e36d8c91125c90f78086ffe1761087897c6a557e8112120aedf96d391b1be4b8

Analysis

max time kernel
52s
max time network
62s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01/04/2023, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bpokgsds.exe
Size

1.7MB
MD5

84fd9290237ed9f226d3e37c6d32a725
SHA1

f3a254323cdb176281fddced0e1b2d2e5c2dce29
SHA256

e36d8c91125c90f78086ffe1761087897c6a557e8112120aedf96d391b1be4b8
SHA512

7e3985b985965042ef32092a7601e4faaa4e76aadc48b30ef6f2d81539362e34be2c96689fba5e1f5647d62a4a6cb1ec27791c32523b60f31c59ebec3876bb61
SSDEEP

24576:bveDZgS/qNvy6IZO7k6wZ/sC4NRJMxLo7:bvGF/qhr7nwZUbQ8

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	bpokgsds.exe
Token: SeDebugPrivilege	1016	firefox.exe
Token: SeDebugPrivilege	1016	firefox.exe
Token: SeShutdownPrivilege	5048	svchost.exe
Token: SeCreatePagefilePrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe
Token: SeLoadDriverPrivilege	5048	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1016	firefox.exe
1016	firefox.exe
1016	firefox.exe
1016	firefox.exe
1016	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1016	firefox.exe
1016	firefox.exe
1016	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1016	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 2088 wrote to memory of 1016	2088	firefox.exe	70
PID 1016 wrote to memory of 2204	1016	firefox.exe	71
PID 1016 wrote to memory of 2204	1016	firefox.exe	71
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4008	1016	firefox.exe	72
PID 1016 wrote to memory of 4704	1016	firefox.exe	73
PID 1016 wrote to memory of 4704	1016	firefox.exe	73
PID 1016 wrote to memory of 4704	1016	firefox.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bpokgsds.exe
"C:\Users\Admin\AppData\Local\Temp\bpokgsds.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.0.510093704\306210418" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b492e3d3-9bc4-4b25-a7b9-48d38bb11369} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 1748 21bc9316558 gpu
    3⤵
    PID:2204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.1.1511390625\95821976" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d45c5bd-8777-4605-9d72-dea9a579c1be} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 2104 21bbca6fb58 socket
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.2.74057744\1392050580" -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 2844 -prefsLen 21039 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ef4c0e0-0011-4973-a0ca-5d97ed9ee494} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 2696 21bcc154258 tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.3.1941187275\1873594517" -childID 2 -isForBrowser -prefsHandle 3344 -prefMapHandle 3340 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5830b6a-1f74-47db-932e-1c370408053e} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 3352 21bbca61958 tab
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.4.2094668524\2147166219" -childID 3 -isForBrowser -prefsHandle 3952 -prefMapHandle 3380 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a62b9e1-b279-4bc7-b0aa-92bdf54e69bf} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 3968 21bcd969158 tab
    3⤵
    PID:3852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.6.629635339\1891893887" -childID 5 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5d3441a-6d31-4ac5-852d-d5c82b3b3bc1} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 4924 21bcf1d0558 tab
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.5.550708462\490722318" -childID 4 -isForBrowser -prefsHandle 2980 -prefMapHandle 4640 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05291e76-56ce-4e2e-90b9-7f625de2242a} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 2808 21bcf1d2f58 tab
    3⤵
    PID:3404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.7.1586159019\968713815" -childID 6 -isForBrowser -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdee80c7-a817-4c94-be46-f46aea79d168} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 5144 21bcd1bbe58 tab
    3⤵
    PID:2588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1016.8.1882806498\1841081166" -childID 7 -isForBrowser -prefsHandle 5192 -prefMapHandle 5596 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c92a11b2-dbf4-47ad-b90e-32f2369481c3} 1016 "\\.\pipe\gecko-crash-server-pipe.1016" 2784 21bd0047d58 tab
    3⤵
    PID:1408

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:3960

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:4496

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2964

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp

Filesize
153KB

MD5
dc4bc09e9e96b58648f7d1237b851047

SHA1
c7d22da021ac96faa53580d23d62eb450cb5af95

SHA256
0ee9955fdce4d8a33d3559a8c8ddbc1fec2fe60c9813972fee2d89ae46523034

SHA512
227909f8c6b9b319b2942ba0e2a6b3f7d1e2527cc1749690535f5f75f0789e2d439b4aea7e5ad51203b867312475c3de902297c1fe01691b810ee13d80af23c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js

Filesize
6KB

MD5
cdb5a91b7898f75f98e448e80b41dba6

SHA1
c749651f98e32a2320d2e52fd467fd6217660535

SHA256
ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc

SHA512
b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ac4bb78fb3e95c7d4d096a5e6d007e1c

SHA1
1bdcfd8336b839d5d62053d846bd5b5660bf5965

SHA256
b56bcb96b1ad3da0042c3275b0bd555a89919425edaa32282b4214856951f001

SHA512
befd2dce24a74a8a0b86b463fa9c68273c1ce3a39db3d377fa091d474a8f9803eb5733954e4e634ce760f29e1b3305041eae23f1fbddcd8f9d85bcc4a497e981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bd065051f3d5b6ec704e8fc90805cc85

SHA1
098967c6f79c6e62a1649d86f9349dbea2c2614e

SHA256
845c404bca6636c87934befd73a5ee70a51fd10e3f375662bd68e6d31fb90010

SHA512
813f122b08790683d8070510e7b7fb90912e4e4984f3a45659e13d09ed62c32ff777116e55579afa958341336ad6c122040bb07ed7228d9a685cbd48cd0ef158

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
4fb103c943e6b3fe55808d4d2f582103

SHA1
38780f9420cffbc30640422e6b1d89080711cf6b

SHA256
6c097354bb700b3980253dc29323356fc20715abbc0e78d194f462e788f29df9

SHA512
87f1477f2572ed5b2c0ff1f578412f5a3d2c5df8d073fed8689899714dcd388d00ecefabc9fcb8ef5b87c3fe6c8f75a2b246c5a4228961c6f35faeda278c64b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
52da1dfd2d332db7747b41aeeb44affe

SHA1
4976876da3e75020785b34ffec0ba6032557d309

SHA256
d1869cd469726183b4cd85c3d7fb5a97f6466ac10e939c772b0c3f0763864b2b

SHA512
8fbac1777be44f61dea963e08f1d658ee2179b1353254de877d38ed4d5ff1de7f4f661f221ff224ee859f169766342687ec0691ce1ed63216d9bd0f7ee0fcd0f

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
da1843bd78e186e0ea03b556a2fb5cc6

SHA1
220573bd78f237f2d082107c62dd0c45eb58af74

SHA256
78e01b319ee89bafb2ec273f06f6f75d685af339767c114da770d77231b8b97c

SHA512
6ccd50cd8223f69b95cbd7d4d37693b9255cd9172291d31f12b73019d7e40681a7fe19eac25dd21a0d9256451a184743157637696ae65f85ff008a5993742c3b

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads