9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-Rat-Remote-Administration-Tool--main.zip
Size

5.0MB
MD5

9b3b306a4a17ad6eff92e9d97e46a65e
SHA1

521447c757afd5cdbec84444bb247f9d411a2f2f
SHA256

9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485
SHA512

866b98395c6591635b1718307e3cc7a97ef620ec608a2260d28535371492f2f4c95362a46c29c4e08d69542338c4060f24a7c121b2a1e90d6d6c5ed70038781f
SSDEEP

98304:OjQOrfOehjeCSFFEYhqox9mv7Ys7q2f24IRUeIV1iwLZnnpha7Kmlf3:OjvKCSFFEYjbA77q2+pS5nLbEx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 5024 firefox.exe
Token: SeDebugPrivilege 5024 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

5024 firefox.exe
5024 firefox.exe
5024 firefox.exe
5024 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

5024 firefox.exe
5024 firefox.exe
5024 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

5024 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeDebugPrivilege	5024	firefox.exe

pid	process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe

pid	process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe

pid	process
5024	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 60 wrote to memory of 5024	60	firefox.exe	firefox.exe
PID 5024 wrote to memory of 4508	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 4508	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 2684	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 1736	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 1736	5024	firefox.exe	firefox.exe
PID 5024 wrote to memory of 1736	5024	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main.zip
1⤵
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.0.844819942\995053127" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cd734d0-027f-49b9-8fea-bed8da25f83b} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 1932 203f2eef858 gpu
3⤵
PID:4508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.1.1368469249\162420822" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {677a6a64-00e1-4d83-9d3e-75677518f7cb} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2332 203e5f70758 socket
3⤵
PID:2684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.2.330279750\583964726" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d091b0a-99f0-4bea-a9bf-65613e0e5e94} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2940 203f2e66558 tab
3⤵
PID:1736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.3.1301926521\45450349" -childID 2 -isForBrowser -prefsHandle 2492 -prefMapHandle 3524 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0d2a7a1-8696-4b5b-8cc1-484c977ada7a} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2480 203e5f62b58 tab
3⤵
PID:4104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.4.505766572\643992425" -childID 3 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e955b06f-ecce-4237-aafa-20a58439d8ad} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3952 203f6df4858 tab
3⤵
PID:1708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.5.1520109427\2131821777" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac47df9-db0a-406f-9ab2-030bd13c4db1} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5056 203e5f2fc58 tab
3⤵
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.6.1049507184\666730950" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e155ba4-1ad0-4fd1-a49d-4fd8b3f0fe0a} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5308 203f979cf58 tab
3⤵
PID:3988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.7.1234046461\1914958036" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5092 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0838893-7402-4aa5-ae98-e51ed2dd3a9f} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5440 203f979de58 tab
3⤵
PID:3356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.8.1293284175\2029035580" -childID 7 -isForBrowser -prefsHandle 5816 -prefMapHandle 5292 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8171af6-1902-4e17-84fe-60e34d261b19} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5808 203f6107558 tab
3⤵
PID:5000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.9.1880118340\1697038352" -childID 8 -isForBrowser -prefsHandle 6036 -prefMapHandle 6040 -prefsLen 26851 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b622f21-0377-4a9c-89ee-0681c3c845e7} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 6024 203f790d058 tab
3⤵
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
159KB

MD5
b012b037ea628e48424a50cdab47e021

SHA1
e08a85bde37cda76872070a59e2793acc0605d6a

SHA256
823febb0bd5808cfdd54f7092084205b67ec1253f0df114d0a18c04bcc969c6c

SHA512
2c108dd9303a8f4914b85ea8447b67051ee0c394b9074237771a948cc439aeb2718098b7cb7bb14882ebaf28ea77158983018f00a6d573a1a13432a3a70dcf8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
7KB

MD5
6778939ccbc5155a66e63367bf36ad9d

SHA1
9e96c1d76501bc3edd9bc80c5026df0867cdaad4

SHA256
4a12de830cf74c91714efb3d4791f40e06bdbf969495c6a5b701722f93bd610b

SHA512
22f797649044d8f85b60407945819d83019d339f608966ba5633d4f0992f2111aef0de523a5d9161267b9307901fa9fc09854d9dbe961690b010a680a617f985

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
7KB

MD5
5b17f2e1d031b014dd97ec493b4b4cef

SHA1
ea96b871e7a44b232550e6e8bdb10da7bad16cd2

SHA256
c57e00f5efb226be5189a793ae61362fa0802701da7ba725000adba7cc6b74bb

SHA512
41e987423b584f7edc4064e67d8af9738c1cb90951dfd0cef137fc2d790a495f417626ce8bed34ba93ce1db41d06f46e80c7053541ce3c2de6e7c2c4972445bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
dca5d20174a9dc0274ec45f649d34ed8

SHA1
d427961de50d09aa2ef7b9067bb42028576427f8

SHA256
44cade9d613ed09b621d6c803b85ec384f18bac9331b5921fd1cdb63fcc2ca5a

SHA512
fc140b68210a739c9793b5226d0c51693208122910a4e2497b0cfedda2101c6d663f08aa2a56872e0bf00f5c54c0f3fb688ee8c6a5f963e9a2c4c4597cab8478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
Filesize
6KB

MD5
22949dd2e093dd30697086a173021d38

SHA1
7faad190683e6c5f6485c4416320fadd0a2849d6

SHA256
24ef9c5f24c19a01c6b2a76b2e30720870f947de3a5d33a54f9681b91d37dcf1

SHA512
3d3069d39e85c0fecb95f6bbd69ed40f5c4a0a376ba5beb78696475c6762039d786512323893cdcf82abbb355a0fc9307cc0effeb1295eea9857c64b8b973c98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
b1c55d6f717732cd292d3109a55286f7

SHA1
85fd085b20999d53b6a81674aa284262a0fd60b6

SHA256
3b63ae55c0f7f5b477d7fced0c1dc22e57401f54eee7c09d81df848934780f1c

SHA512
1d1fa02ccaaaf5520160dd08d440205c79d5c210163f68949a2b7ba62a314af768dd85f8673c0d36e8c770fdcb80ffc37481e3bf799202db26fad912d0db5507

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
0e28a9316aaac5b02e4be0e9348109b8

SHA1
f4ece5428aa7c744d2d6bfa4121ff53dad9ae94f

SHA256
0d7073ac846d13551bf5f308e1172f55022e6313b35b10b63b5768d69ad62280

SHA512
637af0602f1bf7c8b2e7b54439d01521152fa6d45ebfa177b5289e846a67ba106ed23f80acc889f3ea49e966a35a058f5407d817098a1722544e99d36776d3b5

Download Submit