stealc | hxxps://bazaar[.]abuse[.]ch/download/a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76/

Analysis

max time kernel
445s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76/

Score

10^/10

stealc stealer

Malware Config

Extracted

Family

stealc

http://aidandylan.top

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe

Executes dropped EXE 2 IoCs

pid	Process
4496	a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe
4856	2497852956.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	4496	WerFault.exe	129

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5680	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308064410bfad901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31062539"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b03000000000200000000001066000000010000200000008738f370f1f8198a88a12a955c957696e64a437c8517efdfc050a750dc51c50e000000000e800000000200002000000049ce0aa16e78c6b83d099ef9cc7cff98873a94dee8a6e0384b9bdcbb09b7ab1320000000209b5e1a274c1461760399b769aaeaa4703b78970ae50072d09ac1f962c2cabd400000006e0d1242978860de379198c205a2202ce62705b9d874925636c461a90efebff14e8c238f04012276687a2761fa970c16f77155a6cade7eedc1314aaf57920a72	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b03000000000200000000001066000000010000200000003f1c3719a7670954b8e9836f6b2093971763b6462595ad1f882e7bc4b0d303fe000000000e8000000002000020000000168c4babdbc1d6a504d2cf27df5d53cf9a1e862cc615368a6c570fb621967ed020000000cddac1f23a063de97ee1ee44b0fec47f1fd68a9bacd63890f788b2bdf7bce1d140000000aff62fc12fca957eb2473fb40afb7315286308a04f01b4a16be36feaf761d1da03946576d8e3589424d6e9a0bb1f586f9fd0afd67d48b030323a59135cc147fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31062539"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b24c410bfad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1009765636"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1009765636"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{675141C5-65FE-11EE-B0C5-C68ECCB5A471} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
744	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2824	msinfo32.exe
744	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	firefox.exe
Token: SeDebugPrivilege	2080	firefox.exe
Token: SeDebugPrivilege	2080	firefox.exe
Token: SeRestorePrivilege	5600	7zG.exe
Token: 35	5600	7zG.exe
Token: SeSecurityPrivilege	5600	7zG.exe
Token: SeSecurityPrivilege	5600	7zG.exe
Token: SeDebugPrivilege	5680	taskkill.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
5600	7zG.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
5764	iexplore.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe
744	vlc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
744	vlc.exe
5764	iexplore.exe
5764	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 1320 wrote to memory of 2080	1320	firefox.exe	39
PID 2080 wrote to memory of 4268	2080	firefox.exe	86
PID 2080 wrote to memory of 4268	2080	firefox.exe	86
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4036	2080	firefox.exe	88
PID 2080 wrote to memory of 4676	2080	firefox.exe	89
PID 2080 wrote to memory of 4676	2080	firefox.exe	89
PID 2080 wrote to memory of 4676	2080	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76/"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.878094746\1022960239" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d049c833-a10c-48f5-84c8-02cb40b460f0} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1980 1e1431d9158 gpu
    3⤵
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.1.970045341\1267500266" -parentBuildID 20221007134813 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581da64d-2d78-406e-a3ad-5e5da6883765} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2420 1e142943d58 socket
    3⤵
    - Checks processor information in registry
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.2.663667682\2052385669" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2896 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d82013-7a4b-4529-9b1d-a25435d778a8} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3184 1e146be8a58 tab
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.3.1397446547\534324382" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ebee35d-ba68-48bb-80f4-b868cea51114} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3616 1e147e82258 tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.5.373044195\312080590" -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54a4690-0fec-4f5d-adea-7c4476ec9b7d} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 5308 1e149e3a258 tab
    3⤵
    PID:2892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.6.1845276400\833446413" -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6605b025-0825-470b-bbfd-4ecd90724d27} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 5588 1e149e3c058 tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.4.168005453\1856779641" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5060 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc764bb0-1da1-4e64-a051-1a0235f99a63} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 5188 1e14a033858 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.7.1112583226\274327253" -childID 6 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22074c34-e139-48f0-812f-e550ce6df867} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 5776 1e149e3cc58 tab
    3⤵
    PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap23623:190:7zEvent7938
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5600

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\StopRepair.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:2824

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RenameJoin.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5764 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

C:\Users\Admin\Desktop\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe
"C:\Users\Admin\Desktop\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2497852956.exe"
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\2497852956.exe
    "C:\Users\Admin\AppData\Local\Temp\2497852956.exe"
    3⤵
    - Executes dropped EXE
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe" /f & erase "C:\Users\Admin\Desktop\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe" & exit
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 748
  2⤵
  - Program crash
  PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4496 -ip 4496
1⤵
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ob75hbeb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
96ae5e3b04def3f044d7830fcea6467e

SHA1
6aff9a43d37fdbfdcd1f7a4c864bba8636f50a44

SHA256
41d9853653a8dd1a62a295d92e4493dea307ca3a6324ba33743447ea2adb0dcf

SHA512
842ba113998ca249e36e99be0e4c0137745c335606d7e4e55140a5b932514029d7ec6cdbe9f25633b9b93f5c0bcc4b77229b3e5901e3d541b51f07bfed749c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2497852956.exe

Filesize
277KB

MD5
9e83f05f8785873ea82dbb4d94abeba6

SHA1
838d3b9c8f94e40059ca0254506e3affbf2ac5f8

SHA256
af4782d38d1bfc3ebb1ca8ae69885076cc1129a7dd2eaa1822756681a2af1c17

SHA512
03d226308bcc475e6940fcd28484674811c809d728ea5e06571742485470bee7609bf8210eecc2c34b51bd740ca32c97e316047440526f0faa94fb9b217b5ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2497852956.exe

Filesize
277KB

MD5
9e83f05f8785873ea82dbb4d94abeba6

SHA1
838d3b9c8f94e40059ca0254506e3affbf2ac5f8

SHA256
af4782d38d1bfc3ebb1ca8ae69885076cc1129a7dd2eaa1822756681a2af1c17

SHA512
03d226308bcc475e6940fcd28484674811c809d728ea5e06571742485470bee7609bf8210eecc2c34b51bd740ca32c97e316047440526f0faa94fb9b217b5ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\prefs-1.js

Filesize
7KB

MD5
34db4c9906dfae17d88c7017e661235d

SHA1
2543ec11f60f1bbd9079157f41f04ec1c58721e0

SHA256
6136329ebbb15db6ec8b8ad68f730071390ed80ca851bba6a22056d3092ad47f

SHA512
5fd04af17a433fd173e533039c58384b6914262a4ae8ae0a23852296fd1741ff430619ef3f77b0d6d2622af8717e7e22dd1277e8e7936fe1325e95491050a49f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\prefs-1.js

Filesize
6KB

MD5
2ecdd57708468a3f177666dee30074b9

SHA1
24afc5968801489f11e3cf3885da7991765fa99e

SHA256
c5614d2fe7b12e8348ffc9f88178f541575a17eda79de09057b2cd488974b000

SHA512
0a14f8aae8f48193f93ea44675bea7f92f9b59889befeea8940bdf1ea8651ce1c980f03f848cdfb803c99be79573bd66f9a485180a7d1c7c57f94f3e76c20520

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\prefs-1.js

Filesize
7KB

MD5
1a3a35346954c63e6f24ff4b87aa1c20

SHA1
ebdcdcd2d7c2d976edda4bc7b7947d847c467cb3

SHA256
c8590aa32021998bcf2b8854d3b31b82899f8046eaa122c69c61d57beda5aa37

SHA512
8cc185d62f221ae67c8000cca5ef234e582a2f9a310dfbef6ab9417217d189cf516d93a97f7a6cffc1b14041815280e794168be2a2462b83cfbe07697ca1bbbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
7665cff8a1ab7b77dc92ea55b1fa87c5

SHA1
d3af0123cc17a5e74ddc25ad06a72f63c2935878

SHA256
3bebb83266191cfd151188f9a51c4e73fb9e508061265f18f3f24a232051044e

SHA512
e9a7e54cf1c7658cdc3750c3d8dae948f658a08b913c39c818bec1c62f7d4c1d9c007486cef3ce24b5df94466c4b972bed928e0719197f9908cc9c98c916cd72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
c906623672f7fe0e1c4a571fd15a861e

SHA1
0921c633382b7df1ad7e8e4a72ca1f1b87ee8933

SHA256
99469fea6b2cd28f3764b8b5bddb811538fdd89a4774b2de98f8e45fdbcca0ab

SHA512
c32b2cfb04245242058d0cb42c590f1f4552fc2e2af5fb4b06bf1dcc8a6666d68d32a23311145f714966f1299473c0a631b148f72020ce5c3c79df04f5029fdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
77cc4747a0262fa636fd47cfea19f5cf

SHA1
b94c8fe9014c9c7a23ecedb7b11f160aef1d44e9

SHA256
1dd57971b5218806aff50173e153f284c372494a3b0100efe66d23bf1776a179

SHA512
628b67239126667157e4ab6037dc3e9040dd358b3dde2f343ccf91e407dde42af2438d3fd6593d587d4935d43cc4a142e6afd9213fb39583a5976266e5ced8bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
c966428cfbaa52c9851b88cee05ddda5

SHA1
308351fa62dce3dc7b129c0bdba6fed33bccba6d

SHA256
bf4e6d6ec29674dd7d0688a92f6660d7fee2a922bcf728bcc6ef4f5713bc168a

SHA512
f62097f43e91f555a7da6aa3dcc42ae804f537a7858255654cea2429c64b37ac3b7b2ef07bf6b7f438e7c6aeda8dfb4d4805efdfa6d72063f92a6c4b7124b8e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
f42e6ce6a6c7798251ff3174703d86da

