Overview

overview

6

Static

static

1

URLScan

urlscan

https://github.com/E...

windows10-2004-x64

6

Analysis

  • max time kernel
    73s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2023 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Endermanch/MalwareDatabase/tree/master

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Endermanch/MalwareDatabase/tree/master"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Endermanch/MalwareDatabase/tree/master
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.0.21172791\675526528" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1888 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cada7255-0910-46dc-8774-f781e589b626} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 1996 178d70c7758 gpu
        3⤵
          PID:4276
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.1.658987672\1653896086" -parentBuildID 20221007134813 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d7b1bae-fea3-4258-8880-8f15584a84a1} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 2420 178d6ae6858 socket
          3⤵
            PID:4476
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.2.220867973\824804473" -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3188 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dd1496b-0a1e-49cd-bade-1dd08b846c11} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 3204 178da8fb858 tab
            3⤵
              PID:1224
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.3.337070414\998157166" -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1bf6dde-f109-4166-8e9d-351ebe6de3d9} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 3960 178dbdaf358 tab
              3⤵
                PID:1016
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.5.1814198805\1335247132" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8561887d-524b-43db-9258-ba3dd787cad8} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 5296 178de050458 tab
                3⤵
                  PID:2488
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.6.544211846\588640996" -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5500 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bffc4ff-3f44-4903-8aa0-ffa5f6dd2479} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 5512 178de052258 tab
                  3⤵
                    PID:2512
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4964.4.383115329\1222528459" -childID 3 -isForBrowser -prefsHandle 5052 -prefMapHandle 4160 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1864c2b-ff61-4781-9efa-b02c3e0d076b} 4964 "\\.\pipe\gecko-crash-server-pipe.4964" 5060 178de050158 tab
                    3⤵
                      PID:1516
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:328
                  • C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]
                    "C:\Users\Admin\AppData\Local\Temp\Temp1_FakeWindowsUpdate.zip\[email protected]"
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4328

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x00o19f5.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    22KB

                    MD5

                    d2353dcc10ad433b442fa3e2e402d4b2

                    SHA1

                    4c4e85dff6c663a8b98c9d2fd61bcb30880f141b

                    SHA256

                    9a436e8ed4ff154bfb5511bec4dfea9156860ad64f5e246705b32d8106bff9e9

                    SHA512

                    a6fb33aaa1bda58c59936fecdfb324d448422c88a73585be2b7529f655be08da18db8dcd512a179a34f33e0310e4060e4313fda8777446b24264b9abbb9335f9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x00o19f5.default-release\cache2\doomed\28355
                    Filesize

                    12KB

                    MD5

                    6d437abbf9b23273d99a960efd26c378

                    SHA1

                    f15ae430260cbd3c0072cf7ddba5268915b7199d

                    SHA256

                    80a34445240d0c3398edbb26a2dad3f0186de23a62bc64e0e9cc4cac480a815e

                    SHA512

                    5cce218de07975cb025c7875831ef90df4cfd5d1489cd98d7d2bb56395354cc3ddd753c471edea049c6daaf548dc0e125a8059d6bec6dd299a2d0d2b7408ecee

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    1003a212deb65a841179ce5a0360c82a

                    SHA1

                    3a2d915f08f09b151e252ef0c0a3993d6460acf2

                    SHA256

                    aa768669cac1c9144e86628d5c3c7c6dc584ca9839ba1ba75ffb3871e5064c36

                    SHA512

                    240ae2dbea3fdfc1e9fefe6255325ddd072c714c1db65cec9f633daa6b0eaca2831a1f8c01c6d4a885a36b0d737b65a292cbaa10f98304c70ac30fb55a2591c9

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    ddf8f0606e1e68492261e21c0558f123

                    SHA1

                    018de0bb536102c3ea1f0e388990879418cc3c38

                    SHA256

                    f21b2d6374484f587c9a49563b581a410b5950ec9f70f4112fdabd38fe01d7ad

                    SHA512

                    27e25710615922681318c4fc2a10e5bd7c58dc33f5e5f2499afbd7970a6fddac7840890179eee62da588f16f58d7d2eba88fce7697cc6d771e5f93687bdabac6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs.js
                    Filesize

