Analysis

  • max time kernel
    128s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/10/2023, 14:27

General

  • Target

    MetalSlug.exe

  • Size

    9.1MB

  • MD5

    5721d1dfb037f8b6437798289f3996af

  • SHA1

    858d27c6ce8128be2ba6976d9eba49296b57be2e

  • SHA256

    54f2d65fd27f7063132cc26cb2be6fadd94c3a5be8e01eab01b72a0e3f8785bb

  • SHA512

    9ecf5ff690283e1e002d807035e511cd77ad2523948aac381a995e0901ed1fc85710ef3f7f5040bbc020e83e4e4be923c201c57f46b3a6f49de78daa0f2c1de7

  • SSDEEP

    196608:hjWIYfUoJrZbfN/4q9oF29rlFSPD24Ql7byjprjp5bPPWFKNmCER:BWPfUKFF/rvFSPa4QRypp5r6Kza

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MetalSlug.exe
    "C:\Users\Admin\AppData\Local\Temp\MetalSlug.exe"
    1⤵
      PID:2268
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2720
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.0.1538209054\870397311" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ff994d-757b-4164-8459-2dc5a2ba7117} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1280 11ed5d58 gpu
            3⤵
              PID:2156
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.1.234352378\760919952" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21019 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6321807-f539-4b8e-b1cf-89fec882c4cd} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1484 e72e58 socket
              3⤵
              • Checks processor information in registry
              PID:2248
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.2.19732517\274942336" -childID 1 -isForBrowser -prefsHandle 1856 -prefMapHandle 1852 -prefsLen 21057 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5424e669-c078-4a17-9d7c-85058c7dd600} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 1820 19ba7858 tab
              3⤵
                PID:2948
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.3.280388712\442661129" -childID 2 -isForBrowser -prefsHandle 2496 -prefMapHandle 2492 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56de3953-c2a8-4af7-b975-983592560d2e} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 2432 e68158 tab
                3⤵
                  PID:2968
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.4.642455221\547565259" -childID 3 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b9fed91-34bf-4b6a-b347-27d2cbb8e824} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 2956 1b72bd58 tab
                  3⤵
                    PID:952
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.5.1961843542\1674684556" -childID 4 -isForBrowser -prefsHandle 3544 -prefMapHandle 3552 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fae3e8bb-4503-4a19-bd30-15c31eddb8fa} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3832 188fc958 tab
                    3⤵
                      PID:2784
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.6.217194741\1468890283" -childID 5 -isForBrowser -prefsHandle 3844 -prefMapHandle 2708 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33bb13f9-208b-48aa-9787-e0028c8d32f6} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 3820 19ce1258 tab
                      3⤵
                        PID:2864
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2752.7.1428662006\957841383" -childID 6 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26622 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b56924-792b-40db-9a50-480ed53ca301} 2752 "\\.\pipe\gecko-crash-server-pipe.2752" 4024 1a7cf958 tab
                        3⤵
                          PID:2792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\crb94j8y.default-release\activity-stream.discovery_stream.json.tmp

    Filesize: 21KB
    MD5: 0fa53d21a1a2405e1aa3c0bb72b321ff
    SHA1: 3521b83ebed5e3d6e3b1e684bd6275a11150b403
    SHA256: 3a4a00fad2c846bc5b559ba1887779a57c690b822171af0deec4693b992273e5
    SHA512: 706633dffc098f866f53e3f45bfdebb8ade9459930aeaf77c889e115c690dcc8e31a726614f532b61f31a638a6d99f47ea4df7f2d06cce736e3a1f035afe8758

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\crb94j8y.default-release\prefs-1.js

    Filesize: 6KB
    MD5: 8e267749fac35fce05f2b808e6704ede
    SHA1: d070bf7d45c62d313061346b63654e497d887ddf
    SHA256: dfb47e7f54af65828f792553fb79dea34c4d4aa6d2c69eb5b80934f15c65ea8e
    SHA512: fe0cb68ac4fd7e06e879a7e5ebdaf56b31700adea010b430b9b838b7f24f354db5ed08897d78018d082c9ae01e8198f2254b6c0ddfba34386a8818f7ce4d716a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\crb94j8y.default-release\sessionCheckpoints.json

    Filesize: 181B
    MD5: 2d87ba02e79c11351c1d478b06ca9b29
    SHA1: 4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1
    SHA256: 16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524
    SHA512: be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\crb94j8y.default-release\sessionstore.jsonlz4

    Filesize: 884B
    MD5: de48d56fdea13f255cd5cf10a530e7fb
    SHA1: 36d4c35deaef8e8b887a8becfda595192ed5f7d5
    SHA256: 2f83e840916f67e7a41efc6de2897fd3e11c632eeb1c4940cf7dcd6b08150e8c
    SHA512: 66a7001113e836f164d3590492abf4c7437a8841005ee1608d3e88a5422daa43c87e4549b4963c9bc2dc616aaf8edbf8714236745aa684945ee5fc9cd8adf864

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\crb94j8y.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

    Filesize: 176KB
    MD5: 62f6f034c9440461e2fb21e2eed84b99
    SHA1: 77cb0bb385fca6315bab5b2768583f8737f90a00
    SHA256: c2a1d489f353d721122a7c2d5963891c9da454f3d58832d0b0d4aa551e1874cc
    SHA512: 0a6b0626e5965a6949bad445a2b98cf79279c79ce982770eb8c14eca322de980aca22e653a227d8a3bfc33c4787c28aaa4014ad30f8e263591dfabf01f8baa4c