Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-04-2023 21:43

General

  • Target

    eicar_com.zip

  • Size

    184B

  • MD5

    6ce6f415d8475545be5ba114f208b0ff

  • SHA1

    d27265074c9eac2e2122ed69294dbc4d7cce9141

  • SHA256

    2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad

  • SHA512

    d9305862fe0bf552718d19db43075d88cffd768974627db60fa1a90a8d45563e035a6449663b8f66aac53791d77f37dbb5035159aa08e69fc473972022f80010
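The digests above identify the submitted archive, not its contents. The practical check before trusting a 1/10 score is to confirm that the archive really wraps the EICAR test string and nothing else, without extracting it to disk or opening it. The following is an added example, not part of the sandbox report: it builds a stand-in zip in memory (its archive digests will therefore differ from the ones listed above, since zip timestamps differ), hashes each member, flags members that match the EICAR specification, and caps how much it will inflate so a tiny archive cannot be a zip bomb. The member name `eicar.com` and the size cap are assumptions.

```python
import hashlib
import io
import zipfile

# The canonical 68-byte EICAR test string (a public anti-virus test signature,
# not malware). The specification permits trailing whitespace up to a total
# file length of 128 bytes.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128

# Published digests of the bare 68-byte string.
EICAR_DIGESTS = {
    "md5": "44d88612fea8a8f36de82e1278abb02f",
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
}

# Assumed cap: refuse to inflate any member claiming more than this, so a
# 184-byte archive cannot expand into unbounded memory (zip-bomb guard).
MAX_MEMBER_BYTES = 1024 * 1024


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, in the same form the report uses."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_eicar(data: bytes) -> bool:
    """True if data is the EICAR string, optionally padded with whitespace."""
    return (
        len(data) <= EICAR_MAX_LEN
        and data.startswith(EICAR)
        and data[len(EICAR):].strip() == b""
    )


def inspect_zip(zip_bytes: bytes) -> dict:
    """Hash every member of an in-memory zip and flag EICAR payloads,
    reading only from memory and never executing or extracting anything."""
    report = {"archive": digests(zip_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                report["members"][info.filename] = {"skipped": "member too large"}
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)  # never trust the header's size
            report["members"][info.filename] = {
                "size": len(data),
                "is_eicar": is_eicar(data),
                "matches_published_digests": digests(data) == EICAR_DIGESTS,
                **digests(data),
            }
    return report


def build_sample_zip() -> bytes:
    """Constructed stand-in for eicar_com.zip containing a single EICAR member.
    Its archive-level digests will not equal the report's, because zip
    metadata such as timestamps differs; only the member digests are stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_zip(build_sample_zip()), indent=2))
```

Run it against the real submission by passing the archive's bytes to `inspect_zip`: a member whose `sha256` equals the published EICAR value confirms the sample is the test file, and any member that is not EICAR, or that is skipped for size, is a reason to distrust the benign score rather than accept it.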

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the read is attributed to the Firefox child process (PID 3052), not to any process spawned from the submitted archive.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip
    1⤵
    PID:428

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\MoveProtect.bat" "
    1⤵
    PID:1276

  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\MoveProtect.bat"
    1⤵
    PID:3652

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnlockConnect.xhtml
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4856

      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:316

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3052

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.0.749594616\669997206" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b309b26-3cfd-43af-a144-88402b243c28} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 1936 22cffbf9958 gpu
            3⤵
            PID:1756

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.1.688226255\1485105759" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e14ad94-471b-4897-9584-2dc4d1d3163c} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 2316 22c89153258 socket
            3⤵
            PID:4016

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.2.1763316165\1306693748" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2896 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fd082d0-d4fa-480f-a656-9689ff7a1d7b} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 3012 22c8b9f5558 tab
            3⤵
            PID:5096

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.3.515674352\1106438174" -childID 2 -isForBrowser -prefsHandle 3360 -prefMapHandle 1248 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c3d9863-7455-4766-900f-615124ee0c27} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 2460 22c8a4fcd58 tab
            3⤵
            PID:220

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.4.1862888337\659535382" -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2ef0a4-3557-4d22-83c6-ed2047a129c6} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 4184 22cfad6e258 tab
            3⤵
            PID:392

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.7.851589742\1021360214" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d13512a-87c9-45b4-9c72-3c01c03675eb} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 5392 22c8e520958 tab
            3⤵
            PID:5084

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.6.1558094742\1551599473" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7837d6ed-0e97-41f1-938a-6e22041d2824} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 5192 22c8e51e558 tab
            3⤵
            PID:1372

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.5.1066513230\949380778" -childID 4 -isForBrowser -prefsHandle 4972 -prefMapHandle 5060 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {073a8b5d-8a94-4407-9641-a451f59399b1} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 4796 22c8e521558 tab
            3⤵
            PID:1380

          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.8.2054202398\903606049" -childID 7 -isForBrowser -prefsHandle 4360 -prefMapHandle 1612 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02898b2-c115-4e13-bc4a-4fdea4cdc6c5} 3052 "\\.\pipe\gecko-crash-server-pipe.3052" 5240 22c8e143c58 tab
            3⤵
            PID:3736
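Every "Suspicious use of ..." signature in this report hangs off the Internet Explorer and Firefox trees, and the only process that names the submitted archive at all is Explorer.exe opening its location with `/idlist`. That lineage, not the raw signature count, is what justifies the 1/10 score. The following is an added example, not part of the sandbox report: it parses a process tree written in the layout used above (image line, command line, `N⤵` depth marker, optional signature bullets, `PID:` line), rebuilds parent/child links from the depth markers, attributes each signature to its top-level ancestor, and reports whether the sample was ever executed or handed to anything other than Explorer's shell-open. The embedded `REPORT` text is a constructed, abbreviated copy of the tree above; the parsing rules and the treatment of `explorer.exe /idlist` as a non-execution are assumptions about this layout, not the sandbox's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")

# Constructed, abbreviated copy of the process tree above (same layout).
REPORT = r"""
• C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip
  1⤵
  PID:428
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\MoveProtect.bat"
  1⤵
  PID:1276
• C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnlockConnect.xhtml
  1⤵
  • Modifies Internet Explorer settings
  • Suspicious use of WriteProcessMemory
  PID:4856
• C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
  2⤵
  • Modifies Internet Explorer settings
  PID:316
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  PID:1516
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  • Checks processor information in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:3052
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3052.0.749594616\669997206" gpu
  3⤵
  PID:1756
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    signatures: list = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> list:
    """Parse the rendered tree into Proc records, linking each process to the
    nearest earlier process one depth level up (how the N⤵ markers nest)."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• ") and cur is None:
            cur = Proc(image=line[2:])            # new record: image path
        elif cur is not None and not cur.cmdline:
            cur.cmdline = line                     # next line is the command line
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif line.startswith("• "):
            cur.signatures.append(line[2:])        # signature bullets precede PID
        elif (m := PID_RE.match(line)):
            cur.pid = int(m.group(1))
            cur.parent = next((p for p in reversed(procs) if p.depth == cur.depth - 1), None)
            procs.append(cur)
            cur = None
    return procs


def root_of(p: Proc) -> Proc:
    while p.parent is not None:
        p = p.parent
    return p


def signatures_by_root(procs: list) -> dict:
    """Map each signature name to the top-level process trees that raised it."""
    out = {}
    for p in procs:
        root = root_of(p)
        for s in p.signatures:
            out.setdefault(s, set()).add(f"{root.image} (PID {root.pid})")
    return out


def sample_execution_evidence(procs: list, sample_name: str) -> list:
    """Processes whose image is the sample, or which received the sample path
    on their command line. Explorer.exe /idlist (a shell-open of the file's
    location, assumed here to be the harness presenting the sample) is excluded."""
    needle = sample_name.lower()
    hits = []
    for p in procs:
        image_name = p.image.rsplit("\\", 1)[-1].lower()
        if image_name == needle:
            hits.append(p)
        elif needle in p.cmdline.lower() and not (
            image_name == "explorer.exe" and "/idlist" in p.cmdline.lower()
        ):
            hits.append(p)
    return hits


if __name__ == "__main__":
    procs = parse_tree(REPORT)
    for sig, roots in sorted(signatures_by_root(procs).items()):
        print(f"{sig}: {', '.join(sorted(roots))}")
    print("execution evidence:", [(p.image, p.pid) for p in sample_execution_evidence(procs, "eicar_com.zip")])
```

When the evidence list comes back empty and every signature resolves to a browser root, the "suspicious" hits are sandbox and browser noise; a non-empty list (the sample as an image path, or passed to cmd, wscript, rundll32 or similar) is the point at which a low score deserves a second look.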

Network

MITRE ATT&CK Enterprise v6

Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

                            Filesize

                            154KB

                            MD5

                            6a4e2ddf8b4a9b8945c2da43d4ce0ab0

                            SHA1

                            d794aa7266346184e690a41ae3dcdb3df53c816f

                            SHA256

                            e82e5dfa1b5bb7a1e91f997baf72f719fc85dcc7c9334f531b068aa5efb2558a

                            SHA512

                            9c9bd437f0d724c5852c4bcfd47481cfe66d7976abb3e751c5bd02a88a5191e9faaaa0fcd0df46fbe6939b89bc8e2c8fb161d191066a88fedcdacb617363f259

                          • C:\Users\Admin\AppData\Local\Temp\~DFA14AD34DE4ABE8D2.TMP

                            Filesize

                            16KB

                            MD5

                            ba49cfc5f414f1aba36d7150de8e34c8

                            SHA1

                            f9a4716c966c94be265ba20a36b59ae072089251

                            SHA256

                            f53e5591f430aacdd1ff4ca9475fda33af4255f129ca197027c23664803c1e71

                            SHA512

                            5be9d3291b27ba62012cc7c70cb19c743bb67a7c592d68a589f5eaafaa2905ff4ca5745d6908ef61c9a954e53b044d5d913c7fb7403580c34552dc57c226b42c

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                            Filesize

                            6KB

                            MD5

                            873e561460643fe0bf0cd8b96c587009

                            SHA1

                            fda3671e3561144df316cf1fb5a23274accb71e9

                            SHA256

                            7004e70f570f0dec9d37d5b900363eba9030bc9b58aee716c492f3bdeccfbcfd

                            SHA512

                            9de0fd70c521bff3e85b06763a7d08b4956eb6b814ef8961eff9426c1e55aa9d11c37bfb6b8e1d16eedf32fdf2e3a411eafb931cfed94f6a74b12ae56af7048f

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                            Filesize

                            6KB

                            MD5

                            fce829808c9ae0b894fa2ae90a07b4b9

                            SHA1

                            1214a86dceeb1246242d8971781a3f7ff92650bd

                            SHA256

                            366542194f8898480c0dfc63e1adf63ecdcadf5f4a7fd1c62792018641b3581c

                            SHA512

                            48deb9dafc0c20d4032a70185d80d3cb64dfec7b7f59bb5e987ecefe91932ae5392901337990e4e1241bc0dda44ac173feefcbce8248df5f0e408231b9ec5c86

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                            Filesize

                            7KB

                            MD5

                            de37280ab15de5b0c7077b5742e9b46f

                            SHA1

                            789d38130614427307444f14cd99d28d51c17383

                            SHA256

                            23b7ebbb81401c59a948432e9c3a86dffb818ec81faf4017c75ae362e7ec407d

                            SHA512

                            806998bc4b8487c3ba4d5053519df67093db98f6480293c308f2a4c54388868a8e3b5a61b0d92681c2aafe2eca199efb787a68feee0d3fe77f04a859679dc953

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                            Filesize

                            6KB

                            MD5

                            655a9c7461bf5cd44817f03765cab37f

                            SHA1

                            893bf77d678c22e235cc15f283b96c4bfe146a31

                            SHA256

                            de64d838d7f1cd9e19f98096bcaaa2f0ce601a2d5980cdaf1d95a1630b6898c7

                            SHA512

                            b2d8c7ec756871ed030ce111c61d26bbc885df36db70c0515c027f46ae06311312ea444ac83c2bb00fea5d8d69c2343437a89f248854435043f6b555aa39ce2b

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

                            Filesize

                            6KB

                            MD5

                            fcd5f37e5e4066f7cffe8eb106b6ce19

                            SHA1

                            b0a1c4d3d5c96271429fb09cb71055d177c13402

                            SHA256

                            38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

                            SHA512

                            afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                            Filesize

                            3KB

                            MD5

                            05183100e0309b8a791ba9e0a1483594

                            SHA1

                            4f285b5fa29b9fd44e98509a1292f0685f6236c6

                            SHA256

                            7da56a4de269034eaa1050f494440548c5df0163ed6c199095044a550cec9d66

                            SHA512

                            3501c3a662a0309b33b2aab3d6da4473fb65dea28fdff0ff3239cbf4cceb5cc8d004aea84bd9df19a9bec4c2198d68c7816d4ddf3d6e1f76bb40c26091691fab

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                            Filesize

                            4KB

                            MD5

                            aa72171928666bb0bf336674503b5cdd

                            SHA1

                            c89d4db0c06517123b4072cc8f8f7cdd94948bc1

                            SHA256

                            ba8e3967615b364090c2d4116fcdd9b19fee0e9544536530fb3cde4b88c1282c

                            SHA512

                            781304913e34a6696b070c48a482773f608be56b7fb7346918f8cfc0e780796b681571f86b3ddcca5d49662d03ffe2bbb4f08ae3a5230a682562b6b0dd8ad46e