Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20-05-2023 21:14
General
-
Target
ChatGPT-4_Online.rar
-
Size
2.3MB
-
MD5
ae9cc5aada7d190699750a0637b91c44
-
SHA1
3bd4c2389e6db658719bf3a224ae58d72d076538
-
SHA256
e64bb75516fa8244fc31da6ee100cc10627f316aabc5ec9cfd2d9f5a028a6e4c
-
SHA512
cb2367a973d4bb389b75e5926a8e7115596c83016fc5fc9c8239ae0c663cedfbe8cb86aabc2fc7282620108efa189fd0c4a4afe0e37d80a33526381e114e3832
-
SSDEEP
49152:e+1J1nX5LY2DfnuGPq2cFaqZS0ah8BoAcIkvnEUNuC06hWydTbW:dv1JLY2Du2q24aqkZaBoAcIkMyWyw
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ChatGPT-4_Online.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.0.192616793\1480425862" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {136b4913-755e-4bae-b0ba-28e4ed89e042} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 1892 24e7c0a5558 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.1.1328187481\523714585" -parentBuildID 20221007134813 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af3535e7-f8d5-4e53-b367-ca8be9d00730} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 2292 24e6e16fe58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.2.2057377512\710779235" -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2684 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71e37f45-6a7a-49db-a2ea-0bffe860b069} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3004 24e7af93a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.3.266896026\527237296" -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6529d19-e1de-497d-a965-e5842f1d22e1} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3800 24e7dbf0058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.4.417553311\1909399445" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3944 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a86bb94-f304-418f-9450-fbfe3ec20f0c} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3984 24e7d785958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.5.961468833\995178256" -childID 4 -isForBrowser -prefsHandle 4872 -prefMapHandle 4828 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c01521d-879a-4b3b-ace2-416212327443} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3940 24e7c663758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.6.501780438\1377666319" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {325ffae9-2e8c-421e-80e8-fbe87bf03e94} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5100 24e7c664058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.7.1135609361\529484509" -childID 6 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e11c34e0-78d6-4a8c-8c46-23d6590dcd4c} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5280 24e7c664658 tab3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD58e3ab9fc51d6bfe54257c5e375204ccd
SHA1141850209af06bfa5b8a134bafa5dfb19f320c8b
SHA2565c3ec1ee0469ca1c42a2ae4ff942a5690035de2ed709bd2ba649199b929a9f9e
SHA5127d49b3a2ed7279ce9b2cdfa92c1e5589ab69b7bc3bcffa805a6eec4af23888b1e34355e59fca820be989518fd2d15de921ebc3a457a8f28d8f1673bcf29d3ce6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD58f12a4a03b6e56a7ca01a1be0cc86999
SHA1d0b08af249c4b0ced1f24eba6640f4244be0ad9a
SHA25697731f1d2c6b5814383048771cbfcfd4cca85dc44d4ace23f0d9f10d9ee30d1a
SHA51224faaae6901bd61efe8959cc354ab7b282c42d85a9a32d78caa9790924d8e68c653dafe0fe16dc29bec2962cf907a2950d6c06023a9e2d41f14f159468d7c36b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmpFilesize
149KB
MD5d168552e36420e8c3ab33da6a4356c6d
SHA138c23b61b621cf0cf6c522874dfb59b5d9cbfcad
SHA256f2285b37bf2ce7bb9a996e8e1e8a729c289af7a1e00c7c3e4be749b274e2c1f3
SHA51280a26ceeaed4bc5ab016266e1ad87915282128779a9c440a755eb75ef9512c15e930d06e6771348f4ef3b1ee8cbaf9748f14c3fe5e352bb66181bec8aa1dc5b3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\917E41E135032D6BD66E5D6F84F0988D37234A33Filesize
14KB
MD58ab08076672d54a48fc146a9c222ff48
SHA130a6dffd8d9dc83b8c17a36cb3f2099cede8ad75
SHA25697ef0fa958ef191053fac2dc5338d0ec5d62e79956e37a9d235e4f8846a01eb1
SHA5123b56f8d2c946a2a18c96f68f8a8ed60bfce95953d50456adf39d42803b85f890b35741bd8bfc7c62171d3b49d4164568ec835b955d7a30b0c81e6ecf79af5ecc
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.jsFilesize
6KB
MD5a351d6ed2e59d75aea0ec8c3c9073f41
SHA1563baef5af50b05ddcc4405abae910f06f3b48c5
SHA256bf5aefc1f1815e52f7da3a189081fdf4b7762b78008de3cc5602d0cb14aeea6a
SHA512baaf59a046d0bdc3a15cae23cb97c0ed774435ec86403a05e9e3889902d9b9a0624bb3796ebf6755f41f503684a3b08b97b62608ca13e658511d05db98139928
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.jsFilesize
6KB
MD50e6ca484baa1c06114c09843f703c17a
SHA1f0bb509d3eff302680f9e1fdcf583ca31a390211
SHA256c0651fdcb02805f182a6f73a9d7469d55289d8deead236a870dea56e07c98444
SHA5125697ae50c74d08cecdc6d6ca456089d2a1a3f547667b28d2edd97e3de98ed92e0a6a687d005f3d35c1387e93e039b70709c90c3b1552e3cdd5b5f1f3ffe6a63f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.jsFilesize
6KB
MD5001a072ed1f8c36e5011232cd9ce3735
SHA14a3d4dcd0f95137bb408213c69e59ed6221284c2
SHA25676440b63ee46e4d46d0a7576f40de2e05527bcfa91a5f70b3e1fddbab8d34451
SHA5123b35bc6a809edf25209c9821636f0905bb3fd77fa62a33acdc0d2ba7e1c7dd4d4b2756b438f03a3e32a0a7b341f9a3abcfc31b24a2fa526efd5bd42488326f91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.jsFilesize
7KB
MD5f319a8ccd4e62ee9d9213f2113df0eda
SHA1e53adaec71d7848136c5ea8a4f8dcb543911f08b
SHA2569529fc54e4b5168f837da2cac58951884111bd8a08402064583cf5a648359723
SHA512ff71c8f45395479f4c91acc9e5b3514e88148f7ac7c4a649c06395e3a9743f6eb368e21d26f6071bec0cc21aad368247f02e879913d45de8adef0b71288c4e7e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.jsFilesize
6KB
MD5feb8a52858c8167a58f36caa1b37f116
SHA17ae7f9d2721ae3c579f9e18e4fea679e8c848158
SHA256adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a
SHA512109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD583c60cc8abd2a14ee88c9259e22ae5e1
SHA156a241c80a5a2ca2d7b640f7fba8cb6f7ad53d9c
SHA25645b1444151da418c55407f1f7982741b1369f40369e236088d2b4346081a8c2e
SHA5128796142b61058ab2364a8a3553a66da1544c508835d61f19923ca9ab4a643a65ce7896364a3817f4c1021fe5ae05565beab239cb087e597aef94410f4b429647
-
memory/4616-285-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-292-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-295-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-294-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-293-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-291-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-290-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-289-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-284-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB
-
memory/4616-283-0x00000158046A0000-0x00000158046A1000-memory.dmpFilesize
4KB