Analysis
-
max time kernel
171s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
09-10-2023 16:51
General
-
Target
https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/
Malware Config
Signatures
-
ReflectiveGnome
ReflectiveGnome is a loader used for FlawedGrace RAT.
-
ReflectiveGnome Downloader 2 IoCs
Detects ReflectiveGnome x64 downloader in memory.
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 52 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bazaar.abuse.ch/download/b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0/2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.0.1588207249\1121371723" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e190ebfb-b880-4ae5-9610-79f1431fb14c} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 1948 21ebd0dd558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.1.678634490\659741621" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {149d4bb2-5012-4caa-b984-99de5c0c4491} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 2368 21eb0678858 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.2.511251610\793363579" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3004 -prefsLen 21779 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39fb5b19-a7bf-4bb9-b22d-944c56ceaf38} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 3164 21ec0bf2a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.3.1000565744\510163874" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3c6830-f429-4797-8930-429a0b520622} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 3592 21ebf749158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.4.615216878\1448787824" -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75a56d0d-53ec-4cec-88ac-6bfe730da294} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5160 21ec3b9d358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.5.109226242\1458712908" -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5384 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a27a555-3656-4eb7-aaa0-9bd88b42685f} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 4496 21ec4350f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.6.1315184390\1033707868" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cc800d6-0a65-4537-8450-8f5cd9a38d7f} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5576 21ec4351558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1164.7.235218059\1722771920" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5676 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18d6d161-0326-44bc-82b6-efe52c0705a3} 1164 "\\.\pipe\gecko-crash-server-pipe.1164" 5356 21ec438a858 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0\" -spe -an -ai#7zMap29164:190:7zEvent148611⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe"C:\Users\Admin\Desktop\b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5e5a9c96c2af8244d5a4c75a2b54549e6
SHA19d8ba1f659a6412aa591395c4ddfec2b5363890a
SHA25611ce3e042068b3bc453a873e8fbcf3fab861d56a24e4b50c74c3da94e5373701
SHA51243574600883d7aa31ff458fc157ae9e1ed80dbcca23d86024331684ba9e80c1e9fb9725f6bd1c2dd8bd2961da039ef3d0c10129447f5533da86c3fe55ff1a0bf
-
Filesize
22KB
MD5730d1646b987f87f5b283b972eee9fa3
SHA148115fc2a8b4eae341cebd7daaddd803b8968e10
SHA256d9edd9ec08b1bdb71679c17aa778d57543f492dce9dd1a73a1875761a263407b
SHA512cadeac983615fd886aac9ae2b762242b9ad505554b48afdf3a56d901a20ffc209b05fc11023f3ae66e5ab7690a83a6bc4886de01283f56b07406eacf0716452f
-
Filesize
6KB
MD5573b3c42acf6431c62aed7012facb2f7
SHA1b3d4cdb3bbfd8769ecae48b53a7ccc99cfb33898
SHA256e5e542cf0857be004141d49fd8c704c9c175a85090f01c6f76bf23366b3946dc
SHA5121d9e6f568494503c304f51e696c4e4460c864560f43709b59757f045f34d1c3765767490d982df463b876f697afa2db5e711cb536cf439f4e22f9b5fa031306d
-
Filesize
6KB
MD50f4b067822a904644e2ec4bc2b9be93a
SHA1851353ea893fad8692b69db50ca16e8188aab6bb
SHA2562337ffb69cc13ecdaaf38d8dd98094c6fcb7ddcb88477bd1aaf27aa46cd2e605
SHA5123b9d5a057952a88f45a40a9730265ddc078c60b575e1eac45601a4e40dc2ebf6f6233ac5583919ca0ec919893a272782f8319544282ef20a15eb50e600cbdae4
-
Filesize
3KB
MD501170ebfc6c45e7b0321543c21c45f22
SHA1afce79ff5604439bfbf32e841554845ee13e3fad
SHA256c71e59def08c97483902d55fd729e73ee19d2c71d954324e2df4699d7fee74aa
SHA5121be8e3c5dd0a97623b7fec7a3843507268a07279d6dbe7e206a4b6b949d5bf7fc0045478a99f61b3b63d23d71c1594d6e130fc1a1d1fc4bc8bde8e3a2e0e84f8
-
Filesize
3KB
MD5a6bf4e941dbb2f80e1f8ee59c5c8bf88
SHA19ba33067ee6c867f838082d2ed90e28af168e8b7
SHA2560b26f421efa8945057f402018166bd890dc7ceb2723fa7f29fb8d43b1fd7d81a
SHA51233a15130a99a04bdf321aa5fb1520ce15f5682fc19a105e6b2656430177ea85b607bd29f6294f6a80edd4d93243f386f2ff51cc14c89dcea88c9b3cf6dc458f2
-
Filesize
5KB
MD525039dc6e6d5e262b059005fe2bd0895
SHA1521a9668dbcd2a7b4a9b41797d748c92ecb642f5
SHA256b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0
SHA51245b86dbd5a861f700959d4ee43f2ded80ef4546c15f7ee65b9d72f625424b7eb388fc0e34b5254edd352c28b07e3d9198a123a9ed16dd0fac13cd218e9c70126
-
Filesize
5KB
MD525039dc6e6d5e262b059005fe2bd0895
SHA1521a9668dbcd2a7b4a9b41797d748c92ecb642f5
SHA256b568614fe33d732014980f0bb083e9abf45641f2dc230571eb3d63d6bc7f10b0
SHA51245b86dbd5a861f700959d4ee43f2ded80ef4546c15f7ee65b9d72f625424b7eb388fc0e34b5254edd352c28b07e3d9198a123a9ed16dd0fac13cd218e9c70126
-
Filesize
2KB
MD5e6c719001c296ee2a56d43dd21817c07
SHA1cc1bc533286c6b9bf8f3871d32aa7c49abf8f8a8
SHA256061bb43d45c2357a7afdc33cac945d06bd73d008691b66395367592be1cc6047
SHA512535be141d0bbf7174f7177ffb6fe48ceba3245765f056327dbb46ca97b6b844340602a5a4db9dd41de05ff31bbdde4ef0f579ca13097cdce5c2e712523e1aca4
-
Filesize
2KB
MD5e6c719001c296ee2a56d43dd21817c07
SHA1cc1bc533286c6b9bf8f3871d32aa7c49abf8f8a8
SHA256061bb43d45c2357a7afdc33cac945d06bd73d008691b66395367592be1cc6047
SHA512535be141d0bbf7174f7177ffb6fe48ceba3245765f056327dbb46ca97b6b844340602a5a4db9dd41de05ff31bbdde4ef0f579ca13097cdce5c2e712523e1aca4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB