Analysis
-
max time kernel
132s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
01-09-2023 15:55
General
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmktb0xGZFNpV1NjM3Njd3p0TWRhS3BiMEZnZ3xBQ3Jtc0tsWG9aeDVYOFpjZFEtbzd4UjdBb0ZGWHdGMF9qNlpSR1ZJRENDT2NpTVY3eVlubUlCeGUwWmJ3ZVMxTGdqazduNzFHU1RiZzZickVKZXRiQTlmSXc3SkxDdW5KN1p2elBLZnhvWkRxOElObXFiYnNtNA&q=https%3A%2F%2Fgithub.com%2Fbill-zhanxg%2FMalware-Database%2Ftree%2Fmain%2FMalware&v=9iglWm4SkIs
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmktb0xGZFNpV1NjM3Njd3p0TWRhS3BiMEZnZ3xBQ3Jtc0tsWG9aeDVYOFpjZFEtbzd4UjdBb0ZGWHdGMF9qNlpSR1ZJRENDT2NpTVY3eVlubUlCeGUwWmJ3ZVMxTGdqazduNzFHU1RiZzZickVKZXRiQTlmSXc3SkxDdW5KN1p2elBLZnhvWkRxOElObXFiYnNtNA&q=https%3A%2F%2Fgithub.com%2Fbill-zhanxg%2FMalware-Database%2Ftree%2Fmain%2FMalware&v=9iglWm4SkIs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmktb0xGZFNpV1NjM3Njd3p0TWRhS3BiMEZnZ3xBQ3Jtc0tsWG9aeDVYOFpjZFEtbzd4UjdBb0ZGWHdGMF9qNlpSR1ZJRENDT2NpTVY3eVlubUlCeGUwWmJ3ZVMxTGdqazduNzFHU1RiZzZickVKZXRiQTlmSXc3SkxDdW5KN1p2elBLZnhvWkRxOElObXFiYnNtNA&q=https%3A%2F%2Fgithub.com%2Fbill-zhanxg%2FMalware-Database%2Ftree%2Fmain%2FMalware&v=9iglWm4SkIs2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.0.1295992151\1919272416" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1192 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d15ae79-6841-4f7b-b626-573c25fc0099} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 1356 43db358 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.1.2114551990\1325043739" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4fce88a-7dfa-4060-8ca7-fffed4fc2019} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 1536 e78b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.2.1393928392\999750664" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 1872 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4411bd9a-3c09-4adb-aa76-6d032dddeaae} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 2008 4363458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.3.754639664\1140110771" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2648 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dddb20f9-e4ad-4b5b-a338-97bb50abc6f3} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 2664 e6e158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.4.2029700938\469365543" -childID 3 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ba6135-f5b2-44d2-a89f-ebd46341112a} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 3776 1e59ab58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.5.522489030\858841511" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c75cea09-4a61-428b-a650-cb4123e50937} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 3744 1fdc6258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.6.684757257\837567508" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4080 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa6b54df-0525-4626-8493-9b19fd7a4061} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 4064 21489658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2224.7.1520567107\978987984" -childID 6 -isForBrowser -prefsHandle 2184 -prefMapHandle 4404 -prefsLen 26797 -prefMapSize 232675 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eeb1d940-6b3e-443b-b74a-f5cfea05ee11} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" 4360 20bcae58 tab3⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Users\Admin\Desktop\NoEscape.exe\NoEscape.exe"C:\Users\Admin\Desktop\NoEscape.exe\NoEscape.exe"1⤵
-
C:\Users\Admin\Desktop\NoEscape.exe\vc_redist.x86.exe"C:\Users\Admin\Desktop\NoEscape.exe\vc_redist.x86.exe"1⤵
-
