Overview

overview

6

Static

static

3

exelon.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    88s
  • max time network
    90s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2023, 16:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    exelon.exe

  • Size

    1.3MB

  • MD5

    72e89e69385280ebebe27bab29a7758d

  • SHA1

    fef4a8f1033fa2dcaa2e6f67c75b927bfa6eda2c

  • SHA256

    464f5f7c802939d7b5753cfcf51180e1ce6678bbe96a1ccd2717e49cc48e2854

  • SHA512

    c787d4f95f7fd0d94dbb85c9d3f114ad084359c49e5a8f7eb069e0f33e2d0d1c3e63862320e431aaeb1780ae7c33bcfb4ce1cfe6547f2bf723a3039d976b94a3

  • SSDEEP

    24576:bhgc72LsfMMWnPwwNETev1jpvrYLJqh+EvS3GSQvQAl8fr:bhgN8/WnPwwNEevue7vSnQv3

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\exelon.exe
    "C:\Users\Admin\AppData\Local\Temp\exelon.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2732
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3004
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.0.1009187465\355435948" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60a8d2dd-ed00-487b-9193-3952043291c5} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 1964 272be0d0858 gpu
          3⤵
            PID:2324
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.1.634239418\1875494986" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f7ace31-0da5-40e3-9d39-9b922d92c890} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 2364 272bdb39858 socket
            3⤵
              PID:3132
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.2.2018863078\1487275212" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69dc673a-47b6-4cb7-978e-1a590244fff6} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 3188 272be060658 tab
              3⤵
                PID:4368
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.3.1925779544\653038698" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76a401c8-2296-4136-b396-a6cc6097ca44} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 3588 272b1764a58 tab
                3⤵
                  PID:2356
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.4.745397909\591517855" -childID 3 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ccccb22-41b1-4007-a841-3059340adc2a} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 4012 272b1761f58 tab
                  3⤵
                    PID:1276
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.5.1086483855\3566591" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 4924 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade431b0-77f3-470d-8c8f-2f95dfc33087} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 4956 272b1758758 tab
                    3⤵
                      PID:5168
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.6.2056874252\899986637" -childID 5 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {760f0461-5145-4185-9579-28e63b7041d8} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 4976 272c4492858 tab
                      3⤵
                        PID:5176
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.7.1323142626\960025465" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {032035cb-b93c-4782-953c-fab8c41ccb0c} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5156 272c4494f58 tab
                        3⤵
                          PID:5200

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp
                            Filesize

                            22KB

                            MD5

                            cfe162b829c75d24abc2c8bde5cb97a0

                            SHA1

                            c1703ff9ffb8ca655be2e5d150e488bbe23b3760

                            SHA256

                            b48f6539c0e12ae79da95b96095ae8da88cb768eebc86c75562b7487390e5239

                            SHA512

                            66d88767f9bb8f7056c90caaf5225a6cdc5226ead2308e23113262ffbe42b9c297c25b8456d019a9383e82465032ac05f9106b6e85179c4e0171181fe4625745

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            fb58502d1ec175fc995d1bb41c95a980

                            SHA1

                            1e316bcad0d7883fe73df814917e3ccd74dec237

                            SHA256

                            8638246338eebc47f0348414378c9b6adc9beaaaddd086cfee3632d3caef89c9

                            SHA512

                            459de0dc922a2dc6e0c549940fe70bb90fcc1006f51e7ea6979c537755027f2cf3eeb4ba166d247ec1c6c781351bb1ee20f544470a12557e4e63513a7ec8c22c

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            8e4a4ccaf3dbd4a5463738c92b9f592a

                            SHA1

                            6d21d07d8925ad643d452a7bc7737e3bfaaf41c6

                            SHA256

                            c78f7382605f23831515f6afcc262a436a00f51fa5480728ac9f9d4fb90fdd7e

                            SHA512

                            7c264bb0727e596998e9e048a45798f240863fa879dd52d3683f3686405463141dd37316f082cefcc1a4026bfae09fd3892a3d2e5fd7d8d5e1a31b73a41bc4da

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            bc702af65d072ab3dc6a638d092c270c

                            SHA1

                            e4052de5931a375f4b2a241e03e876a35c5e0955

                            SHA256

                            4a43cc71f105d25fc34be8d4f05a1aed940b77f23bbcaa23c82fa8208de90e87

                            SHA512

                            a507ff34df16df899047f51a260871674508fcc2f61670091fb4c4f99ade437cf8fd75e200fa884197716ebd32dc2c67672eaa2d212436e598574a2966085143

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            1KB

                            MD5

                            95a355720a19211c281111b43650d405

                            SHA1

                            fe78114a620416aea9dea07c143228f8f952c86a

                            SHA256

                            77b04cd07d0d22a05bddded2e89a9663e0e557847d7b9ef50c2f85b83e5ec7e1

                            SHA512

                            f07d0c3660442ed2b2edc38ffaf97ea44faed416d22c3424955f854a20dee4fbf56297ecba0534ddadccb17d9984e31add1b403353cb222c22e0b43e62e9f1e9

                            Download Submit

                          • memory/2732-3-0x000002410DFE0000-0x000002410DFE1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2732-6-0x00007FFD6D730000-0x00007FFD6E1F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/2732-7-0x0000024128160000-0x0000024128170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2732-8-0x000002410DFE0000-0x000002410DFE1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2732-5-0x0000024128160000-0x0000024128170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2732-4-0x000002410F850000-0x000002410F8DE000-memory.dmp

                            Filesize

                            568KB

                            Download

                          • memory/2732-58-0x0000024128160000-0x0000024128170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2732-0-0x000002410D8C0000-0x000002410DB1A000-memory.dmp

                            Filesize

                            2.4MB

                            Download

                          • memory/2732-2-0x0000024128160000-0x0000024128170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2732-1-0x00007FFD6D730000-0x00007FFD6E1F1000-memory.dmp

                            Filesize

                            10.8MB

                            Download