Analysis
-
max time kernel
75s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09/06/2023, 16:01
General
-
Target
File-Assassins.Creed.Brotherhood.v1.03_861863.exe
-
Size
3.2MB
-
MD5
25bf828eb7f8e63e0af77f391a34bec5
-
SHA1
cf0607bcbfd85508114cf71b95186875764bbcfc
-
SHA256
364144aa26b5be6dc9bf399cf33f4a1cc64c82edd70369512b134d64bec10f4b
-
SHA512
2bd0067c887d03908712d0a8294014e08da87eb14890681ddc6434dd2d7ed2248147567d617c9e0b83a21e7dfe67f725657664b71fa56bab28d0ba1418ad4532
-
SSDEEP
49152:U7F6yA5Bneq5lGXEn8R8/iq2ir7SaJeq12X3ht5jHvisWMjqzTy8IPcd5T:U7WGXb8amYBHj5W1FIPcdZ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\File-Assassins.Creed.Brotherhood.v1.03_861863.exe"C:\Users\Admin\AppData\Local\Temp\File-Assassins.Creed.Brotherhood.v1.03_861863.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File-Assassins.Creed.Brotherhood.v1.03_861863.exe"C:\Users\Admin\AppData\Local\Temp\File-Assassins.Creed.Brotherhood.v1.03_861863.exe" /lap /toaq2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\AdventurousClothsjbUtility\AdventurouspUtility.exe"C:\Program Files (x86)\AdventurousClothsjbUtility\AdventurouspUtility.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.0.1520523334\2131632502" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1800 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b64ed240-66da-48f4-83ea-c91cf98d34f2} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 1916 2a054819e58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.1.1833599712\1754950147" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d37093db-e1a7-4dc8-a7e0-21aff9feefce} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 2316 2a04686f558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.2.1401884880\440640374" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2944 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c670f4-181b-4570-b59a-62dedb546562} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3196 2a0574fab58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.3.1777231556\1010730357" -childID 2 -isForBrowser -prefsHandle 1476 -prefMapHandle 1468 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bad4a5de-2959-47c8-8c10-35c3c5ac2a31} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3548 2a046865f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.4.1236513887\1728008223" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3960 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eea006d0-855e-46a5-9029-a4cd58137343} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4016 2a04685b858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.7.724045221\723068809" -childID 6 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4b95a3a-7540-423b-98bb-67403514a3c5} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5404 2a059e0f658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.6.1931577550\1914224836" -childID 5 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a466a841-6dc5-45f2-acce-59a2cbc84fc1} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5200 2a059e0ea58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.5.600289349\1723257581" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 3176 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f886a0d-2440-4711-adff-1d01013fb167} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4836 2a059e0ff58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.8.1974180983\691389748" -childID 7 -isForBrowser -prefsHandle 5220 -prefMapHandle 5276 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d224bd0-60d6-4448-a680-f7040227b453} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 5704 2a04685df58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.9.2076127717\939880799" -childID 8 -isForBrowser -prefsHandle 3336 -prefMapHandle 3032 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f15d4642-57f6-42e9-8509-18cb92cafe70} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3344 2a04682f058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.10.1962019004\1913308127" -childID 9 -isForBrowser -prefsHandle 3324 -prefMapHandle 5476 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab76a28-eb1a-461c-a948-eccb2789cea2} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4732 2a053a36a58 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5a6a0f7c173094f8dafef996157751ecf
SHA1c0dcae7c4c80be25661d22400466b4ea074fc580
SHA256b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4
SHA512965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94
-
Filesize
1.5MB
MD5a6a0f7c173094f8dafef996157751ecf
SHA1c0dcae7c4c80be25661d22400466b4ea074fc580
SHA256b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4
SHA512965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94
-
Filesize
1.5MB
MD5a6a0f7c173094f8dafef996157751ecf
SHA1c0dcae7c4c80be25661d22400466b4ea074fc580
SHA256b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4
SHA512965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94
-
Filesize
142KB
MD5e9f53abf24abcc7200e85ce9bab372a7
SHA1768343665c365e632f9a2d518a70df66adff9e0e
SHA256045a6f902de44bb109fe47e8a552bcb2d4c71c8d6000b85fd974c020b3c42b2a
SHA5129cb15557c57f50bc0eb639caca7defd0b07ec9e05409aadadfd1cf95b99283137827f77ba63b99ef7b4551b99610bcb5e8ddb68a200995b1a1e96c9b3dc60a0e
-
Filesize
6KB
MD5642ae00e1fff3667948ca01b1a1e91ec
SHA1c7e3601f3ed6d7887bcc43472b9b182ee4b4c4ad
SHA256ef4b538520d22e2d3d09a9e733520766c2652ceb0a9e4fe7d022dbee630e84a8
SHA5129d7cef0faa81813a3b40160e33f002e8e152a4f0b6ee5382a74f0eda54a38dbd2ba250c34f27acc13f782760ff650edbaec9a044ab3c8f2f05aa2c2e59e29dd9
-
Filesize
6KB
MD5910d088738d30c6e38c2f7db609941d8
SHA128012b59010c7897ed7169dcfb681f748d6deea0
SHA2565bd92307daa19c1f9a43a15c777d069dda7a6fd61d7de4e59a7f1e2859c1830f
SHA51290357b46810f35daab4f50b43e261f691e466a6d8263d626a7f5bb3030e77cfafa7e6b1a60424dc47b57d8f74597308f47123c25da4b75a07f28913980871ba2
-
Filesize
7KB
MD549c7ade2cc29ca87c71031ddf574c834
SHA1bcd8fea52db8bcc91a9df2132c5d9d9d92a5f616
SHA2569144c2d0a341f0dec4f4121e7daa5422578ca667ba6cbd0768a701f90acbb8d2
SHA51292b34c3eb52af071084009e10312e268c99edca436eac767054899544e1e2590e42b02ce44f7ec08491da82198a78566a504ee4857f1e3b675a429584df79529
-
Filesize
6KB
MD5108b97b1ff7efbdb1aecce96d55ff2e5
SHA1bb72b2e0c3d859fe5e821632307a32df331b55e1
SHA256c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e
SHA512e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc
-
Filesize
1KB
MD5a2178b68d508fd76cc2bf98dd28f333c
SHA1155e981a988d0658ace5d41e7c0573db66b94716
SHA256d8814cd1e7fbdf9a35c8b60d348bc7f2b430f6212a595f62a63981464974306d
SHA512bc94d92182c0f5faab6b1b5ca396404242163f6f0b625ec9177157e9c1b5469fc310b151bfc0ee7b835754b6e1179a9ef839a0e38c37540a481a1c702ac3237b
-
Filesize
4KB
MD5e118330037f4b92563c3be77b18a2f8e
SHA12e312ae9d9699dd44d907f5680f46919c2deb6db
SHA256f055898bc75d7094f73411b1f36cfd97615647dbcbe61df0463f7b9c98209bff
SHA512ae3091447eec653081b1309c46eded8a29133abea255faa7334599e6eb5cd88ab1b95336d28de51c1ccb832fc7c21d381f0b904aa3ab190d165665397f0ca544
-
Filesize
4KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
4KB