Analysis
-
max time kernel
66s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
17-09-2023 13:23
General
-
Target
https://github.com/sorayuki/obs-multi-rtmp/releases/
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/sorayuki/obs-multi-rtmp/releases/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/sorayuki/obs-multi-rtmp/releases/2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.0.1179696434\215372193" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc789632-c4e3-4b38-b3d4-3719169d70e1} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 1980 1e2e99f4e58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.1.136377925\1135888194" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f56a41a2-775a-43b5-8c19-8ac185ab195a} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 2400 1e2e990bd58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.2.2051848482\1605160684" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 21714 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcfc6a77-83d5-4ad0-942c-c6fc7d3fd57f} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 3108 1e2edbd1058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.3.1840406570\29172547" -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {180a80cb-70f3-4cd8-b122-fad3cba9fffe} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 3968 1e2dd062058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.4.1674989592\623304788" -childID 3 -isForBrowser -prefsHandle 4440 -prefMapHandle 2744 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c35ae198-998c-4f12-a5c4-b0b62443ae78} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 4364 1e2efec8e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.6.1392459570\1852692891" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bf5e617-d503-4d61-bbbe-5665a5284f8a} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 5236 1e2efec6458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.5.247665299\1970905999" -childID 4 -isForBrowser -prefsHandle 4512 -prefMapHandle 4896 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7358a9b-88ec-4059-896b-116adfce0292} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 4968 1e2f0126358 tab3⤵
-
-
C:\Users\Admin\Downloads\obs-multi-rtmp-0.5.0.1-windows-x64-Installer.exe"C:\Users\Admin\Downloads\obs-multi-rtmp-0.5.0.1-windows-x64-Installer.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD525bbeef606f113026008d6a71a6dbae9
SHA186204158bdcb4fd9d04e0f97d230dbe66f97ecbb
SHA256a6902e66e5bdc6992292b6fe8e5bb7e7ab4011b47c248dd067b04460f38f0386
SHA512df39cb8451f44c4062fcda1d0e3587b244a94d2bbb12be81bd7085ae561e26a84409ccbac163fec66e40a3ee4656e682d965fb2739345e8fd9152c4a51d42b11
-
Filesize
6KB
MD5af701ab4d39f5f9dc5c73f6f0116bda9
SHA192036c176770272f76ebfd3a7fe4492e16a6cb84
SHA2568db58e6da208b97b0e0bdb0fa1b625100ef09a47016939627a8c6e65ccdf0b99
SHA512857e5576e14f2727b774f2afc6819cd0b5a5f1524987d517c08db51962b6dd796d2c40561ff91f6f8488a2bfb3dcf92883967b2fe7743fbbfaf1a7621d3989d1
-
Filesize
6KB
MD59b064e7cec5727d782a2f469b851d9e3
SHA1b8ad039aff622ea267a218b0f39bbf25ada67a8b
SHA2563f2770318d48600784059328d9ef1fe5197661048060169c6e27a09b1d16a952
