Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
07-05-2023 17:00
General
-
Target
https://www.curseforge.com/minecraft/texture-packs/low-on-fire/download/4524893
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 41 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.curseforge.com/minecraft/texture-packs/low-on-fire/download/45248931⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3e0 0x45c1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.0.1721770065\620890782" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {870f44b4-f104-4880-9b94-e2a45b23f3f7} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1932 1db3fbece58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.1.1630221396\1126091446" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffb099b-8234-4061-b75d-7c95993b9532} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2332 1db32c72b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.2.1495179610\1165080799" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16d84a6f-c643-4bb5-a745-a286bdc8eea9} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3068 1db439ef058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.3.1952270288\1090378829" -childID 2 -isForBrowser -prefsHandle 1448 -prefMapHandle 2472 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f692ad94-ac1a-46ea-8a9c-e4fea535cf4c} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3572 1db32c6ae58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.4.1493267240\376015094" -childID 3 -isForBrowser -prefsHandle 4072 -prefMapHandle 4084 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23726e81-7113-44f0-9864-a9c19f0eb23d} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 4100 1db449d3a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.7.1836614215\1301692508" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01325d2f-9981-4606-8df9-fcec9d17d5d9} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5292 1db46589558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.6.344166972\1277444057" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67916818-b4e7-4bcb-9350-c136a5cff7b8} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5064 1db45f58958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.5.470175833\1622476588" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4224 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b269db5-9d45-4b88-bb48-dfd370aec8df} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1644 1db32c2f658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.8.2040152222\1244354965" -childID 7 -isForBrowser -prefsHandle 5564 -prefMapHandle 5328 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0d52531-6471-413a-9bdf-ab6d85a16e47} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5336 1db47ab3158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.9.703226183\469280609" -parentBuildID 20221007134813 -prefsHandle 3200 -prefMapHandle 5900 -prefsLen 26755 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9112dd73-79b5-4975-9063-ee74fed78a59} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 4524 1db32c61c58 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.10.249341113\1737323369" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6040 -prefMapHandle 6060 -prefsLen 26755 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f67bfc-b57f-421b-a8a6-0bfe3093307e} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5116 1db45f52558 utility3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ab855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD514c5e436db29ac7db9301c7374ade89b
SHA11edbc68541a9f7fcee30b0128b50e8ff551a4a04
SHA2563aa77b97fbf0ad97b71967f6324c99f34217026515d4d6583af5705c514e89d5
SHA51216214d49c04a0bef7165ba36f98262d78b1600bb4afdf82f004d04f302692f28c3bfe457be36da5fc62c7a27a8b3d94073d2d8069a3aa506cd40f85574e4724a
-
Filesize
434B
MD5dd34ff77b7172353c9506f68a62b4d13
SHA1e21eb05d00b13c987bf9075a10a7dc4273b1e128
SHA25622635b8b94bd5716a9d1c245a03d1ea99ed437d1ae9d674180c1deab3173cfed
SHA5128d4c2c26f088c418e0493aa4fe357af92704cdc42e510fec5351d846ab0b6c07d40a127e958b620a40e31ec8b1462e3cbc526d4aa075c1619b25e880a0dc5b71
-
Filesize
5KB
MD52a6dc31c23187bb5046e4799f70ae54a
SHA12432b3eec722754d7f71aa1ff53b83db869eca1b
SHA256d99655ebcecd05a59f98d7dff9b01259261d252cbfb0962239358209a833bf96
SHA512aac9d8e84c939a6fdaf18d3693915142a15e0b0b40a6e6e2a000f62e1f8128e2f83871887d4b4725ad2791825b5e386444c61ba284e578bac42980a0b647bd38
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
5KB
MD5c7b28ffc1154feffac7268ec63dd4e9a
SHA1ca70f1a3d452c472cdeeff57b2e50e69e218a4bb
SHA256b1c9f08adaa8f91957bcd20e2796814557683ed051173ae31779752632efc5b9
SHA51250b3b0c0a18c02673c42c20212841ef6a099573adad51890535c6ca6fc55658117589a4772cebac93eb8d9464e6ec7f721a183c2cc64ec4770feb1563ea83a8d
-
Filesize
160KB
MD586e72b825a2fa51d46c081a8039de0a4
SHA1f8709dfa15d0e6478b947bdf00e8d4431acf8dfb
SHA25663b39596e1f747960a344b017762a959597aa48d7d18097e444bbf5570418d2c
SHA512e2ec6427b07a73c72f342fd3cd185dd63ed45ccff458c0678749dab44265ecbfc115aaa768e216c4579d1f96b25f68b362d9e8e0043aa4bbc860b55a90110897
-
Filesize
16KB
MD522ae0cc1f2fd20d5c875565b685ece8b
SHA1fde1738b3cb904427b499c128479f05f14b82f1d
SHA256810b5d4991752b830b842e194bac0d3b6cb4f108679eef0a3fba7f8039fa4458
SHA5125892db00dd24068760612e118605f6d55b19ee8bddf188e5ea7f888a31e55359333972afcf92b02fda0471126bc732d1af029e71524a3b3c9f5231a48ba2a09c
-
Filesize
6KB
MD5e9f7f6c3fd3960d58269ee5b31f01011
SHA1e0119d7e2142b5b072992cd6b9615e54696c5b54
SHA256687c2b9576ecbed8031a8a771268623627067474dec6bd496075cc02bc15ca66
SHA5124dbdebc7f0146555a3ef98a0fab54fa80761a302c1cb1547e58c471b732b9616f1f5cfd81131510f151a865fc262dc251fee9fb69fe18f7103140f9f47eacef3
-
Filesize
6KB
MD5ff1b73ccde5e1d26cb601534d92aa0ab
SHA1fd6b1e4c3be5391cf3d0eb8696aca474c3c75d98
SHA256209e2d948e2d15ca8a861ad0623cea7dcae0b7ae3e01975de040ab3fee8a5897
SHA5120d44e7a35ebde2672a06ea58cab42076b853687e0882e0de869d42ccbaa76befd1530d91d9a7157db04ac0684214efe1cd3c03045285f6d4c03bf3652d8617b1
-
Filesize
6KB
MD5da5e8486fc520686d546f86b93eb7a13
SHA1948e7ba7c683b27afb96693eafb511ef46b64b53
SHA256617d1c842a8ce24962b6c9a5e3f09e9612b5717539a4194eaa48665d77c9a14d
SHA512ca46b60a31c2acd19e907872625ffdcd6a4d493d35207b207d03b6702e2e7d3e2bdb5bbc3d9bd2a211f5f1c880a4a573331618fbb814d4b0b5b5f3c9bb1d73e0
-
Filesize
6KB
MD50f312ff8202775bf9330ee47ef3fb331
SHA17811b8247892eace5556267cb57493cdbdab38b8
SHA256c45a5ea211d910214a5c22d6ee5c28b777bdf8037f773a17ee9eddfdcdbe97fa
SHA5127b36a61b4db30000d9bafd7d0af5ecf4dc0f09467be6e4344266cea120a9ac96c2cd03ec62f5bc21e79c386ce91e1842fd878f974d5693c0baa68d510d1b09c3
-
Filesize
7KB
MD55199467ac6362e497529ab12ba2e824c
SHA1c63f5ba41b37f83588051d2752daaf540ec1c400
SHA256eb6d2352172df654317dd6dcc0ca4651b31e4d1d2a53b22d215acd32fc6295fd
SHA5122dd911f49a08356dd319d6d9b00f4c06ba38a2168abc581aa30aff824872917feb60766846b45708925623c22db67f7505085e22cff3e0f3bdb9fb9a910c0da1
-
Filesize
6KB
MD5f73e52d124620d05267ba934f3b312d3
SHA134121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
SHA256fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
SHA5124ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46
-
Filesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
1KB
MD5f914bd9473ceef88356e379023429427
SHA1163e08908273a261be7d84c4a4e4032388f8b414
SHA2568e7af0884c1cd74d46e16de0d74de6c7bfa2d9e01b361565940cbd9d90d291be
SHA5122ffdfdf1e374dcfdf84116d38ecd6fb5a31c96f0b3a3bc0f36066e5efeba367ab00039ca9a17d20c4dfe1031d90f9aa2d4e3b9f7fa7725f1f99bd3a0fdf24ab4
-
Filesize
2KB
MD52cefb1d2fe6a06e6c3428809428bff46
SHA14ccf4f1f13c037c321144bfb710ee3cef0a10d62
SHA256fccbc865f8aa63780a5fd66d558369678257e56ab70d01076a05e5566a7f7e53
SHA512b899e99ce147648b867303080bea3e150ea91d94de70720c731e773e82b1a416dfefa59e592cdf22c4bde760ffc3e0688db4f9c0ed4cb6e90e247c7a904303b8
-
Filesize
2KB
MD5c649d388684b2fb666a8a11ae7010211
SHA194323c8e3efac9ef89433c5ed61d32eb1b2b47b5
SHA25671f4a50f29f9f1b18f3d59dba8a3a37296953c4756208413c80c83bf699b715e
SHA512443f1fda32ed0dc05e6e0a1ef9584438ff976a80d8d2f985ba30556c48ec204f5a9870ac1671fd620f836e67743534519259a2ed1a2046f12049ae5e652ff9fb
-
Filesize
12KB
MD5d2ca2344a60898e5280ecb3f4af20026
SHA1012aa5491541cbcd2767b4ab9b146ca67e8b0ac3
SHA2569a77447ca7be7ce5f038c8e86c51add73f4679a7c0694d05f2e0edc6044a0ebc
SHA51283e652b015f725f5f3c481a7e7b474bcb0c07ae018331ad7e78b8a69edd937cb67e2faba3194493fbf4332043d5c6587b49bb3b1c28f620dfc3344efcc8ce5bf