                    7KB

                    MD5

                    509cc6d36b9c3db1a8c20e974d7988d4

                    SHA1

                    a60b531c0cd78313f3a2cb04fd976629e9648ea5

                    SHA256

                    4eecd4e157023042c1e17e0e2da9497fa61798707826a13881e4e5df58b9ec68

                    SHA512

                    db28d71afc326a5b7a231d2ebd6297f14613aa38952f66b38fe60d35053e6ba477ef0092badb1d667e9ac42788579e14cdc1c8b5bd54540d679918c3dc86fcad

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    c6c21bd384c221a3f9beef6c2062877c

                    SHA1

                    53dffa277311a7be158068be961733978f3cfb5d

                    SHA256

                    3242851a11a9fd6eb5ca69d46de415e13069b5723964f4868e5fb6f09f3c2240

                    SHA512

                    32aa73626b41c1cd0811935aea02eec6a5ec74f4595cef2da83e2a3bc6093a37b2f44b25ac612a64b16086c81612df71c6c0113ce749419a9529fab7bbc8e496

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    7a86888e001f2711b19442f7a9cad937

                    SHA1

                    54e017cd1b02896a0fb07bd45bf6f0d0f8b5bb78

                    SHA256

                    c152f109be90db5498b5e89b7514fc10eee22d21a773c32e5829fc4420e99b1b

                    SHA512

                    133de2293035243140e606a97685cdabf47e05273747c75c0da2cedd4022523ec6c9170f4a0b8ccaddce8ec49d810a52601d64c40eaf8ffa295db0e9ac60d012

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    74ef95fbce321eeb86d7659db6e5e158

                    SHA1

                    a63d81f923e421465b6946629fc159cf205e0c1f

                    SHA256

                    5397341eb9c75f7290745f4c93b668e877885ba7fbfc54a0fd284c2ea01a372c

                    SHA512

                    a0459e86e4cbeb161373f6abeabfefad2a485acc27776636eb46c815c4055da8cf135db72f6c902852b00a22b15b804a18714c1095cc50077ea6aca260827632

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    3142ef66c140a5115f12c9bb42f4e2df

                    SHA1

                    5458cc839492521727920de21a13ca5797c7c146

                    SHA256

                    df197e8b1c987ebe1bc9891191830e5974c822b7a01cbc29374b57ab502c2870

                    SHA512

                    2c4d3b1ce467b0782b4cfa9cc04f7bbd6a026b5d6ec94f18a76ae25c75e6002db775dd71cfa5609e0041f9bdfc570662310db80f1b4d5cf086f1ea130715bb4f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    5644be0b0b4793c16a7db5697ab2743c

                    SHA1

                    a956c9c407f3218d50f124888a958568d8c05c70

                    SHA256

                    88dd0555e2ac69583e49a78da6603a67656ac174303df6897cb11dbdd8168058

                    SHA512

                    ce90a084b36823d4cc771563d5db277f26f0bff1c5094aebd44e67a447dcd07d62e276ebc46f7bc63938a7db5f7c97bbe66f66d4bfae4386ec117f3dd06f849c

                    Download Submit

                  • C:\Users\Admin\Downloads\VAnVaJo-.zip.part
                    Filesize

                    604KB

                    MD5

                    9e94a2a8c092b611420f8bfdbac7beb8

                    SHA1

                    38e21ee8cfa81fd26dabfb0923b108b54db6f409

                    SHA256

                    8f8f4fba17fdb1538ddff73763cf6bac274f2dd1fd53c4656d45f496ce690f12

                    SHA512

                    dc550716d82bbd3f44ad25f67d8d894d94e5cc1e15c996c9a6e3d9fe5fa9acfe5d2b9134736d72c4e2a72434298e6419987319242776e7bd68e0a87783c0fef4

                    Download Submit

                  • memory/4328-299-0x0000000000530000-0x00000000005EC000-memory.dmp

                    Filesize

                    752KB

                    Download

                  • memory/4328-301-0x0000000004FC0000-0x0000000005052000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/4328-302-0x00000000051F0000-0x0000000005200000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4328-303-0x0000000005090000-0x000000000509A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4328-308-0x00000000051F0000-0x0000000005200000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4328-300-0x00000000054D0000-0x0000000005A74000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/4328-324-0x0000000074590000-0x0000000074D40000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/4328-298-0x0000000074590000-0x0000000074D40000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/4328-333-0x00000000051F0000-0x0000000005200000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4328-335-0x00000000051F0000-0x0000000005200000-memory.dmp

                    Filesize

                    64KB

                    Download