Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2023 12:13
Static task
- static1
Behavioral tasks
- behavioral1: sample eicarcom2.zip, resource win10v2004-20230703-en
- behavioral2: sample eicar_com.zip, resource win10v2004-20230703-en
- behavioral3: sample eicar.com, resource win10v2004-20230703-en
General
This page is the behavioral2 run. The size and hashes below are those of the zip archive that was submitted, not of the eicar.com file it contains.
- Target: eicar_com.zip
- Size: 184B
- MD5: 6ce6f415d8475545be5ba114f208b0ff
- SHA1: d27265074c9eac2e2122ed69294dbc4d7cce9141
- SHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad
- SHA512: d9305862fe0bf552718d19db43075d88cffd768974627db60fa1a90a8d45563e035a6449663b8f66aac53791d77f37dbb5035159aa08e69fc473972022f80010
Malware Config
Signatures
Every IoC below is attributed to firefox.exe (PIDs 2800 and 1496). In the tree under Processes, Firefox is a top-level process and not a descendant of the Explorer process that opened the sample; the archive itself (the EICAR anti-malware test file) spawned no process in this run. None of these signatures therefore describes sample behaviour.

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments. The same keys are commonly read by benign software as well; on this run the only reader is Firefox, so the hit carries no weight on its own.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings | firefox.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1496 | firefox.exe
  Token: SeDebugPrivilege | 1496 | firefox.exe

- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1496, firefox.exe (4 identical rows)

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 1496, firefox.exe (3 identical rows)

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1496, firefox.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  The report repeats identical rows; they are merged here with the number of repetitions in the last column. Every target PID is a Firefox child process spawned by 1496 (2544 gpu, 4656 socket, 5004 tab), as the tree under Processes shows.
  description | pid | Process | procid_target | count
  PID 2800 wrote to memory of 1496 | 2800 | firefox.exe | 99 | 11
  PID 1496 wrote to memory of 2544 | 1496 | firefox.exe | 100 | 2
  PID 1496 wrote to memory of 4656 | 1496 | firefox.exe | 101 | 48
  PID 1496 wrote to memory of 5004 | 1496 | firefox.exe | 102 | 3

- Uses Task Scheduler COM API (1 TTP, no IoCs listed)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows tree depth. The only process that touches the sample is Explorer (PID 2768), which opens the zip with /idlist and has no children. mshta.exe, werfault.exe and the Firefox tree are separate top-level processes.

PID 2768  C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip

PID 2908  C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\DisableSet.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

PID 3744  C:\Windows\SysWOW64\werfault.exe
          werfault.exe /h /shared Global\59e7bc0f7d25400c993b76ece00eff77 /t 2812 /p 2908
          (/p 2908 is the PID of the mshta.exe process above)

PID 2800  C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          Signatures: Suspicious use of WriteProcessMemory

  PID 1496  C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    PID 2544  firefox.exe (gpu)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.0.793444033\1954463360" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {817ac0df-2007-4a8b-9287-8825de266ceb} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 1980 1e0cadd8158 gpu

    PID 4656  firefox.exe (socket)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.1.203225069\488470313" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69cde125-e74f-42e3-b108-7452e05af83b} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 2380 1e0be66e858 socket

    PID 5004  firefox.exe (tab, childID 1)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.2.1339852065\656572787" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3116 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e66a54-0cda-4509-8045-4c1872212c81} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 3388 1e0cee8df58 tab

    PID 2484  firefox.exe (tab, childID 2)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.3.526584453\1678543255" -childID 2 -isForBrowser -prefsHandle 1060 -prefMapHandle 1048 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b452354e-4c63-4088-b534-611a1119d2dc} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 1092 1e0be65e258 tab

    PID 2348  firefox.exe (tab, childID 3)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.4.979113912\38861203" -childID 3 -isForBrowser -prefsHandle 1772 -prefMapHandle 4192 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bcf1b8-b650-4f97-98f6-524a15620ed7} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4256 1e0d055b958 tab

    PID 4644  firefox.exe (tab, childID 4)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.5.2026041156\1257408464" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef878d59-16f9-4a1b-b9d5-923074871286} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4192 1e0d055a758 tab

    PID 1316  firefox.exe (tab, childID 6)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.7.1433901405\1335504840" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2a12305-b6e8-4bfc-a6fe-9ddb5198bf18} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5484 1e0d1431758 tab

    PID 1184  firefox.exe (tab, childID 5)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.6.1439338328\838467566" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {612443cb-e103-44b0-a454-21df98c54313} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5212 1e0d1432958 tab

    PID 2132  firefox.exe (tab, childID 7)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.8.1930033379\1132401006" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 5876 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {850d3a78-e414-4c4a-b0f9-4c01bebc2ad9} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 5896 1e0d3090f58 tab

    PID 4556  firefox.exe (rdd)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.9.2106773309\109277580" -parentBuildID 20221007134813 -prefsHandle 4708 -prefMapHandle 4532 -prefsLen 26936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bcf9a24-9c80-48d2-a003-d1e1e3e76e86} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 4664 1e0d1281558 rdd

    PID 1200  firefox.exe (utility)
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1496.10.1116446008\1978718090" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 2932 -prefMapHandle 3244 -prefsLen 26936 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191eb37e-31bf-4ddc-b30c-210be3602e03} 1496 "\\.\pipe\gecko-crash-server-pipe.1496" 2944 1e0d127f158 utility
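A report rendered like this one is awkward to triage by eye: the WriteProcessMemory signature repeats the same row dozens of times, and the process tree encodes depth only as a trailing digit before the ⤵ marker. The script below is an added example, not part of the Triage report or its tooling. It merges identical signature rows, rebuilds parent links from the depth markers, and answers the question that matters whenever a signature fires: does the acting process descend from the process that handled the sample? The inputs are a constructed subset of this report's own rows; the regular expressions assume the column order shown above (description, pid, Process, procid_target) and a single-digit tree depth.

```python
import re
from collections import Counter

# Constructed sample input: a few "Suspicious use of WriteProcessMemory" rows from this report,
# flattened the way the page renders them (identical rows repeated verbatim on one line).
WPM_ROWS = (
    "PID 2800 wrote to memory of 1496 2800 firefox.exe 99 "
    "PID 2800 wrote to memory of 1496 2800 firefox.exe 99 "
    "PID 1496 wrote to memory of 2544 1496 firefox.exe 100 "
    "PID 1496 wrote to memory of 4656 1496 firefox.exe 101 "
    "PID 1496 wrote to memory of 4656 1496 firefox.exe 101 "
    "PID 1496 wrote to memory of 5004 1496 firefox.exe 102"
)

# Constructed sample input: process-tree lines in the report's "<cmdline><depth>⤵PID:<pid>" notation
# (command lines shortened; depth is a single digit, as in the report).
PROC_LINES = [
    r"C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicar_com.zip1⤵PID:2768",
    r"werfault.exe /h /shared Global\59e7bc0f7d25400c993b76ece00eff77 /t 2812 /p 29081⤵PID:3744",
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:2800',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵PID:1496',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc gpu3⤵PID:2544',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc socket3⤵PID:4656',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc tab3⤵PID:5004',
]

# Columns of the signature table: description (with source and target PID), pid, Process, procid_target.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# Non-greedy command line, then a single-digit depth, then the PID. A command line that itself ends in
# digits (the werfault "/p 2908" case) still parses because only one digit may precede the marker.
PROC_RE = re.compile(r"^(.*?)(\d)⤵PID:(\d+)$")


def collapse_wpm(flat):
    """Merge identical rows; return (src_pid, dst_pid, image, procid_target, count) in first-seen order."""
    counts = Counter()
    for m in WPM_RE.finditer(flat):
        counts[(int(m[1]), int(m[2]), m[3], int(m[4]))] += 1
    return [(*key, n) for key, n in counts.items()]  # Counter keeps insertion order


def parse_tree(lines):
    """Map pid -> (depth, cmdline, parent_pid). The parent is the nearest preceding line of smaller depth."""
    procs, stack = {}, []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        cmd, depth, pid = m[1], int(m[2]), int(m[3])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        procs[pid] = (depth, cmd, stack[-1][1] if stack else None)
        stack.append((depth, pid))
    return procs


def root_of(procs, pid):
    """Walk parent links up to the top-level process; a PID missing from the tree is its own root."""
    while pid in procs and procs[pid][2] is not None:
        pid = procs[pid][2]
    return pid


def attribute(procs, rows):
    """For each collapsed row, add the top-level PID that its source process descends from."""
    return [(src, dst, n, root_of(procs, src)) for src, dst, _img, _tid, n in rows]


def rows_from_sample(procs, rows, needle):
    """Total count of rows whose source process descends from a root whose command line names the sample."""
    return sum(n for _src, _dst, n, root in attribute(procs, rows)
               if root in procs and needle in procs[root][1])


if __name__ == "__main__":
    tree = parse_tree(PROC_LINES)
    merged = collapse_wpm(WPM_ROWS)
    for src, dst, n, root in attribute(tree, merged):
        print(f"{src} -> {dst}: {n} row(s); top-level ancestor PID {root}: {tree[root][1][:48]}")
    print("rows attributable to eicar_com.zip:", rows_from_sample(tree, merged, "eicar_com.zip"))
```

The same approach works for the other per-process signatures on the page (registry reads, AdjustPrivilegeToken): collapse, then attribute to a root, then ask whether that root handled the sample. For this run the answer is zero for every signature, which is the result a clean EICAR submission should give.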
Network
MITRE ATT&CK Enterprise v6
Downloads
The first three entries are listed without a path in the report. The last three share one path, the session-store backup in the Admin Firefox profile, and differ in size and hashes; they are successive versions of that file written by the browser, not output of the sample.

- Filesize: 6KB
  MD5: eb7f961dbb51592b2b7e35116cc27841
  SHA1: b723075849d6b3ae14901ea5fe38a9ef4358a4cf
  SHA256: 3515803c1c4b301d5d12d7b700c6003f57f1d969fae18c6819220143a99081d4
  SHA512: b516e47a886c3b5091a9a39129a32b8cf85d8d2a35a8f2d52eebe8252c1fb672f9f46f023ef754e7c9ae249605dda3dfa6d2fc5d9409453252e623eb14eba296

- Filesize: 7KB
  MD5: e68ea31f4064c106fc128d67f646e9bf
  SHA1: cf6ece8a5b44eb49b19960023417ef99c927a69d
  SHA256: b6c3afbe56f9e727005b4c12efb195514da2ff9f95dc875c03078bef23bcc197
  SHA512: 193576cca6f3a61c48fef6debc818cab37d2b0d2dc7211ac8c4896606f83769c5241a2bcf043c4761b9fa830e9e047d57c912ddfed6a21851c423d2827abc723

- Filesize: 6KB
  MD5: eed11b15c7ec734b2dec374207fa7f41
  SHA1: 30fd668c5c91c3a0fe0e619570b01ff29bc996be
  SHA256: 6e72dea31f877add2cce2f646ecddd96212796fd4f5eb751e2786b944577712a
  SHA512: 62210e3a10f759bdd70612c3aecda957a7e71055fdc224fba443bb0a4643e89c9adcaf1db712b2dcc4354ac1732f58af71c9ec67863f2e69fe956da0d095a616

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 6d47e4d505c41b328e40046c0ea7e18c
  SHA1: 14a5be6a106217b59da295fc346debb68581299b
  SHA256: 1b620a8b01c9db1dead779c9d41520893cdcb21180b7108606395b7db57c2382
  SHA512: c61c8cbb9c91b5f299f7fb2a150cb96102ecc8cd1d06a6367cc4713eea526c8e91bba079205f03a46b0ea53f29c5711d180eac98b7e91f5168cdc16df5c463d2

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: a9fb6c240ef9c3ff9f64f431f374ff60
  SHA1: 17e684bbcca04f13dbe9e5423e856a4aca8f7cb9
  SHA256: ae4d1a64c84d6d771e74d9ab0d745bf431e8e606841875418532878b440dbbab
  SHA512: 25570ec9017a0af8fdaaebbec55dd5d41d5d594425e2c7989b12114c5ac4c903725fa865962c83e6f68d6ea506403efe4674fa379bf0fdc9cadd4e9d1815bde9

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 95b83b48995497c026bc563b25c5c3af
  SHA1: 13c2b5cb3ca7588ff7b649da1688887099ee8a91
  SHA256: 1fa51fd0f39b74fc2132ad478b6673f619845e63e72db40c009f5ad82f7a28ab
  SHA512: 3d22109c8a741752d19418781a2cf8212d6205820980fe4669a5fefad6e0ba2788a846b98add40cad0337f5240b32f7e32d2c15bac5927f87e9dbdad257080d0