SHA1
0ee674fb8dc4bd25db6611bee13f1c80b79b1fea

SHA256
a2ff9160a7b88a4fb308c1d4c23a8314f63dc580faf2febef2ff17fe94cd7f51

SHA512
a2b6931f069ebea49ea2c1f1d45d8e355a931436d06bab3e2c5c2bd058fa9bb675588f2d44c251a4347981771e6aa515558124fac09888fddeb8a2912a1f6aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob75hbeb.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
7af8d0a61caec9e292e75de9a2442562

SHA1
1de70be2dc7e3ed1a171e34ac65fb9f75755a37a

SHA256
4c2a7480bf67bad4010638c8873c1d842947d2af8c298de4887abc0e9cc114ea

SHA512
fe5f0706c21d0fe2939f77d00de5077f8668cb96551f27f7bc85f9f8289cab1998902592331692c68f228f2fc62aac22597eadfe97d582702822687ce5e12e33

Download Submit
C:\Users\Admin\Desktop\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe

Filesize
357KB

MD5
304bd02b2e8e3a13c51b44667e69a894

SHA1
34782c16874728a9468a571083cb14e21d8dff6b

SHA256
a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76

SHA512
967442075b9decc38354c3199795c8bac0b5b5401762401e71dff5f883b1077cb5f49896da9acc3e740c90b63312eb1ce0f46c7b605628e9b04990f0abe8f6bf

Download Submit
C:\Users\Admin\Desktop\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.exe

Filesize
357KB

MD5
304bd02b2e8e3a13c51b44667e69a894

SHA1
34782c16874728a9468a571083cb14e21d8dff6b

SHA256
a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76

SHA512
967442075b9decc38354c3199795c8bac0b5b5401762401e71dff5f883b1077cb5f49896da9acc3e740c90b63312eb1ce0f46c7b605628e9b04990f0abe8f6bf

Download Submit
C:\Users\Admin\Downloads\NlcIsfgY.zip.part

Filesize
199KB

MD5
7a9fd5edf32d426e8027b519aa97d0cb

SHA1
b2600d59f9dea8165429ac643998b708fa392fd4

SHA256
982672c745d3c63b1f63a91c33abd29a0f897b64dccb1b2402ecaf1bff3e7e35

SHA512
a2f8cebfabc5723833a502fa0c42de9f83ab0c54f9454a3c6f0f69241b51f1e3a18f8d3545dd7f859ee91a5d3fbe485fbb45c8b9a6e343b41aa66ed7df972961

Download Submit
C:\Users\Admin\Downloads\a4f2367e3e2e9a8ce919fde4522d4a347e30fa7625ff391b082a5c830acb1a76.zip

Filesize
199KB

MD5
7a9fd5edf32d426e8027b519aa97d0cb

SHA1
b2600d59f9dea8165429ac643998b708fa392fd4

SHA256
982672c745d3c63b1f63a91c33abd29a0f897b64dccb1b2402ecaf1bff3e7e35

SHA512
a2f8cebfabc5723833a502fa0c42de9f83ab0c54f9454a3c6f0f69241b51f1e3a18f8d3545dd7f859ee91a5d3fbe485fbb45c8b9a6e343b41aa66ed7df972961

Download Submit
memory/744-324-0x00007FF8005F0000-0x00007FF800624000-memory.dmp

Filesize
208KB

Download
memory/744-331-0x00007FFFFC830000-0x00007FFFFC942000-memory.dmp

Filesize
1.1MB

Download
memory/744-328-0x00007FFFFA2E0000-0x00007FFFFB38B000-memory.dmp

Filesize
16.7MB

Download
memory/744-323-0x00007FF7488B0000-0x00007FF7489A8000-memory.dmp

Filesize
992KB

Download
memory/744-325-0x00007FFFFD030000-0x00007FFFFD2E4000-memory.dmp

Filesize
2.7MB

Download
memory/4496-347-0x0000000000400000-0x0000000002296000-memory.dmp

Filesize
30.6MB

Download
memory/4496-346-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/4496-344-0x0000000002500000-0x000000000253E000-memory.dmp

Filesize
248KB

Download
memory/4496-343-0x0000000000400000-0x0000000002296000-memory.dmp

Filesize
30.6MB

Download
memory/4496-342-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/4496-397-0x0000000000400000-0x0000000002296000-memory.dmp

Filesize
30.6MB

Download
memory/4856-394-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/4856-395-0x0000000000400000-0x0000000002282000-memory.dmp

Filesize
30.5MB

Download
memory/4856-396-0x00000000023B0000-0x00000000023CB000-memory.dmp

Filesize
108KB

Download
memory/4856-398-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/4856-399-0x0000000000400000-0x0000000002282000-memory.dmp

Filesize
30.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads