Analysis

  • max time kernel
    154s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/01/2024, 12:53

General

  • Target

    sa-mp-0.3.7-R5-1-MP-install.exe

  • Size

    23.1MB

  • MD5

    73a87cf012e86852de65f34c443e6a07

  • SHA1

    80bee91fcf3db727157c75f6b904f8946b0c8edb

  • SHA256

    a182af458587bc40897073f5adb2e144daa5fc34334ce43e30992cc6efac562e

  • SHA512

    1d273462ee06931ba7723440de607a9ed1e5b6052538ede5ac4adf065111511674d61025f3783c5f82e19cd4c0b0baba191777fb7e389d2683f49fa05a19799c

  • SSDEEP

    393216:QKMmflaNtY7G8K9C3xiVEDmzWhQZiCK9vwfqVAz+rEwU/hCx2XDrxmfJtU4ZBoRs:QlklUt3VExnDKmQZnK9WyrEH/bfxatZN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sa-mp-0.3.7-R5-1-MP-install.exe
    "C:\Users\Admin\AppData\Local\Temp\sa-mp-0.3.7-R5-1-MP-install.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:5104
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5024
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.0.383619949\1735491845" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4db47e40-61a8-47f7-bf8e-53fed185b7d0} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 2012 1a8e26be358 gpu
        3⤵
        PID:1924
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.1.1417805830\1468440918" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b439fb75-0731-42fe-b4a3-fdf785200be2} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 2412 1a8d5e72258 socket
        3⤵
        PID:4072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.2.1617849816\1964512665" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3012 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {205f358b-1fb6-4d99-8df7-c5ecef9b17bf} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 3184 1a8e689e758 tab
        3⤵
        PID:512
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.3.1877046734\389743123" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37fe2b20-24e1-4609-8bb6-38ff26dec5b8} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 3580 1a8e5190558 tab
        3⤵
        PID:1628
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.4.1605143765\251374927" -childID 3 -isForBrowser -prefsHandle 4392 -prefMapHandle 4444 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f825fa-6e18-4133-9600-1ca10f33171f} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 4476 1a8e82b9258 tab
        3⤵
        PID:2092
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.7.520062403\18734259" -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e374c6aa-5f54-491b-81ba-23bba43db2da} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5492 1a8e4eebe58 tab
        3⤵
        PID:3916
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.6.1537331061\1575551633" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d16f840e-9aff-4ace-9d37-b486c065ae42} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5304 1a8e4eeb258 tab
        3⤵
        PID:2948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.5.104486566\1759276841" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5124 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c020bb5c-3488-4490-8a8f-1724e21aedc0} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5144 1a8e4eeaf58 tab
        3⤵
        PID:3444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    eb5a8a1b1814f0710ebb125e47a990b5

    SHA1

    78161a408566e683bdf315f87b1e6cbce8f397d9

    SHA256

    c204afda27d448fc667c902a3b3eb73ec7304669cedb3c405eadcc7c691db8ec

    SHA512

    72feaba812085ffb9f6f7d4249c678401456a6d7ded4976bf52e66dc4667870cfdd83cc9e4985d1346e7feb590105cb80b8b226dcb8150be1699df882c512774

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\3977ef25-ec99-4dd9-8df2-b224bd29171a

    Filesize

    746B

    MD5

    061b04ffb93e95582a6140320fed10e9

    SHA1

    96a31e499db1ec0dbe3bb891e2c840122d93793f

    SHA256

    0d7e9737e1fe95440f2b71eb74be9778b80ec926a8c3af18fe24829dcfd43557

    SHA512

    671c13e49d632552dca924a6cd2be0a4d0de067bb9b1319177c6ab0dced43d93a0d70103b60f9bc03bf2f4ac0de2d8bd697aa679df00afa0280a764bee4c2d66

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\98a42c18-c5ae-4c4f-8be6-1cf2484c1fa1

    Filesize

    9KB

    MD5

    e4ed13a38b814c9b21fef8485c3629b9

    SHA1

    671fcf1018cc88ba61dcce7e2b5f0489c51015eb

    SHA256

    e89d0087bddf1d5f74205c82fa1489e982a6190540c443e0ce34dc11895543ba

    SHA512

    4fb5043016485e32a3b4d187d36cdfda43379963ca269415fa481e277c636f73e99c723033e1f5209c37915708464caeee7abc08969dd042241587680757bd76

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

    Filesize

    5KB

    MD5

    0cbceae9a528c8e54d0629f4ea13055f

    SHA1

    147e55335a00bd2e5e84a0cee58e644fc2576680

    SHA256

    007383a4e9c17af1b16b7de4483cbda8a08e0b38b3000d21bb01b51fa0d6a207

    SHA512

    631d8979c60b4a758d82afc91fd9960c73ed2d9e6f9dbc544942b7ce2a892b1c9399442557208b4899acfd49559972b1b414d619a40fbb903eaf3aab339af577

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

    Filesize

    5KB

    MD5

    c640b0b886bf4c18d10bfc525818da32

    SHA1

    87209e6970f009fd3f1ca9da4be866c78efd5d0c

    SHA256

    c3b1c7a42c43535538887b16616fe98fb0606b9853d4d590a4bb8f1d005ec5d3

    SHA512

    4140c6feff25270336b1a7acd9a723c7904c02fdfb8cedc164acfeaedc39d7664b6f166a3294e1f86251614efbed467c9a6e28bbb4d89c3ca5176dc706235e1a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    181d02db5f300fd385b6b91dc63484a2

    SHA1

    a9612b7cbd602751d8a14795753ce95fe35128a1

    SHA256

    22719862ce46214cb457f9bb7f997fce9dd0e7cd32c98afa392d8f3d5e7db67f

    SHA512

    114a9d1239e3402847510387b2908ee4aee7796237622d0de731aa9c825e5c61b003c4f0248971e3a9593bbc7b1c3f394f197dcab4f542390a985695dee4298f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

    Filesize

    184KB

    MD5

    d45112043b8107bbf1f8dc6da1a51a67

    SHA1

    08a23d281107ec94713d3b40b4266e98685a0086

    SHA256

    58064f9b3273d5de6bd15163dac6a09fc10d6818f40f875eb33da4d4a39f1375

    SHA512

    b254f39751cd31730b241cf2372a90538043cd0724723a2ae0d32aa70f211e56ac42cc5c1d81341bbeb1ee0329f6010774dcb3c8dd1351e05693a29a124e322c