Analysis
-
max time kernel
570s -
max time network
570s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
22/05/2023, 15:51
General
-
Target
G_768916 (1).rar
-
Size
8.2MB
-
MD5
e9775d944eddde92787307f5e2523c2c
-
SHA1
176b83a3a60615bb01914c60467839b50346636c
-
SHA256
18ebd9b18169a44b962b85823ff8b3f0c89893124fef76d49a32d549ca87a6c3
-
SHA512
01c40c4d2726778b5f76fb6d4a5bb18fc73da274d10213b389c9e5e5d6cfdb27596c009f1c1919c6d13f5ba9a783c322655cb9f921a89703b9c80af17dfb8130
-
SSDEEP
196608:lBJ/X/1ZpzHOrThHyst/6it2wNh5kwh+abz:lBZX/RgThYit2UIwvbz
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\G_768916 (1).rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.0.492211776\592136480" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {508089ed-ee89-4691-9565-caba0ba6f1a2} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 1716 1d2562ebb58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.1.2011005677\878006100" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2044 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d58257-c83a-4646-9479-e4d500d7721b} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 2072 1d25620e558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.2.458740075\605981031" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3056 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6c632c-2f53-4bd0-ac32-f8b8df29e954} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 2664 1d25a14a558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.3.1908339948\152582267" -childID 2 -isForBrowser -prefsHandle 3096 -prefMapHandle 3136 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9c19432-4d2c-4828-a24b-625b1bef6424} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 3112 1d25b022558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.4.121823048\1679793875" -childID 3 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94063414-360d-4cc2-9533-fecb2fc94748} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 4040 1d25ba3b558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.5.96780650\1498776688" -childID 4 -isForBrowser -prefsHandle 2468 -prefMapHandle 4700 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f608e8a4-5cc4-46a5-8bef-0d24b24893b6} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 4020 1d25c930a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.7.1851490463\244976747" -childID 6 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51079faa-f62e-4084-b986-2a066f0ecf1b} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 4020 1d25d255858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.6.316827289\2075777838" -childID 5 -isForBrowser -prefsHandle 4912 -prefMapHandle 4916 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0faf3a-0338-42dd-bf82-3d70ed5ff997} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 4904 1d25c931058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1088.8.1616290103\514819637" -childID 7 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27302 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58ae8ec-d2ef-47ae-b135-10c218c842ed} 1088 "\\.\pipe\gecko-crash-server-pipe.1088" 5828 1d25c930158 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\SystemSettingsBroker.exeC:\Windows\System32\SystemSettingsBroker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD56adacfe9da1a10e350b0153281a5c8c2
SHA1c5af943abd2cfee8b30a919e80d86610617214d9
SHA2563de9663cb83471f6c5bae0c67943024715f62fe35e4711bfbd3bf77b543bcba4
SHA512f590e1d8e0760b34ffb119d031d200ca223d97ea3f4132faf63824b3d13d6ee7838a814a1615d97723c9b1451cc3af694162cdec146db003cf8e3a128737e746
