e37ca5963a85c81ebcd79d8583fdc10a164bac77c5d3c95b8f9f3f3eb6660e17

Resubmissions

13-11-2023 18:08

231113-wrd6fsed3x 7

13-11-2023 18:06

231113-wp8bhseh43 1

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guyfuyfuyf.html
Size

660B
MD5

c8517e8b0db7254adae9dd4d6857af64
SHA1

570f3b013ba656825351035b93d9ecada949d283
SHA256

e37ca5963a85c81ebcd79d8583fdc10a164bac77c5d3c95b8f9f3f3eb6660e17
SHA512

7e40b28323efef221e748dfb5b4e42c27eab1ef4085e890959982c916191016dbfe5cb7d6a059ee200909c432aee032d6ce718f9c0873d38063c843bea28d6ae

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	SymyCam1.2.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SymyCam1.2.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	firefox.exe
Token: SeDebugPrivilege	1276	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1276	firefox.exe
1276	firefox.exe
1276	firefox.exe
1276	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1276	firefox.exe
1276	firefox.exe
1276	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1276	firefox.exe
1276	firefox.exe
1276	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 2104 wrote to memory of 1276	2104	firefox.exe	28
PID 1276 wrote to memory of 2868	1276	firefox.exe	29
PID 1276 wrote to memory of 2868	1276	firefox.exe	29
PID 1276 wrote to memory of 2868	1276	firefox.exe	29
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 2912	1276	firefox.exe	30
PID 1276 wrote to memory of 584	1276	firefox.exe	31
PID 1276 wrote to memory of 584	1276	firefox.exe	31
PID 1276 wrote to memory of 584	1276	firefox.exe	31
PID 1276 wrote to memory of 584	1276	firefox.exe	31
PID 1276 wrote to memory of 584	1276	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\guyfuyfuyf.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\guyfuyfuyf.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.0.105451138\1935327544" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1208 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cc5926c-f2e1-4060-a823-28bb9a9b548f} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1340 13c04458 gpu
    3⤵
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.1.1523515174\926691849" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47078fbb-4274-4396-b1b9-d52661ceb5f0} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1520 1070558 socket
    3⤵
    - Checks processor information in registry
    PID:2912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.2.1297877735\1329741949" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2156 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15dad8d3-0a74-4a26-959e-1a0212c9d206} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 1984 19ba1c58 tab
    3⤵
    PID:584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.3.1013951349\1698825636" -childID 2 -isForBrowser -prefsHandle 2684 -prefMapHandle 2676 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae115c22-4567-4581-8678-c4a80469ebb8} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 2700 1b718b58 tab
    3⤵
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.4.1647461828\1714196537" -childID 3 -isForBrowser -prefsHandle 3576 -prefMapHandle 3320 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89bfedcd-c912-4ef5-891d-84a60ab6263c} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 3544 1cb12658 tab
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.5.1051395566\2027704753" -childID 4 -isForBrowser -prefsHandle 3664 -prefMapHandle 3668 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9621c7df-db3f-4826-8454-880ec50f6155} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 3652 1d8ccb58 tab
    3⤵
    PID:1092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.6.2008989253\629596838" -childID 5 -isForBrowser -prefsHandle 3848 -prefMapHandle 3852 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b43fe84e-ab06-42e0-8bb0-40200a715cf9} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 3840 1d8cfb58 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1276.7.1905429523\1563974580" -childID 6 -isForBrowser -prefsHandle 3240 -prefMapHandle 3248 -prefsLen 27062 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {728a0196-6272-4c41-9162-82d87cde966a} 1276 "\\.\pipe\gecko-crash-server-pipe.1276" 2492 106da58 tab
    3⤵
    PID:2064
- - C:\Users\Admin\Downloads\SymyCam1.2.exe
    "C:\Users\Admin\Downloads\SymyCam1.2.exe"
    3⤵
    - Executes dropped EXE
    PID:2672

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oali21l4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
02d3f003aaf8bc5d3c38593547918dfd

SHA1
bc4c38c22d4345d896aacbef956c78aa94adca07

SHA256
7b291964f10fae0e7b1245e10ba6e14bd60f01216c7d0029cb00555f3e63f1fd

SHA512
84cc10e9dd9df03efea1790098f448232ba4cf887c968eeda948860dcea7f6ea0fc4c315047b0c2dfd4b6fbca4a4de9469a7d3384b6fc1f2cc02bca47519a91d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oali21l4.default-release\thumbnails\a099c19b0ee7dfb1bcdd5ba57c883bfe.png

Filesize
2KB

MD5
6f5f42581aa2496a65edf815c3a861c9

SHA1
0d9d6149d604d4a4b4314b7f91c316c6bce3c1a2

SHA256
93645aae7d67339ae11f797cbb2aa3d4c9d6689b05dee9a0bb21fc02119cbe2b

SHA512
93aa3cc399732f0cedce428129b79c30f5bc18ad8e401c65eeb4b50fa3a0717480e6c3adb79c218478959d1c289d2e9315ea4182ccaaa46bb4d5440397b0f4d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\prefs-1.js

Filesize
7KB

MD5
bc983b3079081f8b71218850e65cb69d

SHA1
59aaa18475b3201d52b2888bfb40a90836c6be94

SHA256
adbc89131e0eeac4001741cb992bc5794c6287c4a05b99f5ec743877a81972f3

SHA512
3de61ace4e635e5cb4bada4603aabef7b7a33b1b0b75bc1daf9e54cf54aab978606cc2c31ec16fd2c926c3a15a131bc8c4e4acbd29df175add36a1fa5c350d35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\prefs-1.js

