ

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Bin.zip
    1⤵
      PID:2292
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3892
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.0.1493447768\866731484" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0765ff7-4a02-4a22-947d-d8919dc89203} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 1732 23c9e118558 gpu
            3⤵
              PID:5016
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.1.1383875610\2108372883" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb06d3ae-c076-4370-b4b8-adf014b73e13} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 2088 23c9cdf1058 socket
              3⤵
                PID:3264
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.2.411587347\335789663" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7014f87-29d5-4175-a3b7-2cfeb25b5c2e} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3052 23ca0e45858 tab
                3⤵
                  PID:4984
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.3.1342752626\1576079717" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eaf110a-f162-4363-bfdc-aeb9d561de24} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3512 23c9185cd58 tab
                  3⤵
                    PID:4400
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.4.411683885\1737560518" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d0e2973-0006-4bb7-bfec-1e04598b1c19} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3696 23ca23dca58 tab
                    3⤵
                      PID:4396
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.5.2014436229\2126743069" -childID 4 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1283074e-f16f-43a0-a7f8-eb3ace7ebc75} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 4744 23ca0da3958 tab
                      3⤵
                        PID:96
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.7.879204080\145160552" -childID 6 -isForBrowser -prefsHandle 4988 -prefMapHandle 4888 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa6f5f9-9061-428f-8c46-bff567617ee9} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5000 23ca3b58c58 tab
                        3⤵
                          PID:228
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.6.76666394\2092143918" -childID 5 -isForBrowser -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8efffc-1fac-4bce-9c9c-f0c38b0aad45} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 4776 23ca3266b58 tab
                          3⤵
                            PID:236
                      • C:\Windows\system32\AUDIODG.EXE
                        C:\Windows\system32\AUDIODG.EXE 0xf8
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:532

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Credential Access

                      Discovery

                      Query Registry

                      2
                      T1012

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        148KB

                        MD5

                        d6cf01c2a38774eb720108fffbc2cb37

                        SHA1

                        50617b88904c4e3ff5d2f72bf5110593044779ed

                        SHA256

                        599f4d7730e8b6767efd4625aa9a985d006f14338c549a38cfcfd088130fd8f1

                        SHA512

                        6ce4e93fde29e37ae6cbf7d92ae75a1f02a2fb345e311c0011cf4ee0ee973dfb56e861ca959d69c77176fca3342d9703cfbc0fd2198629fb3ee1889cbedb0f5e

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        fc03769491e92557713bff75b3dcae44

                        SHA1

                        a4f4687575dba8a950a014c93d8f9f086a2b68d6

                        SHA256

                        3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

                        SHA512

                        8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        4d5a250aeb1f2aa15095d94a750b4cdf

                        SHA1

                        7bdc20cb6ef0071ed478ad0ae326506b2ae75f49

                        SHA256

                        1fcbf777804881ca044cc3c8652e6cfe5e0852891ca8e30f3f5437158965378e

                        SHA512

                        114c0d04abc3ccaa4c609894d95a80347b9a07af08a888a0d9b355ac44635f5511e6a81cf3164973593fc21d2f6c7d879ce1cd6dc7c8a9fffc9f0d63c19518f2

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        d8897f51af723f640c1d52fc0feec882

                        SHA1

                        9aa2840cfd804b2eba60159dc6e05d21e91def3e

                        SHA256

                        89240d6378bde3dac8a8855607f7c3020290a8fb73cb0c456eb9203ac6c146d0

                        SHA512

                        6aae89e842464fc5e05eed21ff9b512ef87c1db2314a9af1edddc014bd1aca7dce68a889974d904a607fb36dfc5790828dc90664f17e8c45585d9d331a285fcc

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        a3948e41d2174f625e74f03b6443d19b

                        SHA1

                        ebc26d7fd2f672b8e7b9bfc276e87d9926bbef33

                        SHA256

                        161e0394a581c8fe798bbd3ed6ef02820cf8f0df9aa13db288ef10cd36c96bdb

                        SHA512

                        f8674349020fc45b01e2cea8a4dbb27e31cbf6bb85cd85a8f5adbe5877c588987ec5ba41de90dcb88699943a18dcba639e8f13be164e4bdcdb7229cabd19eeee

                        Download Submit