Analysis

  • max time kernel: 124s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231023-es
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231023-es, locale:es-es, os:windows10-2004-x64, systemwindows
  • submitted: 21/11/2023, 10:58

General

  • Target

    MalwarebytesPremium4.6.6.294.p.taiwebs.com.zip

  • Size

    336.8MB

  • MD5

    273e726bbaa1993caed7d273adc8d32c

  • SHA1

    6fbb3de14bce7cecba0059f23befa4475f1c6d3b

  • SHA256

    91136441bd4f0b249e2deb61145d2f57df930af55795d222c026157579f446d7

  • SHA512

    e4d00e7b0e81e90a29ab47891ad043d940ef5b3517be1aa36aadc93544dd06717c37e3c10a51d88d50c47c309632f221d3bc33ad3d3b34552d1fa637fc22625f

  • SSDEEP

    6291456:O/jJWY88qcqVkXPWK5Q7WeX+Wd3aJUHFK0YVU6TcrdRUMeGlOk/r8RZ8XYu:8FW4rf9Q7jVd5PJzU+OkwToR

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\MalwarebytesPremium4.6.6.294.p.taiwebs.com.zip
    1⤵
      PID:3572
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4572
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.0.552986546\1290140244" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d258912-8732-4a8f-b514-86da5b7e025a} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 1976 1c66ddfb458 gpu
            3⤵
              PID:4960
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.1.1575118335\19935373" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89120d7-c084-492c-82da-f33f40e2200e} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 2376 1c66d530858 socket
              3⤵
              • Checks processor information in registry
              PID:3844
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.2.1202600569\479093002" -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 3000 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6a7aa2-d8e8-4484-b71b-f80f4334c9e4} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 2760 1c671bb5558 tab
              3⤵
                PID:800
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.3.1432261245\997438972" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5e17db-3ebb-4597-a99f-dac9d63657a7} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 3600 1c66112d858 tab
                3⤵
                  PID:4932
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.4.1630358365\881172114" -childID 3 -isForBrowser -prefsHandle 3996 -prefMapHandle 3984 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {375d0374-e9ab-44f2-8b42-c630d00968cf} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 4016 1c672db9258 tab
                  3⤵
                    PID:4528
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.7.785833871\2078634972" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {805162ae-f37f-44fb-9d38-56435300c3b5} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 5460 1c673de9558 tab
                    3⤵
                      PID:5284
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.6.1316719567\1677556574" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a192c4-d003-435f-8a29-fff9d7ca2786} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 5268 1c673de7758 tab
                      3⤵
                        PID:5276
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4572.5.782836612\1303206034" -childID 4 -isForBrowser -prefsHandle 5136 -prefMapHandle 5108 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1120 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6404cee0-0b9b-417b-918b-756b08da844d} 4572 "\\.\pipe\gecko-crash-server-pipe.4572" 5140 1c673de6e58 tab
                        3⤵
                          PID:5268

Network

MITRE ATT&CK Enterprise v15

Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\err804pm.default-release\activity-stream.discovery_stream.json.tmp

                      Filesize

                      22KB

                      MD5

                      3fbbeffb9377db50a94695e4daabe17b

                      SHA1

                      d100e6f7e1a3d4b5a5f3b722270f8265f8ec557f

                      SHA256

                      b1dce3946b8e08bffd649fa19629ec4b5291958cc6c9f3ea9ded1d822309cd7f

                      SHA512

                      807ce192fc3f78addb7533255f150007cdb11f7b098091f2daab3e7089c6cda7a2987ae082881fc965d63d128e311c63d4a92b3b4c9bf6be4c65046b4a8c2cce

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      7fbe5cc62a70111a331909876a4f19a5

                      SHA1

                      f7fb63c835c6c5c3ebf2bf00ec49220fedfab251

                      SHA256

                      c2978758b26845bae7fe9b018bc51c2fb00f8423d0376bd2c6a701daaa6f0823

                      SHA512

                      29182a2c3c05cc526ca461107bb16d53ae96e1677669390f3d5278e86ab9906a4a562db8d590ab6fc7b36937bad659119edb5c990d39308fa9eb2013b5f814fe

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\prefs.js

                      Filesize

                      6KB

                      MD5

                      f190aef8c44b10ba20c207a770f43e77

                      SHA1

                      22e1b11ef0613cb0193220f18e1193167c613957

                      SHA256

                      26862ee16e1fc6d52c89b54c404d906710a94962dbf9b00ee9581eeba0e05d57

                      SHA512

                      e5b8f0302f1e3a3b35ff25163069afe62ed9639651192fbc858c252af8a21be9a55c1372013736ca5c962e68849ffad8507c806a22f0ae095d50968e13263f96

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\err804pm.default-release\sessionstore.jsonlz4

                      Filesize

                      881B

                      MD5

                      92256863b91e2858c5c1b18b1dd03397

                      SHA1

                      0b641b1e995d932fc98c0df853eb13e3945c1271

                      SHA256

                      3f7176ff6eca22fbd783a670a71b9ee32c45e86a7d7d62ec0126f714c6ff7c81

                      SHA512

                      b4c61483726e6f05d206260964b68c6281b9b7a9423d3e1e352dfbf5121629c943fc0a4bdcd04987e0b0759bf9aa8a307b24198aff1e16f82d69444a726ee529