Resubmissions

22/05/2023, 10:31

230522-mkghkaad6t 3

22/05/2023, 10:00

230522-l1xdaafe75 3

22/05/2023, 09:58

230522-lzv4tsfe72 3

22/05/2023, 09:57

230522-lyz2dsac5z 3

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/05/2023, 10:31

General

  • Target

    winHTTP.exe

  • Size

    71KB

  • MD5

    42350d934e950efe84485f138baea04a

  • SHA1

    365e36db858e8d07fecf25a437386180b3a8e3ec

  • SHA256

    cc3530b39340965530cb06d3cf7c100cc03542dbb988830b86490f0d26934fb3

  • SHA512

    1406c9620c2a2bb2cd4d16f4968f24a0f494aed50f179c5f283f00e75c818d1ee1f35e0a5e81c2bfa415e9071980dfb03fdf801e4e87068b608eb8ddcfbd8471

  • SSDEEP

    768:F6+27TkhNSsp9b2mNCK66vBWvBNLEaLt:FN2naSgkmUK66pWvBNYe

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\winHTTP.exe
    "C:\Users\Admin\AppData\Local\Temp\winHTTP.exe"
    1⤵
    PID:4032
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.0.60991933\1883700447" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5df8b931-131e-4a5c-bec3-960277a90365} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 1732 1577fa16858 gpu
        3⤵
        PID:4744
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.1.2080973761\1934503532" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0063456-cd1f-4eb7-ad22-3339361076f0} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 2092 1577e80e558 socket
        3⤵
        • Checks processor information in registry
        PID:2752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.2.1840793668\1043026126" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dd4a5c0-c36e-428e-a504-61b83d866963} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 2788 1570a340b58 tab
        3⤵
        PID:3860
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.3.767810326\2000173280" -childID 2 -isForBrowser -prefsHandle 1076 -prefMapHandle 1376 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a523d249-1707-484b-b132-aa8ce5aa9cd4} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 3292 15708cf3b58 tab
        3⤵
        PID:2840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.4.2101363521\282293521" -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3892 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf1ec759-67eb-4e45-ba14-88ca175641ed} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 3908 15708cfab58 tab
        3⤵
        PID:2952
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.7.1644164612\525484649" -childID 6 -isForBrowser -prefsHandle 4960 -prefMapHandle 5060 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d10602-05b9-44e3-b86d-a3d72b96e8d4} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 4640 1570cbfa058 tab
        3⤵
        PID:3512
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.6.888437985\1227842449" -childID 5 -isForBrowser -prefsHandle 4860 -prefMapHandle 4864 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10c18a47-0cb3-439b-8eb5-ea9c44966cb0} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 4944 1570cbf9a58 tab
        3⤵
        PID:316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1004.5.1165252955\573181976" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4800 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4271fc1e-1c5f-41f8-99ff-adc87da23ae8} 1004 "\\.\pipe\gecko-crash-server-pipe.1004" 4748 1570cbf8b58 tab
        3⤵
        PID:3496
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5072
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\AddInitialize.gif
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:504
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:504 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1144

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    Filesize
    4KB
    MD5
    da597791be3b6e732f0bc8b20e38ee62
    SHA1
    1125c45d285c360542027d7554a5c442288974de
    SHA256
    5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
    SHA512
    d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G3QSQZEQ.cookie
    Filesize
    244B
    MD5
    f1fee011a93f19d6a32820f478d76830
    SHA1
    fbcb40a9605f3f95d21aaf411677bb6d0888e6de
    SHA256
    5ee83abc25d530a7fbc0a89c1a182cdcf04d92685842099a5b8f1a69a940e13b
    SHA512
    4eef104494f5e609a0e5f235446bbe6bfa1b28574e7f6d5d50583adf070a2537a03c8b0542586555338892dc2ec8bfc9817f3c9e63992f578eaa382ec981f14b

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    144KB
    MD5
    2c35a309c2f8424044674b17890436ab
    SHA1
    22cd1bbc319478daa1810185e0ca4e301265ae6f
    SHA256
    aff90096816cdbba51942ad38ac56997b8ccb28991f3a436ce1e5dfd7020b0a2
    SHA512
    3b33888ad841db3895eb5b7453821cd7392f3a323edeae69624318b54076c8362c549374fbdf93aa5db199f0a8f617eab6ab1ed88967403ccbd7a45f375f2fda

  • C:\Users\Admin\AppData\Local\Temp\Kno7450.tmp
    Filesize
    88KB
    MD5
    002d5646771d31d1e7c57990cc020150
    SHA1
    a28ec731f9106c252f313cca349a68ef94ee3de9
    SHA256
    1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
    SHA512
    689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js
    Filesize
    6KB
    MD5
    c205c8a6591363331cd60c7286ad4ac1
    SHA1
    7d4c89374e88116484984f5d0b5df0d59aa63ecf
    SHA256
    81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0
    SHA512
    fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionCheckpoints.json.tmp
    Filesize
    259B
    MD5
    e6c20f53d6714067f2b49d0e9ba8030e
    SHA1
    f516dc1084cdd8302b3e7f7167b905e603b6f04f
    SHA256
    50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
    SHA512
    462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore.jsonlz4
    Filesize
    885B
    MD5
    3b8569153fbf31386a18448336fa6294
    SHA1
    e032adb494fc2eaf023db7081bfed9abeef5c104
    SHA256
    cb7fdeed6619fa7708f9b0d05676e670b9236c4097976487779b50132bf22e86
    SHA512
    cb638ab13cce3a72df48465acffa281a842644e7d93cb834ef348a2c81a0dd7f390cf50af4665867653dec368e00547a360489f9f22c6625153dc569adfc3bc7

  • memory/4032-121-0x00007FF7A6670000-0x00007FF7A6698000-memory.dmp
    Filesize
    160KB