Resubmissions

11/04/2023, 00:54

230411-a9jb8sbb4y 1

11/04/2023, 00:50

230411-a6378sbb2w 1

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11/04/2023, 00:50

General

  • Target
    PDR.exe
  • Size
    11.7MB
  • MD5
    24a77eda3be2a02b022484f5b1e0248a
  • SHA1
    4aa4f3ddec505225340a907b2842303d1ca36460
  • SHA256
    6ffb8c3e46190de4f35eeb3b27be48e64fc6c0d65765673fcec208b02551b817
  • SHA512
    f806027f3fdebd9d0f18c2c86efd27cbc9e096cc4727079184cb3119b77282a8dd7976f01e7aff6716fe2d8414e3f120aae819ab3ca01f83af7ced6a679dbb3c
  • SSDEEP
    196608:Lvn3mRbyLISkEQEyvVtBl91DpEdghRndjZ5Q6:D3mRbyLISkEQEyvVtX91GdghRdrR

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

In the process tree below, every signature shown against a process is attached to OpenWith.exe (PID 4316) or to the firefox.exe processes (PIDs 4672 and 1432); none is attached to PDR.exe itself (PID 2264). The Task Scheduler entry carries no IoC and is not attached to any process in the tree.
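The Task Scheduler signature records only that the API was touched (one TTP, no IoC), so the follow-up on a host is to look at what tasks actually exist and what they do. The following is an added example, not code from the report or from the sandbox: a Python parser for the Task Scheduler XML format, which is the form a task takes on disk under %SystemRoot%\System32\Tasks, in `schtasks /Query /TN <name> /XML` output, and in the TaskContent field of Security event 4698. The embedded task definition is constructed for the example; its author, trigger times and action path are hypothetical and were not recovered from this sample. `assess` applies the page's own criterion (runs on boot/logon or at set times) plus two checks a triager would add: whether the action lives in a user-writable path and whether it asks for the highest available run level.

```python
"""Summarise a Task Scheduler task definition and flag persistence-style settings."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition with hypothetical values (added example; nothing
# here was recovered from PDR.exe). Same schema as the files under
# %SystemRoot%\System32\Tasks and the TaskContent field of event 4698.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2023-04-11T00:55:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\Temp\PDR.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Trigger types that make a task run at boot/logon or at set times.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "CalendarTrigger", "TimeTrigger"}
# Path fragments a standard user can write to; a scheduled action living there is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


@dataclass
class TaskSummary:
    author: str
    triggers: List[str]   # trigger element names, in document order
    run_level: str        # LeastPrivilege (schema default) or HighestAvailable
    commands: List[str]   # "command arguments" for each <Exec> action


def _local(tag: str) -> str:
    """Strip the namespace from an element tag: '{ns}LogonTrigger' -> 'LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml_text: str) -> TaskSummary:
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [_local(el.tag) for el in trig]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    commands = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append(f"{cmd} {args}".strip())
    return TaskSummary(author, triggers, run_level, commands)


def assess(task: TaskSummary) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for t in task.triggers:
        if t in PERSISTENCE_TRIGGERS:
            findings.append(f"persistence trigger: {t}")
    for c in task.commands:
        if any(frag in c.lower() for frag in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {c}")
    if task.run_level == "HighestAvailable":
        findings.append("runs with highest available privileges")
    return findings


if __name__ == "__main__":
    summary = parse_task(SAMPLE_TASK_XML)
    print(summary)
    for line in assess(summary):
        print("-", line)
```

To use it against a real host, feed `parse_task` the contents of each file under %SystemRoot%\System32\Tasks (they are this XML, without an extension) or the TaskContent of each 4698 event in the analysis window, and compare task registration times with the submission time above.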

Processes

Depth markers: 1⤵ marks a root process; 2⤵ and 3⤵ mark children of the nearest preceding entry one level up.

  • C:\Users\Admin\AppData\Local\Temp\PDR.exe
    "C:\Users\Admin\AppData\Local\Temp\PDR.exe"
    1⤵
    PID:2264
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4916
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4316
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.0.856860429\204966372" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da222777-1bff-49c9-90c9-acf6f4bf62dc} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 1732 18c8fe17858 gpu
        3⤵
        PID:3660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.1.1966468942\1778448792" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1bddbe5-3050-4427-ad03-baa1f0b1860f} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 2088 18c8ec12558 socket
        3⤵
        PID:4136
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.2.1732075867\348797575" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2824 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdcc2655-346f-4a8b-a1ba-6c8ad9f052fc} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 2840 18c92b3a658 tab
        3⤵
        PID:3144
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.3.1510463116\1757471983" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3528 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e58915-d6ab-4a7f-a4a5-b44bd9271fd2} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 3556 18c93272b58 tab
        3⤵
        PID:4360
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.4.891352594\810589541" -childID 3 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0c8f2c4-ddd6-4f92-90cf-20bd544e2060} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 3596 18c83762b58 tab
        3⤵
        PID:3860
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.5.1525508829\1762733580" -childID 4 -isForBrowser -prefsHandle 4400 -prefMapHandle 4416 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79caa621-eafd-413a-9067-48b2b8af1e10} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 4428 18c9531c358 tab
        3⤵
        PID:432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.7.1164332957\305198111" -childID 6 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70646417-b38e-4744-829d-523e263b7840} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 4968 18c9534f058 tab
        3⤵
        PID:68
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.6.620476746\1009092050" -childID 5 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46fce39a-bfcb-493b-a08f-e46bb09ed3c4} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 4768 18c9534d558 tab
        3⤵
        PID:868
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.8.321909598\1397293493" -childID 7 -isForBrowser -prefsHandle 5368 -prefMapHandle 5376 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7ea4e4-dff3-4f06-8863-4a924c602e3d} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" 5400 18c8f188958 tab
        3⤵
        PID:4704
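In this list the N⤵ depth markers are what encode which process spawned which, and the signature bullets sit on the process they fired in. The following is an added example, not code from the report or from the sandbox: a Python parser that rebuilds the tree from those markers and attributes each signature to the image it was recorded against. The embedded input is an excerpt of this page's own process list (the long Firefox command lines are shortened). Run over it, it shows the Checks processor information in registry and WriteProcessMemory hits on firefox.exe, the SetWindowsHookEx hit on OpenWith.exe and firefox.exe, and no signature on PDR.exe (PID 2264), which is the first thing to establish before reading the 1/10 score.

```python
"""Rebuild the report's process tree from the flattened text (added example, not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Excerpt of this page's own "Processes" list with the long Firefox command lines
# shortened. Depth 1 is a root process; depth N+1 is a child of the nearest
# preceding depth-N entry.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\PDR.exe
"C:\Users\Admin\AppData\Local\Temp\PDR.exe"
1⤵
PID:2264
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
Modifies registry class
Suspicious use of SetWindowsHookEx
PID:4316
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
Suspicious use of WriteProcessMemory
PID:4672
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
PID:1432
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.0.856860429\204966372" gpu
3⤵
PID:3660
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1432.2.1732075867\348797575" -childID 1 -isForBrowser tab
3⤵
PID:3144
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)
    children: List["Proc"] = field(default_factory=list, repr=False)

def parse_tree(text: str) -> List[Proc]:
    """Entry layout: image, command line, 'N⤵', zero or more signature lines, 'PID:n'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    procs: List[Proc] = []
    stack: List[Proc] = []  # stack[d-1] = most recent entry seen at depth d
    i = 0
    while i < len(lines):
        image, cmdline, marker = lines[i], lines[i + 1], DEPTH_RE.match(lines[i + 2])
        if marker is None:
            raise ValueError(f"expected depth marker after {image!r}")
        depth = int(marker.group(1))
        sigs, j = [], i + 3
        while not PID_RE.match(lines[j]):  # signature bullets sit between marker and PID
            sigs.append(lines[j])
            j += 1
        proc = Proc(image, cmdline, depth, int(PID_RE.match(lines[j]).group(1)), sigs)
        del stack[depth - 1:]  # keep only this entry's ancestors
        if depth > 1:
            if len(stack) != depth - 1:
                raise ValueError(f"depth {depth} entry {image!r} has no depth {depth - 1} parent")
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
        i = j + 1
    return procs

def signatures_by_process(procs: List[Proc]) -> Dict[str, Set[str]]:
    """Map each signature name to the (lower-cased) image names it was attributed to."""
    hits: Dict[str, Set[str]] = {}
    for p in procs:
        for s in p.signatures:
            hits.setdefault(s, set()).add(p.image.rsplit("\\", 1)[-1].lower())
    return hits

if __name__ == "__main__":
    tree = parse_tree(REPORT_EXCERPT)
    for p in tree:
        name = p.image.rsplit("\\", 1)[-1]
        print("  " * (p.depth - 1) + f"{name} (PID {p.pid}) {p.signatures}")
    for sig, names in sorted(signatures_by_process(tree).items()):
        print(f"{sig}: {sorted(names)}")
```

The same parser runs over the full list on this page once the command lines are pasted in unchanged; the stack-based reconstruction handles any depth, so sibling depth-3 content processes are attached to the depth-2 firefox.exe (PID 1432) rather than to each other.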

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 151KB
    MD5: 1a451957ebb631c053301dd93634b035
    SHA1: a52dec93af8fa5dad7cc59100c8f8a792b342274
    SHA256: f87e8db9cb9b5f15dc0b54fa2ec410f64b6481e73fa8081847c3627360429360
    SHA512: e8614146151495b96cc168988b9274bcc1d6854b789f032668e9d0023119d4081957b6165dbe32efe5cbb29b07b0db89e5218941107a7dc04c8a2a6914c6dede

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js
    Filesize: 6KB
    MD5: c205c8a6591363331cd60c7286ad4ac1
    SHA1: 7d4c89374e88116484984f5d0b5df0d59aa63ecf
    SHA256: 81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0
    SHA512: fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: e93705d612f7a0164baa8604505ca17d
    SHA1: af4d7162b2c06611a9172e8a41f2d6bd6f7a148d
    SHA256: 6efe1ece29c9e4e0d9d87bef9ac6428d713c73d954bea6915187748f0b80279b
    SHA512: b51ad858b95c969108c314938e7fd28fa2265b38acc51c73973de6aea2894e8613c7614fb96a345ba5c3229f6851d3319390f7f19d5644e72f1b34149b237016

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4 (second capture of the same path; the contents differ from the entry above)
    Filesize: 1KB
    MD5: ca9f1a4a3f06ff06f32d85388a0dffba
    SHA1: 70095803c2bc4a898c8fec324f2469a2f52b8281
    SHA256: f671cbf886041e2b490c129d00e406f367bd7e09a7beba538f4ab46b73ae101b
    SHA512: 2b141b0991cc0b89f962b30c339e8457616d6e281061e74c604f92ee57ede9a6068dadbec212e991e9a767b8e8d3cfdae8cda0393e54ede3a01c47fdf4d39b52