Analysis
-
max time kernel
155s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
10-10-2023 12:55
General
-
Target
DS4Windows.exe
-
Size
465KB
-
MD5
e04a76a4b5a4c802eb3c228909f60bbb
-
SHA1
5ebb77a556b04faceba7f89b9b4f13343298889a
-
SHA256
f81c1245f856b7764ef90626a708c684f6117f6e2125582b2c5de1d1218b634c
-
SHA512
bcfe476f8b01601dd7411e97b7895a340c65c720881cfbea5218f4a2aba8ab8757de19e8729edafbf8c711efe8ccf07a1f16bdf4034855fced43ce0a9bd97331
-
SSDEEP
3072:t8vbzyQ6Y1YXrbNK+3FNxacPEMk6VRQAaTWHAxE53PXJagcxjiitVqDRHFljXfuk:tszAXNK+3FVBRQ9TWgi3P5zMmh
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DS4Windows.exe"C:\Users\Admin\AppData\Local\Temp\DS4Windows.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\fontview.exe"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\AddUninstall.otf1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.0.1921177483\1630449065" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1848 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c3208df-6bee-49a8-b2b3-0a313fecea60} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 1980 1e66b7e5458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.1.416851285\969285353" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55712542-e3f1-4083-a6fc-2e8dc0e94d9c} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 2384 1e65ee6f558 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.2.2026953210\290898937" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e02471a1-f602-4a47-b792-199942ee8eaf} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 3320 1e66f7c6558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.3.1839935318\901382244" -childID 2 -isForBrowser -prefsHandle 1328 -prefMapHandle 2532 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f011b58-9133-4b6c-82de-9ef9c3527ae1} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 1012 1e670605758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.4.1049996629\856934127" -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 4476 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72e981f9-76ac-4ebf-b35f-26163d303535} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 4392 1e6715b1258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.5.2098516264\1933299653" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0e27a0-1e20-4ad3-a332-4ab78291f73a} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 5052 1e671dc1f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.7.657225166\1362560589" -childID 6 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3932b05b-2970-4195-9bf9-9efd2e8da554} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 5432 1e671dc1658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4408.6.1737597258\1416942061" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0501f70e-953e-4b41-b926-d6848676a344} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" 5152 1e671dc0a58 tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb779046f8,0x7ffb77904708,0x7ffb779047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,13492291383795898929,4136830526371601928,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD51222f8c867acd00b1fc43a44dacce158
SHA1586ba251caf62b5012a03db9ba3a70890fc5af01
SHA2561e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916
-
Filesize
840B
MD5eff965395148e415e072fe9f5fdc5f71
SHA13307496846d572fd3fb8346684be09228326d778
SHA25686a9b12bcd5a6c1be032c61d9d0477df52d136c398f7f7b90386b82263e111d4
SHA51230abc4f6ff16c36b7497f4abed76f84ff1cbcd9169034bad53c4b2c0f1f2f9a17a6bad98f27d8d7eb5c797b67b1fca7dee87d20cff928461881c8d313dc5b42f
-
Filesize
317B
MD53dc452e26ec96639f59eca64e487f175
SHA1b82675b6fb6fea962b0bdb99c09dcc0821fbefd9
SHA25634d960ff5ce97ac6ce5609307b0ae4b8618002008528c29d731e0506b132d39b
SHA512e212eaa94f1f28e1970b26313e0c8d7bf7c5711d16b3a708871812655940486d4d6d76f279b8ac041e47a94d7b5a369411d947ab6a2828b77e66682538c0a129
-
Filesize
6KB
MD51d6981610c9be976fc1987811c4c9923
SHA1c5b7b7446188c1a13e75e0613ce20e788a7edc71
SHA25683dca452f8c596fdd733445f3fb13c5f0260e44ee1b814f5894cab7e65b447c4
SHA5124c4ad3abca71cff40985eb1efa93962d34ebff11e118d26b76fd98ea2efc3eb3bb7ba09e8c5ccc048162784a6d0e21e9bbe84821ef5636947be9800deb0d7ae3
-
Filesize
5KB
MD56a975da0495f6ad5921dd2d7d0281283
SHA1fa9b199a36649fce6d4622e1e59dd15b64b289b1
SHA25629081299f60868db35bdf98181b352942aab68a23c942e76ef99ecef52f3021a
SHA5122f7d026f45b0305a61b15f7810c7cf176f4fa874e39618cd220b4fd2a174677f091d550b000b926e1057d16fe2aa7300a92c70e20ea7c675527e4209efd3ed01
-
Filesize
24KB
MD56588c5d8aaf00d97b9ef97850f2762cc
SHA16794a544fd51475bfff0a7714c9ba968cbd6af64
SHA2568d43f925685ec7ff2771dea2f2aaf06f829319498170d930bf838f67ee138d14
SHA5125ca702362b0908e07dec475b683ec0f69700186b1837b1a081191a2097c54b6ebe7f1e943afae27b87403129a9699f7c98cc4b6bb98c326b6aa788050b052488
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5163934395c428c1897aa50065d7aa6df
SHA1c5ad16eaf91b48526b4f88f23910adfd9223682f
SHA2566ee53bd9dedde38c37465c4750720597d9f1760098a660041108a847700023d0
SHA51272d0eca7852b9de94a9227fbc15f9e1bef972d6eded92ed5413edaf0aef77160d6307e6a1af4396d11820728a5fc8854d31642e8e6d66672252395409b295b65
-
Filesize
10KB
MD54b054dd2b030f5cc88a774ae0c8534cb
SHA1128d1db937662ab190bb1739721359c16b688fb4
SHA256c8f71f2ce7bdd93c800d67641854be98d27f2c2fd1d5bf3a45375153f5d67f7b
SHA5129ce4dc67bd8e44fc7007f708965f6ba72dcbf1b4a5f054adb8edf8a1c3ebd97e24b637ff514e812eccb9a603d6492deb5fc6976cbafc2530eed692bb3d2353be
-
Filesize
21KB
MD57a404e8c27047f69901645a3b31d2ed1
SHA17cc28b9e722142d2793cd1441557c1073aff7040
SHA2565d724e40e880886f4f3f7f0bfd8b488e651422ac4dd0558f3ce9a3c064cff6d1
SHA5124bb015e6c3fde0e964c3499af6e17529c03cecc13c7ce65d75b7c08354b4dfd23b19d63552eee712b97b7949dfb9b4739c5b28fedaf0d822fdea42376fcb4fda
-
Filesize
6KB
MD52a05793d094d8bd691b0f52e6e105abf
SHA1899cd82f88272e31121e4db9347b449f289e5b74
SHA256806255e32bcc68042c8a77298f5ff9663bd07573eb21f13cb1a43938526ff2b2
SHA5125b398e0e3899811a4bbcaa55e2ce24604f177bdb12c598366fb5b350af8185dc6649727daf5bc72bedfaf96757befd323c0afab754da855728cf01f6b7bff24e
-
Filesize
259B
MD5700fe59d2eb10b8cd28525fcc46bc0cc
SHA1339badf0e1eba5332bff317d7cf8a41d5860390d
SHA2564f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA5123fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
Filesize
881B
MD5bc115eeef0a6b2f8956ac0c4081ce9bb
SHA13fc50d08b41f02e76d1313bd894a053eb5e0217a
SHA2564b8acb7bffcfc009e82bdcba7e05358690f8e000198965b7f5526f094bd7bce0
SHA5123a8157eeabb8715fb43c6282abf5a0061bc0e9c15ee82e87d1ca2155cd3cc0b1a0ddca73432013ba018fa43a271b6f872f6367c8c6c44b81e0517ae6164dfb4a