SHA512e9501a6f2dbd2f03f7a8cccc9e4dc3bd2bd2cfa5ae6beb576e215c4bc4dcddc868b30ab34cf52e0013631572b8af10c9026d912230868c8d5f47edf5b9575ad4
-
Filesize
6KB
MD5d0b961f1c07d48febcdbe5cb480ed599
SHA1f452b4ef0ec194abc7fbfca642cadbb4345a8caa
SHA25621d429e5da56382608caf0174ccd3f13d8e37ae1f6f03986b8c72036f45fda5f
SHA512b3b4e286582b48b0f4fc75d5aba01a0afadf3a973781c4cf4b748d771029e563fccc6c86e0874b40fa5d523142099e32b4072babd8a450cfb6b04f2840f17fc5
-
Filesize
6KB
MD5036df6f37f6629f841d85b12c20c44a1
SHA1c850bd3753b1d1bc1bed8a69992a640773e1896a
SHA25630d094e635c9b96899a86ea5769c75faed62c7d41797296c91d1aebfba637a82
SHA512ef50997a61f676065677f0b5383e3ca0a924b0cbe17b568fe567eb3545cbb15046cb109034d5c20bc9f9fabca62dad45bce44666f69dd379927d4e629e742919
-
Filesize
6KB
MD54125e247733c93252c19ff1ba3478d78
SHA1cd09e923c88c9c98ef3c2fabfc354b782c1f9572
SHA2568dc3b325059cbd993b34dcba09d60713d6d07817d1cf0b3d5506ba0c4357005b
SHA512a603c183132f50b6dd20ce6a2a23913ad4c39916d210b29c7e62da39b8b7df17755ee47aca966a5e6153acf844783d8d1a6a475d2e788e84452b9fd6cecce62f
-
Filesize
3KB
MD5130370f9827f01bfea5e883124e56856
SHA10246973aa53dbbeb6a65ecf7fd8e24a953a4c126
SHA256aa5a45bfbb1f73eb33656027113e617b838ed5e7e33410e5f52deca1374f5cf3
SHA512b7fbd98cc1ff2d51f8f9bb360775986c5a82db47db4eb99d621c070146c5355d5d7897ae19ea0f67ad8c78482e1d0775f3f031cae469519dc6375e6b6be4dc81
-
Filesize
3KB
MD5c479df249c0b101175b75285acf6b9bc
SHA1db1286d66415eb2fa3f0ab5571cea04408354acf
SHA2563b4fc5f49d449452a235499adf55e6e7ae562816df52a108c2658b5549918401
SHA5121b7d36acd9d84305528a060663d569b570b2fbe299b7d644aabaec375fff3c4c3da6ba8b4c9a3dbd58217e7884e79c1fa70ba6cb250ec5f29ac84c9e322a4aef
-
Filesize
2KB
MD5fca2bd4ed88e99d4eff5bb65d4efa1a4
SHA13790f326e57320ef568fdd37b3853ce00c839c49
SHA256d078ce7201bf7c8a6d0442ce340761589b1f27f824ecdffffd79f6842499427f
SHA51211390f3214645df25bba3a3f86970e8d458fc90472bce239e97cfae3bfe61002a627d64c90684f417ec468e9533f587cdc19a5cefc483321940814aa7085f613
-
Filesize
1.1MB
MD5014adb355818bd01e78ff7cb69a45a7a
SHA1a60d47172c3d79bb304c983694d7898e61518648
SHA256877de4f7acda5262f29277492e9bc1269173c5f6a764e141bca7b50cf1a51c1f
SHA5126aca0062269b836342e4dbabd486c83aa6b1c4d714b05ff0a50149d7064f48cf90e8c4ccc98dbfc24e081acb07f3ed9b4618921834200fe8c7518109a0a7951c
-
Filesize
1.1MB
MD5014adb355818bd01e78ff7cb69a45a7a
SHA1a60d47172c3d79bb304c983694d7898e61518648
SHA256877de4f7acda5262f29277492e9bc1269173c5f6a764e141bca7b50cf1a51c1f
SHA5126aca0062269b836342e4dbabd486c83aa6b1c4d714b05ff0a50149d7064f48cf90e8c4ccc98dbfc24e081acb07f3ed9b4618921834200fe8c7518109a0a7951c
-
Filesize
1.8MB
MD582515ff9874d6b26287cd59d9c8f0a06
SHA1e2da13e32742c1ba783da7e895477b11ad9e3b07
SHA256f2529cd2895a942452b6e161e05411051aafba0acd53840936139a824dd1f524
SHA5125c02b784040a1efb8ee72387729975bcd20cf71f03ea7dccfbd3ed102e81a6443ea2ded4883bef024949f397522598cbb4cb40a39ad0265a341b5f2674111af3
-
Filesize
1.1MB
MD5014adb355818bd01e78ff7cb69a45a7a
SHA1a60d47172c3d79bb304c983694d7898e61518648
SHA256877de4f7acda5262f29277492e9bc1269173c5f6a764e141bca7b50cf1a51c1f
SHA5126aca0062269b836342e4dbabd486c83aa6b1c4d714b05ff0a50149d7064f48cf90e8c4ccc98dbfc24e081acb07f3ed9b4618921834200fe8c7518109a0a7951c