Analysis
-
max time kernel
181s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01/02/2024, 04:02
General
-
Target
wexhfyjiflbfxbkpbmwi.exe
-
Size
10.1MB
-
MD5
5a3566fab9f55ddcf287aa96a60ad579
-
SHA1
247839d601b36bd2c0411241e4a89b28c6ff70da
-
SHA256
54df213162ccbb081e13f8cb5bd84022f7e6587a68a04522da08f9fd56b8ef53
-
SHA512
46f5b7e2524f29ca069da75a0a4c3958d2dada86c7bc7db814ed73a737e5906b6c6cb20cb113d5982975ed6443be0deac9c56338a7c2b5424cfd86232a52b807
-
SSDEEP
196608:VEzDgHsNFdc2k9dYnqFc9PzzGZnjurXuwLs4PCE4+HtrHpRpfxGjpeQN8:4RNFdav26pjujuwhaE4+HtJRppGsl
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\eap3host.exe"C:\Windows\system32\eap3host.exe"2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\wexhfyjiflbfxbkpbmwi.exe"C:\Users\Admin\AppData\Local\Temp\wexhfyjiflbfxbkpbmwi.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.0.990734152\1011111655" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e0ef78-32ef-4a83-9d9e-dc4cd73fe7ae} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 1952 1ecbd9d6158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.1.30366422\918845957" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfa83966-0e42-4795-ad14-244d599c96fb} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 2408 1ecb11e2658 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.2.717586704\853901876" -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {817271a5-0ca1-416b-8a30-4c1e027a00eb} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 1768 1ecbd95ec58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.3.780949276\736291062" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 1200 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9d5fc6d-4554-4e5c-b59b-fd700837eb27} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 3464 1ecb1162b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.4.434876217\272351976" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68462d1d-8adc-47dd-a831-52580fd38770} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 4104 1ecc2986d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.5.1899727422\1522679975" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4944 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7728775-27fb-49ee-842f-5cf5f427baf1} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 4980 1ecc2987f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.7.1296560999\1067016397" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd22ca4e-2579-4503-8824-79c4a11d3700} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5476 1ecc3f19c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.6.269131346\1567242477" -childID 5 -isForBrowser -prefsHandle 4992 -prefMapHandle 4932 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07b68d8-ed73-490e-9b2a-968d286c8c33} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5220 1ecc3f19958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1168.8.392691406\490272728" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5836 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {316ec806-3c56-42c6-9447-15035016acca} 1168 "\\.\pipe\gecko-crash-server-pipe.1168" 5860 1ecc5b33858 tab3⤵
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55ff1366d367991b8ba0ae65d1dcec81a
SHA101d105a2a0f90d4089044aff32c070f82b569a25
SHA256c3ca95a4d519e138c2c590b0e740db77d9576dec9048a35e12d611fbb76482d2
SHA5129d1e77b9054531f538b70e01f950da4f0882d521c60e45d37072ce83a17aabf19ce9d1bae8f27ccf03b05fd7a8321ae8c6733d3f35083c119f27245e6a6fda3f
-
Filesize
11KB
MD5a755fae31fa3ab1403df7670ab5ac792
SHA1870fc309d9103e6457cc9ebc531bbc27d0b85e47
SHA2569c304f335f2870b5485f44966b4d0b74e3d567e41b8d0b6c9b5a9c5f8e8ad33d
SHA5128994cb80595ae7ab5ff4b6ac009e967c2e2c0404c8ed83ce4626bde82dc47cdc1f5ddbebc98aac9cf0b38a14af1939e42bf1f02fc9fd70227f0ea08574e3ddcd
-
Filesize
746B
MD5a47131cfa69954e16d913427788d72f5
SHA1bff8e66bf81fc15d989fd2cff5c9d0ce2cd98de0
SHA25616824d52a30e6f89851a94e7d854fbebe95cf311e9cb2dc692f055251193f12c
SHA512a974873fce6be856995341190528a9076edcf5bedcb71e6af7425b61109cfda3f9f5705182f69e3988b6b20356679bb64385d2353a250885daf68db5ca1a1fd1
-
Filesize
6KB
MD5946c7295230d518d2f9abd30e8d7f746
SHA1d96d729c194e5846b15f857e1607b28d9856194e
SHA256d75a529b5e2a6a26ceb3184af96cbde5ee345bfbf2420ac84a99a10fb327c649
SHA5128ca3619ee5015e612792f85d5d455f28fdb28cd4a4acaba03559d2b716e0ec59c1f6459839956067d750cf9ed5338e8a43644b1013f0e98e560372dd5e823758
-
Filesize
6KB
MD5c5f277942397a39717ee692b0f6e2614
SHA172b08f7ee7b2072a159dca2bfa0d92515ef6e9f3
SHA25667bbdd8e5dfdd6ec023f1f290287f73f703f1e5cf31a318d4a4b23b896a9b896
SHA5126dd7de12103bfbf0df35752d667619d59ad47b57c155e9615b6705f664a208e24cd0e8cf4aaf952c436843d33e4791939a292f672306ddf0649aa9ac93783cf9
-
Filesize
5KB
MD54942d3a9f2e2c464121cdd988bb6dff8
SHA19b0e0c328c6b0e5ecb7991628d5398fce461add5
SHA256073f353395ce6b18c0af1e037424258e92fde95e08f4f4a0a9498a24f511c8df
SHA512c6c594abee7cc40f5dc0235671226793a00f542d7213b50bbcae62ac0202ac08106932443c455f11b0572de93840a06f8c52ab4a4a1c8dd052617ca731490339
-
Filesize
5KB
MD544ed70a8a5130c709ecb1983d09b1e7b
SHA1aa461d39f89d3097930351d276c22d2fbd77a9ee
SHA25644e00cfd2024e6a9cd5f7a8c5ab7d6776be17c99ddceb6ebb699307cb392f7c7
SHA51235acfc8f4af4f6815daebf3b72f719df8c7584abc6f93d128e5554be257dda88b57ab1930a79bce4b3b48806b4896d55da5c42503354c11420655d80341fba02
-
Filesize
184KB
MD591e2a4879f4a7d77b1152e53496bbfc4
SHA1f22752151ef7f6758d30891a996b7b5c30acd97c
SHA256198277a9823ee89020b45bdd52bf6c13641d0b7c9127ee1603b42cbd3ebc2fae
SHA5123a27afe500c522face67427db3d6611608f058432874ae9ec438b9ef9fa9db4a0c2cef49d2d2c363f8dff56f3c68525af0f6bd3dde1e0750e0977c6a28644f87
-
Filesize
4KB
-
Filesize
19.6MB
-
Filesize
4KB
-
Filesize
17.9MB
-
Filesize
17.9MB
-
Filesize
17.9MB
-
Filesize
17.9MB