Analysis

max time kernel: 210s
max time network: 219s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/02/2024, 06:21

Static task: static1
Behavioral task: behavioral1
Sample: 8e53f2489c9adbaa02db230f8395a0aa.dll
Resource: win10-20231215-en
General

Target: 8e53f2489c9adbaa02db230f8395a0aa.dll
Size: 490KB
MD5: 8e53f2489c9adbaa02db230f8395a0aa
SHA1: 48c414fdf6f73c922478843e3a89ca93ee1e4d4a
SHA256: 72ec93703d4e440114d578adf39f55d4f8933e76e62684e30923bfd93c1dd6cd
SHA512: d8de17e999ad553ed7e41013c40779910428802d3ccedc2988c82b9f4cc35b060756bbe5b55a54ff8b2d98b3e0988cb08b6575cf5cc9e6273ec6b854a3f01538
SSDEEP: 12288:HU873ntBL/siV2pVRJ0hVWI97UCAX5axhsxw4zd/XSkt8Y2EB3rYdHeo28J:HU87XtBrz8zIVWOQCY6sxw4RDH3rYd+W
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  description   ioc                             Process
  File created  C:\Windows\INF\netsstpa.PNF     svchost.exe
  File created  C:\Windows\INF\netrasa.PNF      svchost.exe
  Both hits come from the svchost.exe hosting NetSetupSvc (PID 4540). *.PNF files under C:\Windows\INF are precompiled INF caches written by Windows itself when network components are set up; this is not activity of the sample's process tree.

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4972  192         WerFault.exe  72
  PID 192 is the SysWOW64 regsvr32.exe that was launched to load the 32-bit DLL; WerFault.exe was invoked as "WerFault.exe -u -p 192 -s 608" to handle its crash. The sample's DLL therefore faulted inside regsvr32 rather than completing DllRegisterServer.

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                             Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  All five hits are from firefox.exe (PID 2700), which is not a descendant of the regsvr32.exe that loaded the sample. Do not read this as sandbox evasion by the DLL.

- Modifies registry class (1 IoC)
  description  ioc                                                                               Process
  Key created  \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings  firefox.exe

- Suspicious behavior: LoadsDriver (10 IoCs)
  pid  Process
  4    Process not Found  (9 hits)
  632  Process not Found  (1 hit)
  PID 4 is the System process; the sandbox could not resolve an image name for either PID. Neither belongs to the sample's process tree.

- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        4540  svchost.exe
  Token: SeCreatePagefilePrivilege  4540  svchost.exe
  Token: SeLoadDriverPrivilege      4540  svchost.exe  (16 hits)
  Token: SeDebugPrivilege           2700  firefox.exe  (2 hits)

- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process
  2700  firefox.exe  (4 hits)

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  2700  firefox.exe  (3 hits)

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2700  firefox.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process       procid_target
  PID 32 wrote to memory of 192        32    regsvr32.exe  72   (3 hits)
  PID 1492 wrote to memory of 2700     1492  firefox.exe   89   (11 hits)
  PID 2700 wrote to memory of 2436     2700  firefox.exe   90   (2 hits)
  PID 2700 wrote to memory of 392      2700  firefox.exe   91   (48 hits)
  The only hits involving the sample are the three writes from the 64-bit regsvr32.exe (PID 32) into its SysWOW64 child (PID 192); that is how regsvr32 hands a 32-bit DLL to the 32-bit loader, not process injection by the DLL. The Firefox writes are the browser's parent process setting up its gpu/socket/tab children.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
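The report flags the Task Scheduler API without naming a process or a task, so the useful follow-up on a host is to enumerate the tasks and look for the persistence shape described above: a boot or logon trigger whose action runs a living-off-the-land binary (regsvr32, rundll32 and friends) or anything under a user-writable directory. The script below is an added example and is not the sandbox vendor's code; it parses the CSV that `schtasks /query /v /fo csv` prints and scores each row. The CSV embedded in it is constructed for the example (task names and paths are made up), it keeps only the columns the check reads, and the column names and trigger strings ("At logon time", "At system start up") are assumed to be those of an English Windows 10 and should be checked against the host before relying on them.

```python
"""Hunt for scheduled-task persistence in `schtasks /query /v /fo csv` output.

Added example, not from the sandbox report or its vendor.  Flags tasks whose
action runs a LOLBin or a file in a user-writable directory, with extra weight
for boot/logon triggers.  SAMPLE_CSV is constructed; column names and trigger
strings are assumed to match English Windows 10 schtasks.exe output.
"""
import csv
import io
import re

LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE)
BOOT_TRIGGERS = {"at system start up", "at logon time"}   # assumed schtasks strings

# Constructed sample rows: one stock Microsoft task, two persistence-style
# tasks (a regsvr32 DLL load from %TEMP%, a rundll32 load from ProgramData)
# and a legitimate-looking PowerShell job.  Names and paths are made up.
SAMPLE_CSV = r'''"TaskName","Author","Task To Run","Schedule Type","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"\OneDriveUpdaterTask","DESKTOP-1\Admin","regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\upd.dll","At logon time","DESKTOP-1\Admin"
"\SystemHealthCheck","DESKTOP-1\Admin","rundll32.exe C:\ProgramData\sh\sh.dll,Start","At system start up","SYSTEM"
"\Corp\NightlyBackup","CORP\svc_backup","powershell.exe -NoProfile -File ""C:\Program Files\Corp\backup.ps1""","Daily","CORP\svc_backup"
'''


def parse_schtasks_csv(text):
    """Rows of `schtasks /query /v /fo csv` as dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def executable_of(command):
    """Basename of the first token of 'Task To Run' (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(task):
    """Indicators for one task row, in a fixed order."""
    cmd = task.get("Task To Run", "")
    reasons = []
    exe = executable_of(cmd)
    if exe in LOLBINS:
        reasons.append("lolbin:" + exe)
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable path")
    if task.get("Schedule Type", "").strip().lower() in BOOT_TRIGGERS:
        reasons.append("boot/logon trigger")
    return reasons


def suspicious_tasks(rows):
    """Tasks worth a look: anything launched from a user-writable path, or a
    LOLBin wired to a boot/logon trigger.  A LOLBin on its own is not enough;
    plenty of legitimate jobs run powershell.exe or cmd.exe."""
    flagged = []
    for task in rows:
        reasons = assess(task)
        lolbin = any(r.startswith("lolbin:") for r in reasons)
        if "user-writable path" in reasons or (lolbin and "boot/logon trigger" in reasons):
            flagged.append((task["TaskName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(parse_schtasks_csv(SAMPLE_CSV)):
        print(name, "->", ", ".join(reasons))
```

On a live host, replace SAMPLE_CSV with the captured output of `schtasks /query /v /fo csv` (redirect it to a file and read that), and pair a flagged task with the XML under C:\Windows\System32\Tasks to see the full action and trigger definition the CSV summary omits.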
Processes

The only processes that descend from the sample are the three at the top of the tree: the 64-bit regsvr32.exe (PID 32) launched its SysWOW64 counterpart (PID 192) because the DLL is 32-bit, and that child crashed, which is what WerFault.exe (PID 4972) handled. Every other root (rundll32.exe, SystemSettingsBroker.exe, the svchost.exe service hosts, Firefox and cmd.exe) is not a child of the sample's tree, so signatures attached to those processes are background activity of the analysis VM. Note also that PID 192 is reused later by a Firefox tab child after the regsvr32.exe instance exited; match hits on that PID by image name, not by number alone.

C:\Windows\system32\regsvr32.exe  (PID 32)
  cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e53f2489c9adbaa02db230f8395a0aa.dll
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe  (PID 192)
    cmdline: /s C:\Users\Admin\AppData\Local\Temp\8e53f2489c9adbaa02db230f8395a0aa.dll
    C:\Windows\SysWOW64\WerFault.exe  (PID 4972)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 608
      signatures: Program crash

C:\Windows\System32\rundll32.exe  (PID 3080)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\SystemSettingsBroker.exe  (PID 1216)
  cmdline: C:\Windows\System32\SystemSettingsBroker.exe -Embedding

\??\c:\windows\system32\svchost.exe  (PID 3872)
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc

\??\c:\windows\system32\svchost.exe  (PID 2428)
  cmdline: c:\windows\system32\svchost.exe -k localservice -s SstpSvc

\??\c:\windows\system32\svchost.exe  (PID 4540)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

\??\c:\windows\system32\svchost.exe  (PID 2340)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s RasMan

C:\Windows\System32\SystemSettingsBroker.exe  (PID 2936)
  cmdline: C:\Windows\System32\SystemSettingsBroker.exe -Embedding

\??\c:\windows\system32\svchost.exe  (PID 224)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s RasMan

C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1492)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
  signatures: Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2700)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2436, gpu)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.0.246661409\56843162" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1640 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4e3540d-f972-4dd1-892a-3cfc2f61c1bf} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1764 1a8178d7558 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 392, socket)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.1.78151064\961654116" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e88d8c-c848-4d48-ad3e-bbe4fd0a5343} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2120 1a817440358 socket
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 596, tab, childID 1)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.2.1561002824\10378658" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2904 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c3b3c3d-e234-4e6a-b93e-67ae6b88fa4e} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2928 1a81b9d6d58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2544, tab, childID 2)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.3.381399486\82801388" -childID 2 -isForBrowser -prefsHandle 3296 -prefMapHandle 3260 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46a65db-8c26-4d71-94f5-e4a3fe3afc5d} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3488 1a81c721158 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2812, tab, childID 3)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.4.1040933000\343032618" -childID 3 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e91f22-b2e2-425c-ab9e-0d35fd72b6ca} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3880 1a81cdc6458 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 192, tab, childID 4; PID reused after the regsvr32.exe crash)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.5.1986158966\899107581" -childID 4 -isForBrowser -prefsHandle 4688 -prefMapHandle 4656 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10651896-ce8f-4703-b17f-b3580d735828} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4696 1a81da7bc58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2872, tab, childID 6)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.7.1270709548\225150846" -childID 6 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3ed2b3-19ad-4dd8-b252-984d753813cd} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 5024 1a81da7a758 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4880, tab, childID 5)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.6.1434563910\90117689" -childID 5 -isForBrowser -prefsHandle 4836 -prefMapHandle 4840 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a317f50-49a2-45db-8cf9-4ddf5110bd46} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4828 1a81da79e58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2628, tab, childID 7)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.8.1531283957\467618536" -childID 7 -isForBrowser -prefsHandle 2932 -prefMapHandle 2620 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a70cdcce-e7fd-4477-a7d8-05c5fe0001ad} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3476 1a81cdc5858 tab

C:\Windows\system32\cmd.exe  (PID 5008)
  cmdline: "C:\Windows\system32\cmd.exe"
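Most of the signature hits in this report sit on processes that are not children of the regsvr32.exe that loaded the sample, and one PID (192) is used by two different processes over the run. The script below is an added example, not part of the sandbox report and not the vendor's code: it rebuilds the process tree from the PIDs, images and parent relationships listed above, keys every process by (pid, image) so the reused PID is handled, walks each signature hit up to its root process, and reports which hits are actually attributable to the sample. The PROCESS_TREE and SIGNATURE_HITS tables are copied from the report; the function names are mine.

```python
"""Attribute sandbox signature hits to the sample's own process subtree.

Added example, not part of the sandbox report or the vendor's code.  The
report's "Processes" tree and "Signatures" tables are re-keyed by (pid, image)
so each hit can be traced to the root of its process subtree.  Only hits whose
root is the regsvr32.exe that loaded the submitted DLL are attributable to the
sample.  PIDs, images, parent edges and hits are copied from the report.
"""

# Process tree rows as (pid, parent_pid, image); parent_pid None = tree root.
# Row order matters for PID reuse: 192 is first the SysWOW64 regsvr32.exe and,
# after that process crashes, a Firefox tab child.
PROCESS_TREE = [
    (32,   None, "regsvr32.exe"),   # regsvr32 /s <sample>.dll
    (192,  32,   "regsvr32.exe"),   # 32-bit host for the x86 DLL
    (4972, 192,  "WerFault.exe"),   # WerFault.exe -u -p 192 -s 608
    (3080, None, "rundll32.exe"),
    (1216, None, "SystemSettingsBroker.exe"),
    (3872, None, "svchost.exe"),    # RmSvc
    (2428, None, "svchost.exe"),    # SstpSvc
    (4540, None, "svchost.exe"),    # NetSetupSvc
    (2340, None, "svchost.exe"),    # RasMan
    (2936, None, "SystemSettingsBroker.exe"),
    (224,  None, "svchost.exe"),    # RasMan
    (1492, None, "firefox.exe"),
    (2700, 1492, "firefox.exe"),
    (2436, 2700, "firefox.exe"),    # gpu
    (392,  2700, "firefox.exe"),    # socket
    (596,  2700, "firefox.exe"),    # tab 1
    (2544, 2700, "firefox.exe"),    # tab 2
    (2812, 2700, "firefox.exe"),    # tab 3
    (192,  2700, "firefox.exe"),    # tab 4: PID 192 reused after the crash
    (2872, 2700, "firefox.exe"),    # tab 6
    (4880, 2700, "firefox.exe"),    # tab 5
    (2628, 2700, "firefox.exe"),    # tab 7
    (5008, None, "cmd.exe"),
]

# One row per distinct (signature, pid, image) in the report's tables.
SIGNATURE_HITS = [
    ("Drops file in Windows directory", 4540, "svchost.exe"),
    ("Program crash", 4972, "WerFault.exe"),
    ("Checks processor information in registry", 2700, "firefox.exe"),
    ("Modifies registry class", 2700, "firefox.exe"),
    ("Suspicious use of AdjustPrivilegeToken", 4540, "svchost.exe"),
    ("Suspicious use of AdjustPrivilegeToken", 2700, "firefox.exe"),
    ("Suspicious use of FindShellTrayWindow", 2700, "firefox.exe"),
    ("Suspicious use of SendNotifyMessage", 2700, "firefox.exe"),
    ("Suspicious use of SetWindowsHookEx", 2700, "firefox.exe"),
    ("Suspicious use of WriteProcessMemory", 32, "regsvr32.exe"),
    ("Suspicious use of WriteProcessMemory", 1492, "firefox.exe"),
    ("Suspicious use of WriteProcessMemory", 2700, "firefox.exe"),
]

SAMPLE_ROOT = (32, "regsvr32.exe")


def build_tree(rows):
    """Return {(pid, image): parent_key or None}.  A child's parent resolves to
    the most recent earlier row with that PID, which disambiguates reuse."""
    parent_of, latest = {}, {}
    for pid, ppid, image in rows:
        key = (pid, image)
        parent_of[key] = latest.get(ppid) if ppid is not None else None
        latest[pid] = key
    return parent_of


def root_of(parent_of, key):
    """Walk parent links up to the tree root (unknown keys are their own root)."""
    while parent_of.get(key) is not None:
        key = parent_of[key]
    return key


def attribute(hits=SIGNATURE_HITS, rows=PROCESS_TREE):
    """Tag each hit 'sample' or 'background' and report its root process."""
    parent_of = build_tree(rows)
    result = []
    for sig, pid, image in hits:
        root = root_of(parent_of, (pid, image))
        who = "sample" if root == SAMPLE_ROOT else "background"
        result.append((sig, pid, image, who, root))
    return result


def sample_only(hits=SIGNATURE_HITS, rows=PROCESS_TREE):
    """Distinct signatures that are actually attributable to the sample."""
    return sorted({sig for sig, _, _, who, _ in attribute(hits, rows)
                   if who == "sample"})


def reused_pids(rows=PROCESS_TREE):
    """PIDs seen with more than one image; hits on them must be matched by
    (pid, image), never by the number alone."""
    seen = {}
    for pid, _, image in rows:
        seen.setdefault(pid, set()).add(image)
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


if __name__ == "__main__":
    for sig, pid, image, who, root in attribute():
        print(f"{who:<10} {sig:<42} {image}:{pid}  root={root[1]}:{root[0]}")
    print("sample-attributable:", sample_only())
    print("reused PIDs:", reused_pids())
```

Run as written it leaves exactly two signatures on the sample's side, "Program crash" and the regsvr32 parent-to-child "Suspicious use of WriteProcessMemory", and puts every registry, privilege and window-hook hit under the Firefox or svchost roots. The same tables can be refilled from any other run of this kind of report; the point is to key on (pid, image) and resolve parents in listing order, otherwise the reused PID 192 would wrongly pull a Firefox tab into the sample's subtree.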
Network
MITRE ATT&CK Enterprise v15
Downloads

Every file below with a recorded path lives under the analysis VM's Firefox profile (7sk8fjhx.default-release): Glean telemetry pings and sessionstore backups that the browser writes on its own. None of them was written by the regsvr32.exe process tree, and the three recovery.jsonlz4 entries are successive versions of the same file, not three files. The entries without a path are reported only by size and hash.

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 9433e12c65ed76357477c109b930650e
  SHA1: 42bc57e227c2a3ad64c4549a36c16d9702505590
  SHA256: c587945e9105e19e49f3574cf24144dc1272726a99cc7437a91eaa4d3499bf6c
  SHA512: 73211839a1726a1a57802613181c87113cefe766e3a537fbe1dd64ca2163f8a466706797ee4c63a737b96685d937626acf217ba977869a027c5d8f248cee8cba

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\172bab67-f742-4187-af3b-1c4ef7db2acf
  Filesize: 10KB
  MD5: 9e01d65c536fbc9a8730acad0341f59b
  SHA1: 1bd3235e67a6f83ad01004ef4e530d33d6c283b9
  SHA256: 8c5a289a199c7a10e22d61e7de228e3f4735458eb4e52b4244910b0ae01f2fe8
  SHA512: 7859715cc39881409869c4577b7de828714edafd32a3b101292c604f46765a9da34ab6a4167b0cf6b5c6fe3e5f7bfaa8f3a98d1b3418cd2adea3bf87e40000b7

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\de87133a-900f-4f06-a3c8-09cb7a140801
  Filesize: 746B
  MD5: 0b10c36144343d077b43e2736625d496
  SHA1: 30ebd761a889e8c5e3591f63e775863d28b60227
  SHA256: 9d62b2ab6385456248e539432dd5aa749cd0c29a694a2e4f5118eef30599bd29
  SHA512: b2148e1fcbe9fb8fdb3917943a6deed1444baf4111e14d0d80fc0c78ab5b98b7ccf6f430c76c901fb503b63574002f1f14c9e037364301b1a540a1cccb7a518a

- (no path recorded)
  Filesize: 6KB
  MD5: bf74602c983eae79b976d7ccd24a1d21
  SHA1: c771fc453da224e005a462da873a4928b7b1b0e0
  SHA256: d0a851857d66bc8fb1e86d8dd9c1588356d1964850b3f7263d3281628436b05a
  SHA512: c5088a5e063844d56e49b7befc01793644042f89bf1697a7f4fb889152ade07b44ee1a33db68cf5573aecacae24eb0e0684a0b145ef3c4ed5bb0341e781149b6

- (no path recorded)
  Filesize: 6KB
  MD5: 86bbf5d50025a86db862e7e78fab5d26
  SHA1: 4e84c8465ddbca501e8f1013607d96f9750e000e
  SHA256: 641e1635b37937da9ea327ffc1562498cafcf491dc82341a06c432363c709a50
  SHA512: 689b4dff8e2ccc2ecb1e0bf6ecbfc6fee39b194651dbe522f33d9c0bef46673b991570173c53d17078a71533edcfb8351e3d687a20df4a4854b3d8b62257f274

- (no path recorded)
  Filesize: 7KB
  MD5: 070d8b1bd46b6fd7baf4ed95f92683a9
  SHA1: 1772a3eccfcac98d37af76f439e140974a6e45df
  SHA256: 41371f674a3892662dec1a536fa0ef4476707cb4ce9c9790662613297584ec0f
  SHA512: c0390fdb2cd1182d4b91298adfb8a077b4bca9966254a7fc2ec60b19f56764ab5f6b68064590f62d9ca216521e3f9c88fb4ab83282f302b23f5918f5d24feef6

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 42f1f416b7ca604b4ed9e3ed7faed4a6
  SHA1: 93f35948ac86f7bec113566afc42ffae2101eda3
  SHA256: 93778633de12b83a91fe3833e0c392c2c67a7dcf9584981e48f6422fd51630dc
  SHA512: 41fcc469377a8949b475d237b77fb708d09a627240c15e306b6910d0c2292606fe88f482e7fe6ff802ef0b497ba6e2538e032c61113ec9527d248a2a1968e1eb

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 499309aca9bd353f29a19fedfc1baafb
  SHA1: e859214c5bd9fc035de95ccf4da8fc8d25fe911a
  SHA256: f4e9127140f2a3651182d714bd31c5b7a523e3a8ba48b80181c945860956a3f2
  SHA512: 6a68b28357cb5ab5cfb17f4623f64e6b4bd3c5e38f8fa1f54bf8ded271cbd77c778f48b6695001681d7ef81141e3a57d8e4cf5a94046b800daaf7a107725ab58

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: d3e61b677da5dc7d565167a919b3bfea
  SHA1: 956bb2f67a073d2b6227f965ca6bbd92cd487a70
  SHA256: 2ee903a791b144b30a082d5e72e25db013d62c801f86dd3b3c444db8ca8ceee5
  SHA512: eac2cf91c935d15453dd2bcf23e9cf9ec61ae3ba67e2819946b7953cad2637367f6775902b829b3e185c1ee4ca7137347a2c69294319073f322b8298abae555c

- (no path recorded)
  Filesize: 22KB
  MD5: 80648b43d233468718d717d10187b68d
  SHA1: a1736e8f0e408ce705722ce097d1adb24ebffc45
  SHA256: 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
  SHA512: eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9