Filesize
7KB

MD5
75ef662f7fa2ca17408e3c612c266d83

SHA1
f0b3fa2bad4a0d32605cc38d74da2520015a42d0

SHA256
4be30fa165fc3accf4b916559ff94eca83156dc3e3aa590424850a2655c664fa

SHA512
a7d8f266b9a08dd9c6bcb4ba4e7c9b03a665dc27b09cb70c19808000cd9eb9931d12a8d52db5f7b1e4cf7d92a7c91705bec7005c06f95aa84e50ee491e3b9dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bfddf8abd06839ae0ebd5305ef6b702d

SHA1
bf707002f9e883f55999672d203e343e6ecdbf11

SHA256
f3b58d8eec147a03e91c49e1880b870a6bcfebe0054205180a2ab1b755b70207

SHA512
bac963838f2dac19be4f4db803276d49d2b09a6f74a9c00d578db28c616fdd708c897617feaaead85845c4983b51bfdf985dc4038233b01a001c4fd75e256ad1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1c2fdd28fcecbce6ce95c4ed1ae231e7

SHA1
00677f0eb97072a86cadf9f6b60ea73a59c75de4

SHA256
9748010d27c44dd382e5a0a2bb80a4f4bedc9fecdb9d2e16099e86db06bab176

SHA512
fe99bce354ed56fe6f1e36c2f28018783b427d46b7fee1bf3a3d67dbf8fc7d2ef1d970ace8759bac2f867b9f62fc7098d7825cbdb4fd08e45159f1d38a435924

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
70d340e4feab9fcaba57f77409a2fa46

SHA1
cdd91c0f4d7789c3db2338fb54ac0d66d54b7741

SHA256
07ebc195d4710effd4566a78165a4e0b67ad630d2fb53310cf9c63a1ea9e482e

SHA512
2c44496499b72e277307bf32b4e664b8ce3b33408e647afc3c4ef0c669acc2b6cd8d51dcc3ef6a54475796a81c1cf79e27e136020a42c93031b735cf56ae202d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9536333811a8b294e9d034089037f6e2

SHA1
27c820148c104e3de6f25d75bc36e1b22974bba0

SHA256
f3a45508b1f8acf49ad28aa37b7ad7294668597938e13f276a28855315f61ee7

SHA512
633b218451760e81b681868714f5c8e22cd31d38d6921a0acdebe4927db4917c0bd03573a0c5c04fd2d41c09018c0895747a6d50dcf1c16d806dd43bc686139a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oali21l4.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
968d917f824d175ee3f5015533de9991

SHA1
d8aeda9bf196a54ad3d94197e32710f02cd06834

SHA256
83a30edebfa76907423c40dc3a0fb04d7c8f47e8e4beb68c73a33f5f99335676

SHA512
18000b35f0e4d8d4014c7d740379a44204d798cf1a4a49127af6b6ed84711a5579ccfac566aced4533d5e8c90f2bb4da8752c630a9a45d39f286f43eb895b3c9

Download Submit
C:\Users\Admin\Downloads\SymyCam1.2.exe

Filesize
10KB

MD5
26c9c49d0d4cd855e822c867f5c4e724

SHA1
f6be1e336a01b89131fc92ad5d800f49692c35e5

SHA256
d148abfb12fdef7de529d65c2b93435d723cb9160ec2e2bd052d93af206f2e34

SHA512
a2e650491c97b20bbeb996b62f0b1d5a66098c3275cad4820f4358c09937d415040af80357e3a14d9594c7546fcd2f954cc0dc106474bb466b35fe9f14a61412

Download Submit
C:\Users\Admin\Downloads\SymyCam1.2.exe

Filesize
10KB

MD5
26c9c49d0d4cd855e822c867f5c4e724

SHA1
f6be1e336a01b89131fc92ad5d800f49692c35e5

SHA256
d148abfb12fdef7de529d65c2b93435d723cb9160ec2e2bd052d93af206f2e34

SHA512
a2e650491c97b20bbeb996b62f0b1d5a66098c3275cad4820f4358c09937d415040af80357e3a14d9594c7546fcd2f954cc0dc106474bb466b35fe9f14a61412

Download Submit
C:\Users\Admin\Downloads\SymyCam1.2.exe

Filesize
10KB

MD5
26c9c49d0d4cd855e822c867f5c4e724

SHA1
f6be1e336a01b89131fc92ad5d800f49692c35e5

SHA256
d148abfb12fdef7de529d65c2b93435d723cb9160ec2e2bd052d93af206f2e34

SHA512
a2e650491c97b20bbeb996b62f0b1d5a66098c3275cad4820f4358c09937d415040af80357e3a14d9594c7546fcd2f954cc0dc106474bb466b35fe9f14a61412

Download Submit
C:\Users\Admin\Downloads\SymyCam1.2S6ksiry.2.exe.part

Filesize
10KB

MD5
26c9c49d0d4cd855e822c867f5c4e724

SHA1
f6be1e336a01b89131fc92ad5d800f49692c35e5

SHA256
d148abfb12fdef7de529d65c2b93435d723cb9160ec2e2bd052d93af206f2e34

SHA512
a2e650491c97b20bbeb996b62f0b1d5a66098c3275cad4820f4358c09937d415040af80357e3a14d9594c7546fcd2f954cc0dc106474bb466b35fe9f14a61412

Download Submit
memory/2672-156-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2672-157-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2672-155-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-166-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2672-240-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-241-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download