Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11/06/2023, 17:06

General

  • Target

    infected.rar

  • Size

    21.4MB

  • MD5

    bf019a439e27c17780770489fc25856a

  • SHA1

    00e1fdfe90f14db94871099667ea40ecb73162c2

  • SHA256

    154181284ea384d94c32ba0ecf8a157f8bc77e4759ff4d14cf9465fef4aba041

  • SHA512

    8686403403e1c74c5db25bf6e7c9fa84815ae242d43ac11b681f25cda5c561477db148d10b5f311f10ee940ffbc61d1366ba0f15de879da7332c05ff261eee6b

  • SSDEEP

    393216:4jwGA+3SFeBSFe3yEzglMKJgXSq6ik5hjq2ngJeyhW01nVSgVIKVy8uRn5exxGTg:HGp3SSUepcbgyhrgIyhW0nSgNghRsxAg

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\infected.rar
    • Modifies registry class
    PID:4276
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3936
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4304
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.0.1167587908\1837606571" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1612 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af6bdf8e-04bf-4618-8c51-930249aa23d7} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 1716 23be6aa5258 gpu
        PID:4772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.1.1542514600\386634449" -parentBuildID 20221007134813 -prefsHandle 2052 -prefMapHandle 2044 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96ca0568-4395-4ea5-aaff-ce894472d627} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2072 23be5910658 socket
        PID:3716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.2.2105884361\566802774" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 2680 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29dba949-f21c-499a-96a9-19baa693f222} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2652 23be9943e58 tab
        PID:4356
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.3.1974119907\238029005" -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 1076 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df14eef1-5118-46d3-92fc-7e6f1f2aaac5} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2220 23bda22e158 tab
        PID:4968
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.4.642910963\582325423" -childID 3 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2725f5e7-a3a4-47df-a9c6-9939334a4280} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 3456 23bda261658 tab
        PID:792
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.5.1842762697\634249605" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d8fc341-09e1-4d68-9e10-875d3164e22b} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4760 23bec081b58 tab
        PID:4468
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.7.534556473\512989030" -childID 6 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14b97c6f-e511-4c49-9d4d-6a9d9b68ce00} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 5088 23bec0eb758 tab
        PID:4276
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.6.57757005\218474230" -childID 5 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c263f6fc-b114-4558-9060-f48af24d759f} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4892 23bec0eae58 tab
        PID:4324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.8.333224623\1966620089" -childID 7 -isForBrowser -prefsHandle 4252 -prefMapHandle 4460 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc084e7-b65a-485d-a6d5-b662b28d3489} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2824 23bec07e558 tab
        PID:5068

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 153KB
    MD5: f31d5670faa1efb6818ba17a54eb18ee
    SHA1: f20acf6b133b02007ad5aeda52c52d3707cab2c3
    SHA256: 0bd4dcac6e275f2cf337ad779b0fc462788df02f784ee7ed753e287a944affcb
    SHA512: 2288270a624b10774bd1a76358a1876a62447b137e95178c14445f8bc3e1edaf1c9390f42a3a6ad8765271d2053b347b01f6b57563e1df28a0566da146bd6ab6
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js
    Filesize: 6KB
    MD5: c205c8a6591363331cd60c7286ad4ac1
    SHA1: 7d4c89374e88116484984f5d0b5df0d59aa63ecf
    SHA256: 81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0
    SHA512: fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: f7de50310e5c328de74abae5119af75b
    SHA1: b2ec134e27c6589cf5395e3bdf14031e55d568d2
    SHA256: 07df199b995b625c5a023ce95106afdd5a6c6db30f637ca8092dba5d72d61937
    SHA512: dd61c1503268bfa90060a951eac63b31156fc22bac034b0f64e8466bb85f9c6e15f4c65b79ef4ccb31fcd4532e987dc735fa22d45192dae2cee17f904b4ea2b1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 8901c55a3a9286847b9f5b10e101b7b9
    SHA1: ba105ee297fad906320e8dc176cdb9992d408bf4
    SHA256: cc867ab84956da83204a7b60e78bb2fa815e61f5d1316140f95bdf44f341be1c
    SHA512: 2e5d30ca5ce556aef0eaf30ea7802a1f722500513448f9b37aa521c8eb0d13dfefe7f31b13df036a403d24e50893421ed75c5ce5b459df66fc283c05acefab39
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore.jsonlz4
    Filesize: 4KB
    MD5: a947c2412787ce0c6b6356817abf1a11
    SHA1: 73bb369e5da3fe8cd12d3d1f7d46bef40c69927f
    SHA256: 155e76b7f55bc4aea9d940b6724e357c8ffff9b11fcd3006e2104e919c5f1493
    SHA512: b709db379d624fc35d117f1d71afc693c2749c4189e0738bfdc1123a4a2e633b48e7bc6e19d9dac7aff83e154d3c16bd9393b9829012ef949d7c149a6da2ccf0
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 381779f019ae2bda37b43154ff1e5f33
    SHA1: ced27b07ad43fc8cd49cde6e36793b52e77ca3bc
    SHA256: 7d905585ff08493c9fcf70607b95fdf7e27a15d12b10ab6f7ef53890199c2f0d
    SHA512: 01bffbf7f691c5cd2387782533f1117a2ac8818190423fb7ecb18d9cdced2916f493aa50da6e14ffac3971b84c612ce2c38b9f9a5ef515c162c7142254f05c8c