C:\Users\Admin\Desktop\NoEscape.exe\vc_redist.x86.exe"C:\Users\Admin\Desktop\NoEscape.exe\vc_redist.x86.exe" -burn.unelevated BurnPipe.{39038AD9-5021-469E-9486-105B03CD5C29} {E95D1E2A-8C9E-4AF2-A76B-7765EA6CE828} 29962⤵
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5510a7fa9de658e876bc80c909f99adf1
SHA1b33f49262918176bbe252b081d18a4843e8c2bf5
SHA2560cdd9f41af1874de2f6d8cd5cffc799b7107b8eabe66eaa1f932360559a2db2c
SHA512915eb9d974533b9e3d3ef9a714bbfe69d6bdbff62fe24eb669313da8d582d44d3e137d1f50ebeb79e30898426d27867ad5492584329f706efec40b97bba60954
-
Filesize
12KB
MD5d5122dd2d3b354eb23bd0ea4fdecd31e
SHA1559ab29e59c3bfb234636d2984d08fb0d3b91fdf
SHA2569c8dd946a65cbbb4603a0d6000fae67d3252bf21d0a134d5edbb98e26cd55496
SHA512dad45a00b572c0fe6b64d5944a941c92a5ab250213e3f10db949d1fa7fb8bd1271fb080589fd2ae1476138078c3794955b24d49f23a6292397be92e0e89c5a98
-
Filesize
12KB
MD5c85a424c3c026d6e81aa0ac020290320
SHA1d3becbd4a3eac51bd7c035ac7ebd343d523afc9b
SHA2560608c918787bf05d0b9ca3a8509bd5d1cca3309bc3e0f9ef576a128ed80e46e4
SHA51287d1133aaf0a09b7982cbc69a930e95d290c8bacf6163b859c8de9478b8f55c1915a85915a4cd0b14bc3981b51a17412cb983e68e6a8e1b0d2cb7c8b32b646dc
-
Filesize
12KB
MD5eee8f5816c4bb6164477ed304349537e
SHA1ceb93fce32355204d57dde58c2d137ce64981013
SHA256a4586745d93a3f2bf2588f2cc95c4d2ee01a94eb05b968a9edf8290d0cdc72d1
SHA51287c325e070983adb4d9b5c01674295d35576f2885032f4ac5a5193346098f896c1f8ed8672dd54d37de16a3d6c15ca103c76b9770724be611801b706df3da2dc
-
Filesize
13.8MB
MD5f2cc0522771b61ffac078a82d8d37cbd
SHA135690c8a870b8ca103b58374b30a1201de094b7b
SHA2563f0dd953267d3e5b4fbaeecc043bafa852ab3da926b5a2fc750779dd4573b520
SHA512717f027d9068d5e4790e8d888df40740a7308ddeef4fe3b1f45051a71bd443e64b4dc6c29a371b4db4e0f8666d9a71cb8e83adb2511dde8afdc7f2f2384ba1ba
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
7KB
MD5473ce3b9019b68385af2132cd9bc0daa
SHA1c8cc589ab996adf20c72a02c4bc6ff5cda3307c9
SHA256b39f96d82fd1bd466e9d4ff9f9dda39a6c11cc606e4dc877f4d067460e0ccf6b
SHA5129b3b0a55ce81f224fc832870e33072ba5a0679bdca12d7c8e238537138e29811193cef9bebe0d256cd5a90f091f47863963de3de3182ede455fcf5a48770631c
-
Filesize
7KB
MD5ce82b329fb4b1c526ef22ab24150ebce
SHA15f1b8e730cce9e35b106425d491f987030bd008f
SHA256ee5fb60808d874537425a76edaae5c8fef0757b2b53ad2ce26a11defa92784b4
SHA512eb3c46928024a741af7e7069d20a50be94a5cf481a2dc24423b3eee4bb55f4c95bcf81b2ce8dddb712a96a6fbe2b86f6f86a83ef726fc311940951d36d4fa543
-
Filesize
4KB
MD5f4f9ce050a61f4a2486101faa033f07c
SHA1a6c8434b59ac11f2eb289be88c85f6ad3773d0f4
SHA25637d54dcc80325608619a207804cc430e509443d1398e86917bbc773892c3ae6a
SHA5129f692123f6dadbe034646eaa069ccf39b8b69454ad59f8db912a45fa7006a5253b950a84358d7374783723b9db34869e574af8084cc454c9125672d8f0689882
-
Filesize
3KB
MD5710c000bf9c6758dd5ac5c747549339e
SHA1fd7399fad3ed5991a98f25aac385405f389de55e
SHA256a240eb3223e7712e08b61817a72de78b74fe93d62406381796ade2586495ae0d
SHA512d3bc52da69f2b5427ce0927fe7730b748ae693f1bc716fe6adf562fc53831c6e094876d69cdb38ac047964348f6ede75ade0c4e993b95752daf4eb8e9b213323
-
Filesize
5KB
MD53cb6719ed6e7837ce6440f12d255169b
SHA1300e98f6afb92b3999f193101c48e21036b23124
SHA256be7c31e610bd1eeb80d5585cdc90bc3e40251d72bd75afea995444fcaab4a778
SHA51278df38595cc5c630c72248bff1c9aa026d845b58a299860285061b27e730f1db59a34ed48fec6b2525f32a47ee9911ab45f61f111bb9984cc9eed769a86244b9
-
Filesize
4KB
MD58bc6c1e269d73abc3a021dbafb61793c
SHA1d947eae72f3be65f3e766ac654d6fd1051584a80
SHA25691d761633cd1d66a54b67cb99e6014ed5812edcef039a14e39539a58ca2651b8
SHA5124b58bb4121ff95aa3a2c797f1e9f7577dd31cd1507585cbf5a8e7c606b6f7ff817a4a6c831dc7aa1329a4adae263954015f601d68c4b7f69236ffa40e38d3377
-
Filesize
118KB
MD54d20a950a3571d11236482754b4a8e76
SHA1e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA5128b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2
-
Filesize
1.8MB
-
Filesize
1.8MB
