Analysis
-
max time kernel
33s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-05-2023 16:16
General
-
Target
Remover.bat
-
Size
4.4MB
-
MD5
f3aa3ff4c657d03f217b05e3de5cfe0f
-
SHA1
f39fe9fecd327901aceb32d55979fb49300a907a
-
SHA256
3c22aced502398a94ad0c44fbdb1eb78e96a500e39af497ff6c7a9f9c512ef25
-
SHA512
99ef3dba1ccd41f4284a2026edd400acff7ec0fb13652e8da71a17417a2c7ed571a227559b3f7b5991f7aa79cd883d14cd6cf17582095633597ed826ffcdd637
-
SSDEEP
24576:DuFAc9dtV23GygMMgqMPGBpQdLZF4VxNB6bu6T4Llm8H2fNjx/YNcQq3NON5BOze:ppgMlWQojUWxw94oa
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 49 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Remover.bat"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ConvertToStep.js"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeProtect.mov"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExportResume.au"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.0.1912734166\787153419" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c68d4702-1c8e-4449-80ae-a36388538980} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1256 13aa9d58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.1.2103280409\83349744" -parentBuildID 20221007134813 -prefsHandle 1448 -prefMapHandle 1444 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72eaf041-531c-4989-9506-1542ba0bfc6c} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1460 d6f558 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.2.573120839\20026007" -childID 1 -isForBrowser -prefsHandle 1692 -prefMapHandle 1680 -prefsLen 21119 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a1087b-9a71-42e5-bfde-86fd3a55b156} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1928 196ef158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.3.1239535465\296085215" -childID 2 -isForBrowser -prefsHandle 572 -prefMapHandle 564 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ba981d-e0b3-4970-912f-cd5a8e4039f7} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2328 d71c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.4.629192135\1675576332" -childID 3 -isForBrowser -prefsHandle 2796 -prefMapHandle 2776 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96a2f297-651d-4c9b-8bb5-76c497dfb25b} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2816 d5b558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.6.1632138888\1105869550" -childID 5 -isForBrowser -prefsHandle 3640 -prefMapHandle 3632 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f887f4-36e1-4a3f-bf8b-b63399a15f18} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3688 1cea6758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.5.785602361\2050609299" -childID 4 -isForBrowser -prefsHandle 3672 -prefMapHandle 2564 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad2207a4-d35e-4986-9fca-c54f3c260894} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3636 1cd64258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.7.1051414740\163089350" -childID 6 -isForBrowser -prefsHandle 4000 -prefMapHandle 3468 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52493f39-1152-49ec-8cf1-d1fcae35607f} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3992 1cea8558 tab3⤵
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\CheckpointCopy.vbs"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmpFilesize
150KB
MD5c8c1f990752d1824a97a826cabb9e1e2
SHA1b2fa0281e5cc4f6215c82d41b0c07c27af49e3b6
SHA256fbf28343029e53d0f4e0cb0d35c3bcb028cfb48e7c95776c8cc1dd5e61220acf
SHA512204283e6cea505a78ac66c258cd0c4a4ff53d122c72198b5464433759a5ef04bb03dc3338ac6342969b5447b9356169df6a85f81ccad779ce3e3eba7d1d1eb20
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.jsFilesize
6KB
MD5024c6fe18df82522164511c697474338
SHA1152f2037990159375f4846bec398c223ac5e6ba0
SHA2562bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2
SHA512071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225
-
memory/296-55-0x000000013F9D0000-0x000000013FAC8000-memory.dmpFilesize
992KB
-
memory/296-56-0x000007FEFAB20000-0x000007FEFAB54000-memory.dmpFilesize
208KB
-
memory/296-57-0x000007FEF62C0000-0x000007FEF6574000-memory.dmpFilesize
2.7MB
-
memory/296-58-0x000007FEFB270000-0x000007FEFB288000-memory.dmpFilesize
96KB
-
memory/296-60-0x000007FEFAA20000-0x000007FEFAA31000-memory.dmpFilesize
68KB
-
memory/296-59-0x000007FEFAB00000-0x000007FEFAB17000-memory.dmpFilesize
92KB
-
memory/800-171-0x000007FEFA580000-0x000007FEFA591000-memory.dmpFilesize
68KB
-
memory/800-185-0x000007FEF67F0000-0x000007FEF6820000-memory.dmpFilesize
192KB
-
memory/800-132-0x000007FEFAB00000-0x000007FEFAB17000-memory.dmpFilesize
92KB
-
memory/800-133-0x000007FEFAA20000-0x000007FEFAA31000-memory.dmpFilesize
68KB
-
memory/800-135-0x000007FEFA7C0000-0x000007FEFA7D1000-memory.dmpFilesize
68KB
-
memory/800-136-0x000007FEFA7A0000-0x000007FEFA7BD000-memory.dmpFilesize
116KB
-
memory/800-137-0x000007FEFA780000-0x000007FEFA791000-memory.dmpFilesize
68KB
-
memory/800-134-0x000007FEFAA00000-0x000007FEFAA17000-memory.dmpFilesize
92KB
-
memory/800-131-0x000007FEFB270000-0x000007FEFB288000-memory.dmpFilesize
96KB
-
memory/800-129-0x000007FEFAB20000-0x000007FEFAB54000-memory.dmpFilesize
208KB
-
memory/800-128-0x000000013F9D0000-0x000000013FAC8000-memory.dmpFilesize
992KB
-
memory/800-138-0x000007FEF5F10000-0x000007FEF6110000-memory.dmpFilesize
2.0MB
-
memory/800-155-0x000007FEFA740000-0x000007FEFA77F000-memory.dmpFilesize
252KB
-
memory/800-161-0x000007FEFA710000-0x000007FEFA731000-memory.dmpFilesize
132KB
-
memory/800-234-0x000007FEF4AD0000-0x000007FEF4AFC000-memory.dmpFilesize
176KB
-
memory/800-172-0x000007FEFA560000-0x000007FEFA571000-memory.dmpFilesize
68KB
-
memory/800-163-0x000007FEFA5A0000-0x000007FEFA5B1000-memory.dmpFilesize
68KB
-
memory/800-162-0x000007FEFA6F0000-0x000007FEFA708000-memory.dmpFilesize
96KB
-
memory/800-184-0x000007FEF6820000-0x000007FEF6838000-memory.dmpFilesize
96KB
-
memory/800-130-0x000007FEF62C0000-0x000007FEF6574000-memory.dmpFilesize
2.7MB
-
memory/800-183-0x000007FEF6840000-0x000007FEF6851000-memory.dmpFilesize
68KB
-
memory/800-173-0x000007FEF7230000-0x000007FEF724B000-memory.dmpFilesize
108KB
-
memory/800-186-0x000007FEF66C0000-0x000007FEF6727000-memory.dmpFilesize
412KB
-
memory/800-190-0x000007FEF5EA0000-0x000007FEF5F0F000-memory.dmpFilesize
444KB
-
memory/800-217-0x000007FEF67D0000-0x000007FEF67E1000-memory.dmpFilesize
68KB
-
memory/800-220-0x000007FEF6290000-0x000007FEF62B8000-memory.dmpFilesize
160KB
-
memory/800-221-0x000007FEF5E10000-0x000007FEF5E34000-memory.dmpFilesize
144KB
-
memory/800-223-0x000007FEF5DC0000-0x000007FEF5DE3000-memory.dmpFilesize
140KB
-
memory/800-222-0x000007FEF5DF0000-0x000007FEF5E07000-memory.dmpFilesize
92KB
-
memory/800-219-0x000007FEF5E40000-0x000007FEF5E96000-memory.dmpFilesize
344KB
-
memory/800-218-0x000007FEF66A0000-0x000007FEF66B1000-memory.dmpFilesize
68KB
-
memory/800-224-0x000007FEF4D10000-0x000007FEF5DBB000-memory.dmpFilesize
16.7MB
-
memory/800-228-0x000007FEF4CD0000-0x000007FEF4CE2000-memory.dmpFilesize
72KB
-
memory/800-231-0x000007FEF4C60000-0x000007FEF4C73000-memory.dmpFilesize
76KB
-
memory/800-232-0x000007FEF4C40000-0x000007FEF4C52000-memory.dmpFilesize
72KB
-
memory/800-230-0x000007FEF4C80000-0x000007FEF4CA1000-memory.dmpFilesize
132KB
-
memory/800-229-0x000007FEF4CB0000-0x000007FEF4CC7000-memory.dmpFilesize
92KB
-
memory/800-227-0x000007FEF4CF0000-0x000007FEF4D01000-memory.dmpFilesize
68KB
-
memory/1344-54-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB