Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-07-2023 12:13

General

  • Target

    eicar_com.zip

  • Size

    184B

  • MD5

    6ce6f415d8475545be5ba114f208b0ff

  • SHA1

    d27265074c9eac2e2122ed69294dbc4d7cce9141

  • SHA256

    2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad

  • SHA512

    d9305862fe0bf552718d19db43075d88cffd768974627db60fa1a90a8d45563e035a6449663b8f66aac53791d77f37dbb5035159aa08e69fc473972022f80010

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip
    1⤵
      PID:2768
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\DisableSet.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      1⤵
        PID:2908
      • C:\Windows\SysWOW64\werfault.exe
        werfault.exe /h /shared Global\59e7bc0f7d25400c993b76ece00eff77 /t 2812 /p 2908
        1⤵
          PID:3744
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.0.793444033\1954463360" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {817ac0df-2007-4a8b-9287-8825de266ceb} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 1980 1e0cadd8158 gpu
              3⤵
                PID:2544
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.1.203225069\488470313" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69cde125-e74f-42e3-b108-7452e05af83b} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 2380 1e0be66e858 socket
                3⤵
                  PID:4656
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.2.1339852065\656572787" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3116 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e66a54-0cda-4509-8045-4c1872212c81} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 3388 1e0cee8df58 tab
                  3⤵
                    PID:5004
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.3.526584453\1678543255" -childID 2 -isForBrowser -prefsHandle 1060 -prefMapHandle 1048 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b452354e-4c63-4088-b534-611a1119d2dc} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 1092 1e0be65e258 tab
                    3⤵
                      PID:2484
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.4.979113912\38861203" -childID 3 -isForBrowser -prefsHandle 1772 -prefMapHandle 4192 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bcf1b8-b650-4f97-98f6-524a15620ed7} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4256 1e0d055b958 tab
                      3⤵
                        PID:2348
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.5.2026041156\1257408464" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef878d59-16f9-4a1b-b9d5-923074871286} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4192 1e0d055a758 tab
                        3⤵
                          PID:4644
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.7.1433901405\1335504840" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2a12305-b6e8-4bfc-a6fe-9ddb5198bf18} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5484 1e0d1431758 tab
                          3⤵
                            PID:1316
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.6.1439338328\838467566" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {612443cb-e103-44b0-a454-21df98c54313} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5212 1e0d1432958 tab
                            3⤵
                              PID:1184
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.8.1930033379\1132401006" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 5876 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {850d3a78-e414-4c4a-b0f9-4c01bebc2ad9} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5896 1e0d3090f58 tab
                              3⤵
                                PID:2132
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.9.2106773309\109277580" -parentBuildID 20221007134813 -prefsHandle 4708 -prefMapHandle 4532 -prefsLen 26936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bcf9a24-9c80-48d2-a003-d1e1e3e76e86} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4664 1e0d1281558 rdd
                                3⤵
                                  PID:4556
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.10.1116446008\1978718090" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 2932 -prefMapHandle 3244 -prefsLen 26936 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191eb37e-31bf-4ddc-b30c-210be3602e03} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 2944 1e0d127f158 utility
                                  3⤵
                                    PID:1200

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    eb7f961dbb51592b2b7e35116cc27841
    SHA1
    b723075849d6b3ae14901ea5fe38a9ef4358a4cf
    SHA256
    3515803c1c4b301d5d12d7b700c6003f57f1d969fae18c6819220143a99081d4
    SHA512
    b516e47a886c3b5091a9a39129a32b8cf85d8d2a35a8f2d52eebe8252c1fb672f9f46f023ef754e7c9ae249605dda3dfa6d2fc5d9409453252e623eb14eba296

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js
    Filesize
    7KB
    MD5
    e68ea31f4064c106fc128d67f646e9bf
    SHA1
    cf6ece8a5b44eb49b19960023417ef99c927a69d
    SHA256
    b6c3afbe56f9e727005b4c12efb195514da2ff9f95dc875c03078bef23bcc197
    SHA512
    193576cca6f3a61c48fef6debc818cab37d2b0d2dc7211ac8c4896606f83769c5241a2bcf043c4761b9fa830e9e047d57c912ddfed6a21851c423d2827abc723

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs.js
    Filesize
    6KB
    MD5
    eed11b15c7ec734b2dec374207fa7f41
    SHA1
    30fd668c5c91c3a0fe0e619570b01ff29bc996be
    SHA256
    6e72dea31f877add2cce2f646ecddd96212796fd4f5eb751e2786b944577712a
    SHA512
    62210e3a10f759bdd70612c3aecda957a7e71055fdc224fba443bb0a4643e89c9adcaf1db712b2dcc4354ac1732f58af71c9ec67863f2e69fe956da0d095a616

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    6d47e4d505c41b328e40046c0ea7e18c
    SHA1
    14a5be6a106217b59da295fc346debb68581299b
    SHA256
    1b620a8b01c9db1dead779c9d41520893cdcb21180b7108606395b7db57c2382
    SHA512
    c61c8cbb9c91b5f299f7fb2a150cb96102ecc8cd1d06a6367cc4713eea526c8e91bba079205f03a46b0ea53f29c5711d180eac98b7e91f5168cdc16df5c463d2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    a9fb6c240ef9c3ff9f64f431f374ff60
    SHA1
    17e684bbcca04f13dbe9e5423e856a4aca8f7cb9
    SHA256
    ae4d1a64c84d6d771e74d9ab0d745bf431e8e606841875418532878b440dbbab
    SHA512
    25570ec9017a0af8fdaaebbec55dd5d41d5d594425e2c7989b12114c5ac4c903725fa865962c83e6f68d6ea506403efe4674fa379bf0fdc9cadd4e9d1815bde9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    95b83b48995497c026bc563b25c5c3af
    SHA1
    13c2b5cb3ca7588ff7b649da1688887099ee8a91
    SHA256
    1fa51fd0f39b74fc2132ad478b6673f619845e63e72db40c009f5ad82f7a28ab
    SHA512
    3d22109c8a741752d19418781a2cf8212d6205820980fe4669a5fefad6e0ba2788a846b98add40cad0337f5240b32f7e32d2c15bac5927f87e9dbdad257080d0