-
Filesize
9KB
MD51f7a9f1579781dcca1d52f5f6da8e873
SHA1d50991a95553efabf67e3c8accffc512a32cd397
SHA2567c2838895e94a3ffb2704b3bdaf5e1af5aca994701b23d19aa924be906052ef4
SHA5127c8f3cb4738759a22c20c2e4ad78c08ee79e0a967b65356e8ec35a0a869445dc45fc6b8b21deac0a5c6e200b7754941f3561f63ae91a8a98a52580272afc4f5b
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
224B
MD5e66d36cbcfd69fdf8db6e5c649137ef1
SHA1c1ce08cca33347fe58f95f78f61c31ac6501f511
SHA25615376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4
SHA51278a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc
-
Filesize
5KB
MD58e3b89aff5cc88b8122b1fd8b2287d89
SHA16fee0a094d4d27c46e603d68d157bea4866ff980
SHA256991265cd066634ad2334f63899c2b85b68cb08da5b72bd310939c04a7155108d
SHA512b49bcd5dc560ec6ae5c3fb86067330a3f9b4caf24a7c78d92e1ec6569de62da741fe6d353e240ae9181ce9f26f7bf369ef60e82dfd298b410435709fc323e3ea
-
Filesize
5KB
MD568760c9c17d4c472713f0ac3e70c11b4
SHA1f6e589a80f12c3f367bf6eaa48a09f2a2658cb0f
SHA256db7779b26d07ffaf9c33e7e5232b05360ed78797b8a044fac336600a07bfa90d
SHA512aab4091c43df791f6846a818d81136219dd4b97f02a71b8a7b42227655bf6f312dfef84e6e9bece37f57dcf38099b4aca7770c1c3fee4b188748fbd02f1e4800
-
Filesize
944B
MD56e888dd6fcaf9594a8c4264b6803875b
SHA1b2437376c810d15fd5bab09673a2d2ede1c088bd
SHA25626e32f944b43b35bb48ccab93e4b9e63d490da27e0f8c26afe10a193a21b03e1
SHA512cc88f691a29b9a30abaed808025cfbccaa251a2d71b32fccac292930142f0b8450cfd2e4a14a6e65fd7d3f4dee562bcde642648e0affe0763b08d34c1f699a84
-
Filesize
204B
MD572c95709e1a3b27919e13d28bbe8e8a2
SHA100892decbee63d627057730bfc0c6a4f13099ee4
SHA2569cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
Filesize
224KB
MD598aa0be3d2bead5acce5b5bcebd84cc6
SHA108537ceccf16c2d061a2d4ff6e86fd550b934245
SHA2564da9e30c959a3fdf22782b6cd2bfd2fe6dd87eb6a89b0562a8372e26e61c4197
SHA5127a2ffbfd3e9a509e0a4a977d2e3c438ae725b3a0219de374ce29f7ad146153b618a89b00677b66ec6f05040935dac677b22ee71f430ef401dadefc5eb145e17b
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
6KB
MD5f843fc3b858888d342076c7199266348
SHA197dea7b7d8486f03cc085ef488fda80fe53515a0
SHA25619b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4
SHA5129b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7
-
Filesize
1KB
MD5f733828da17f384d1ae15f1188303e05
SHA1adfdac6a3bd69873744efe50b33ff7a8ef110d37
SHA2560d121cd1e8abe00dab653d900583900a9eb1136cf7298fece9d2f040363a0996
SHA512cc769184614454ee90d9366e34b68b706e6962889b67641ef2a0caf220f3115a083c998dfb3a8f62c4eea3e53ef12f8abf2245998fac16551b9a3332e4515aee
-
Filesize
1KB
MD56c9b4c4caba9f6760b4cd1ff1283ddef
SHA1c9f741cdef9373026e6afb12d20cb307cea24be2
SHA256d8547858824a7fbc37f45a80986fb7e525a579fb81322da645aeca75fa2bc54f
SHA512af90713955cf948a0d7a685487deec02b5ca56e2c619f2d23cfa13af752052f042beec2eac662e46710167bb306451aeb7685765ee343d1605cf952aaadc59d3
-
Filesize
184KB
MD59fd9798429ef6ec3a8ea8581e77c30a3
SHA1a1dd9a4874ccb21e1a78f671d7a262e00f3a9e17
SHA25620be3aae1dec5f235bcb76e96da0d33340a3fe6314f4a077e6c4cb103e8b7c58
SHA5124d1bc60a479b95fe20df1ae3c1fb050345301056ac28c97f780656c01420fbdf71557c243380559926abb20a07caf2ec1860f9ec914ec1cc9510c78ad5adb618
-
Filesize
22KB
MD580648b43d233468718d717d10187b68d
SHA1a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA2568ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
Filesize
6KB
MD501e21456e8000bab92907eec3b3aeea9
SHA139b34fe438352f7b095e24c89968fca48b8ce11c
SHA25635ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA5129d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
Filesize
64KB
-
Filesize
188KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB