Resubmissions

04/02/2024, 06:21

240204-g4e6ysbch9 4

04/02/2024, 05:27

240204-f5qteacgcr 10

Analysis

  • max time kernel
    210s
  • max time network
    219s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    04/02/2024, 06:21

General

  • Target

    8e53f2489c9adbaa02db230f8395a0aa.dll

  • Size

    490KB

  • MD5

    8e53f2489c9adbaa02db230f8395a0aa

  • SHA1

    48c414fdf6f73c922478843e3a89ca93ee1e4d4a

  • SHA256

    72ec93703d4e440114d578adf39f55d4f8933e76e62684e30923bfd93c1dd6cd

  • SHA512

    d8de17e999ad553ed7e41013c40779910428802d3ccedc2988c82b9f4cc35b060756bbe5b55a54ff8b2d98b3e0988cb08b6575cf5cc9e6273ec6b854a3f01538

  • SSDEEP

    12288:HU873ntBL/siV2pVRJ0hVWI97UCAX5axhsxw4zd/XSkt8Y2EB3rYdHeo28J:HU87XtBrz8zIVWOQCY6sxw4RDH3rYd+W

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: LoadsDriver 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e53f2489c9adbaa02db230f8395a0aa.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:32
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\8e53f2489c9adbaa02db230f8395a0aa.dll
        2⤵
        PID:192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 608
            3⤵
            • Program crash
            PID:4972
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3080
  • C:\Windows\System32\SystemSettingsBroker.exe
    C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    1⤵
    PID:1216
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
    1⤵
    PID:3872
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s SstpSvc
    1⤵
    PID:2428
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4540
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s RasMan
    1⤵
    PID:2340
  • C:\Windows\System32\SystemSettingsBroker.exe
    C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    1⤵
    PID:2936
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s RasMan
    1⤵
    PID:224
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2700
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.0.246661409\56843162" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1640 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4e3540d-f972-4dd1-892a-3cfc2f61c1bf} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1764 1a8178d7558 gpu
            3⤵
            PID:2436
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.1.78151064\961654116" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e88d8c-c848-4d48-ad3e-bbe4fd0a5343} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2120 1a817440358 socket
            3⤵
            PID:392
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.2.1561002824\10378658" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2904 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c3b3c3d-e234-4e6a-b93e-67ae6b88fa4e} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2928 1a81b9d6d58 tab
            3⤵
            PID:596
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.3.381399486\82801388" -childID 2 -isForBrowser -prefsHandle 3296 -prefMapHandle 3260 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46a65db-8c26-4d71-94f5-e4a3fe3afc5d} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3488 1a81c721158 tab
            3⤵
            PID:2544
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.4.1040933000\343032618" -childID 3 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e91f22-b2e2-425c-ab9e-0d35fd72b6ca} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3880 1a81cdc6458 tab
            3⤵
            PID:2812
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.5.1986158966\899107581" -childID 4 -isForBrowser -prefsHandle 4688 -prefMapHandle 4656 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10651896-ce8f-4703-b17f-b3580d735828} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4696 1a81da7bc58 tab
            3⤵
            PID:192
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.7.1270709548\225150846" -childID 6 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3ed2b3-19ad-4dd8-b252-984d753813cd} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 5024 1a81da7a758 tab
            3⤵
            PID:2872
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.6.1434563910\90117689" -childID 5 -isForBrowser -prefsHandle 4836 -prefMapHandle 4840 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a317f50-49a2-45db-8cf9-4ddf5110bd46} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 4828 1a81da79e58 tab
            3⤵
            PID:4880
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.8.1531283957\467618536" -childID 7 -isForBrowser -prefsHandle 2932 -prefMapHandle 2620 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a70cdcce-e7fd-4477-a7d8-05c5fe0001ad} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3476 1a81cdc5858 tab
            3⤵
            PID:2628
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:5008

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    9433e12c65ed76357477c109b930650e
    SHA1
    42bc57e227c2a3ad64c4549a36c16d9702505590
    SHA256
    c587945e9105e19e49f3574cf24144dc1272726a99cc7437a91eaa4d3499bf6c
    SHA512
    73211839a1726a1a57802613181c87113cefe766e3a537fbe1dd64ca2163f8a466706797ee4c63a737b96685d937626acf217ba977869a027c5d8f248cee8cba

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\172bab67-f742-4187-af3b-1c4ef7db2acf
    Filesize
    10KB
    MD5
    9e01d65c536fbc9a8730acad0341f59b
    SHA1
    1bd3235e67a6f83ad01004ef4e530d33d6c283b9
    SHA256
    8c5a289a199c7a10e22d61e7de228e3f4735458eb4e52b4244910b0ae01f2fe8
    SHA512
    7859715cc39881409869c4577b7de828714edafd32a3b101292c604f46765a9da34ab6a4167b0cf6b5c6fe3e5f7bfaa8f3a98d1b3418cd2adea3bf87e40000b7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\datareporting\glean\pending_pings\de87133a-900f-4f06-a3c8-09cb7a140801
    Filesize
    746B
    MD5
    0b10c36144343d077b43e2736625d496
    SHA1
    30ebd761a889e8c5e3591f63e775863d28b60227
    SHA256
    9d62b2ab6385456248e539432dd5aa749cd0c29a694a2e4f5118eef30599bd29
    SHA512
    b2148e1fcbe9fb8fdb3917943a6deed1444baf4111e14d0d80fc0c78ab5b98b7ccf6f430c76c901fb503b63574002f1f14c9e037364301b1a540a1cccb7a518a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    bf74602c983eae79b976d7ccd24a1d21
    SHA1
    c771fc453da224e005a462da873a4928b7b1b0e0
    SHA256
    d0a851857d66bc8fb1e86d8dd9c1588356d1964850b3f7263d3281628436b05a
    SHA512
    c5088a5e063844d56e49b7befc01793644042f89bf1697a7f4fb889152ade07b44ee1a33db68cf5573aecacae24eb0e0684a0b145ef3c4ed5bb0341e781149b6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    86bbf5d50025a86db862e7e78fab5d26
    SHA1
    4e84c8465ddbca501e8f1013607d96f9750e000e
    SHA256
    641e1635b37937da9ea327ffc1562498cafcf491dc82341a06c432363c709a50
    SHA512
    689b4dff8e2ccc2ecb1e0bf6ecbfc6fee39b194651dbe522f33d9c0bef46673b991570173c53d17078a71533edcfb8351e3d687a20df4a4854b3d8b62257f274

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\prefs-1.js
    Filesize
    7KB
    MD5
    070d8b1bd46b6fd7baf4ed95f92683a9
    SHA1
    1772a3eccfcac98d37af76f439e140974a6e45df
    SHA256
    41371f674a3892662dec1a536fa0ef4476707cb4ce9c9790662613297584ec0f
    SHA512
    c0390fdb2cd1182d4b91298adfb8a077b4bca9966254a7fc2ec60b19f56764ab5f6b68064590f62d9ca216521e3f9c88fb4ab83282f302b23f5918f5d24feef6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    42f1f416b7ca604b4ed9e3ed7faed4a6
    SHA1
    93f35948ac86f7bec113566afc42ffae2101eda3
    SHA256
    93778633de12b83a91fe3833e0c392c2c67a7dcf9584981e48f6422fd51630dc
    SHA512
    41fcc469377a8949b475d237b77fb708d09a627240c15e306b6910d0c2292606fe88f482e7fe6ff802ef0b497ba6e2538e032c61113ec9527d248a2a1968e1eb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    499309aca9bd353f29a19fedfc1baafb
    SHA1
    e859214c5bd9fc035de95ccf4da8fc8d25fe911a
    SHA256
    f4e9127140f2a3651182d714bd31c5b7a523e3a8ba48b80181c945860956a3f2
    SHA512
    6a68b28357cb5ab5cfb17f4623f64e6b4bd3c5e38f8fa1f54bf8ded271cbd77c778f48b6695001681d7ef81141e3a57d8e4cf5a94046b800daaf7a107725ab58

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7sk8fjhx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    d3e61b677da5dc7d565167a919b3bfea
    SHA1
    956bb2f67a073d2b6227f965ca6bbd92cd487a70
    SHA256
    2ee903a791b144b30a082d5e72e25db013d62c801f86dd3b3c444db8ca8ceee5
    SHA512
    eac2cf91c935d15453dd2bcf23e9cf9ec61ae3ba67e2819946b7953cad2637367f6775902b829b3e185c1ee4ca7137347a2c69294319073f322b8298abae555c

  • C:\Windows\INF\netrasa.PNF
    Filesize
    22KB
    MD5
    80648b43d233468718d717d10187b68d
    SHA1
    a1736e8f0e408ce705722ce097d1adb24ebffc45
    SHA256
    8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
    SHA512
    eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

  • memory/192-2-0x0000000000A50000-0x0000000000A90000-memory.dmp
    Filesize
    256KB

  • memory/192-1-0x0000000000A50000-0x0000000000A90000-memory.dmp
    Filesize
    256KB

  • memory/192-0-0x0000000004610000-0x000000000486D000-memory.dmp
    Filesize
    2.4MB