Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
21/02/2024, 23:15
General
-
Target
startup.exe
-
Size
2.7MB
-
MD5
0c3c4751da6a247b3229c8a94b40fc74
-
SHA1
0e783415e91f632bc74240bee35463fcc049c283
-
SHA256
d40d7b877916f9c27391436f740430a4ad8fccfe1300cb86b8518f790d33a6a9
-
SHA512
24a0247c66624648ec47048846e5d79e09460f0053699d97c9b450c5168f9fc7d99738a2b916e905bbe5d07b62d71163d2a1bf50114603fe050c2087f66065e6
-
SSDEEP
49152:UA4GxC0r4i4zQwmGmgetbQG5pXWVg9tq2Kqjgyi79nb3Ug5G2Pju1yg7JWdLn:ZFrR4zQ/gKbQ45870gzRdAlK
Malware Config
Signatures
-
Checks for any installed AV software in registry 1 TTPs 45 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\startup.exe"C:\Users\Admin\AppData\Local\Temp\startup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{48db9351-d10f-11ee-b7a4-7a44028241b9}\startup.exe"C:\Users\Admin\AppData\Local\Temp\{48db9351-d10f-11ee-b7a4-7a44028241b9}\startup.exe" /-nodrop /-"install=C:\Users\Admin\AppData\Local\Temp"2⤵
- Checks for any installed AV software in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\82fc322556f5435b8191d7728c4b16e1 /t 752 /p 50041⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.0.1776228708\659501000" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daad1fd7-b723-4a58-85e3-3d99b0ab10b3} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 1964 1456fdf5258 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.1.81757922\192740794" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292e4802-4c73-4938-8943-db6c0eb5c5f0} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 2364 1456f934f58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.2.521673203\1492707981" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3136 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f437862d-02ba-41de-b3a6-6f635772b8f9} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 3112 14573feab58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.3.1956828518\1624542745" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ed6ed39-41e4-4446-b5a8-4b7df86914da} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 3604 14563569f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.4.2068373785\1567863795" -childID 3 -isForBrowser -prefsHandle 4168 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9756f5d-e0f3-43c3-9ea5-397264e67bac} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 4320 14575d39258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.7.159187690\71100469" -childID 6 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d886e05-a3bf-4c70-94b0-b7f43ace8cb3} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 5424 145766f4258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.6.883542730\23288430" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1da4a2e-554b-4117-8d46-69f11ae9c38e} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 5232 1457624e858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.5.1570495591\1968594455" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5036 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b15b3c7f-6e67-492b-8835-277b23ac59a3} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 5088 145743bbf58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.8.1178032502\903168944" -childID 7 -isForBrowser -prefsHandle 5936 -prefMapHandle 3756 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b6c320a-3a7d-440d-b120-81fe1e1fa356} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 5924 14576242458 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD55fdc26992229db497d98aa88fc437241
SHA1b281c749c68500947c8168a55247883b24f675f4
SHA25622f01da36db1a9a9d08066e03ba8237e1017afce04522f3b5f8c2906ccce4d32
SHA512ca0d2dc62a6454549deb36ac211336ad446fa53f31957c525fe2af445ebf8333f82e5cf4724767d5cbf143be53a0d2f66dcdaeaa8e1850ec83161ea9eaa18be4
-
Filesize
57KB
MD5bb5da115fd467344fd6f8039654ac632
SHA13f48d1b5d2bef8e657caa145845c4340d12cc146
SHA256cba272c6ff4f024d72a546c92dd442b44c54e8ae281980c3b8061ab561833875
SHA5125d30d2cc25f703f23cd91a32b10b435c4154e6225504c542eb165a04ef5b08a39d4b4f1a8ba36c17567f4994615c1694b494c065a05b8fb9c106ecb567038151
-
Filesize
1.8MB
MD59cc9b31d4e4ba51f103baaaf22deee28
SHA1600c2b9651d411943e425a271599bd4e63251253
SHA256ea247fae19abf44e3788bd76e0fa696dd51c0c31119b489b2c910f06489cdcd9
SHA512e66beac05548e71e3078761514369099a2a41de33ee72e56084280921f7f1ebf6b3df1042056b5437bfbb620a8f752f048721c2c6416aae2fa8fab1ec1c5d2a6
-
Filesize
2.7MB
MD50c3c4751da6a247b3229c8a94b40fc74
SHA10e783415e91f632bc74240bee35463fcc049c283
SHA256d40d7b877916f9c27391436f740430a4ad8fccfe1300cb86b8518f790d33a6a9
SHA51224a0247c66624648ec47048846e5d79e09460f0053699d97c9b450c5168f9fc7d99738a2b916e905bbe5d07b62d71163d2a1bf50114603fe050c2087f66065e6
-
Filesize
7.3MB
MD577b8c752e366381fb8f9ecb5da969d10
SHA152ad6ef1a9d1dc0d4eaaa8db7246f49846ecbab4
SHA25680af3f4eea24dcd733165eabeb409fc8f2ec966cf172a59b1d672c0ff2e67481
SHA512d5c06d47a64b2f1d1e6a584ee4183390fc75f5f1995baae17522a9db7764c6a66eec13e3be1814d7117552fcbda9ba43ec5bb12e3618588731c54d2d9938b1cd
-
Filesize
9KB
MD571ac3653be38ffe001a8ce690823e78c
SHA178c29fd1dd946bc2974fabbf649d2d9d5821ff42
SHA2567114d5ccc5886c9c49dd0d13bff2bb5babbacb7e1b363e88751e72d85b9c6cab
SHA5121270accf2c552a3c2ccc65b3f9927097048914b103c1e290c36fba0dafcf696ec193c300698f936115c832070be2a83d059d69b659fe96ce685f7931463c826c
-
Filesize
734B
MD58ba76e769d1c316e4c69b9bd0967085b
SHA1417d7810d111cddcda22fbc71afb14e0672acfab
SHA25604f7fd34dad686ffb3f9316412176eb4e8a462be7d85c39559051570dd1499c1
SHA5126157d46ec3bbe94b82949aba0e22c248641bf424995fb54b0dbf8cdc12fa3aff6b75d96677884d9b2ddf29463696c82927e1e0c880e2a6a97213c4c74742bc51
-
Filesize
6KB
MD5a51e93806bfb0871bd383c8ba4ea8985
SHA19707f820c45049e264e9aaa1b6834ecfc8ef6cbf
SHA25672b0fcd38ca81d02094b49457c8b3b730067aa48af265c180d80ee31d67fa977
SHA512216cb3936c230d9137bfd1a9c36e012ca17b4c6aa8027f6e3f129f2bedb44adab0a0a399f51e5da210e087cbf272d596b1681c21d0818f398cf56d88c4cbf5a6
-
Filesize
6KB
MD58afd7f7c572446b75aee8b27917ca04c
SHA1c646dd6699d42ce52677f1807a4a5fffb1ec0d52
SHA2567f589bb949a0afb458d4e5f7bb6078db41e74b954bec1fd38e2e946db30ed4bb
SHA51244d950bcfc39b7bfa56cc7bd34675e4b30b62c3b661d35f80e432d1ec7f0467af41294a0cbfd711f54856d73e348b59f4ad1c6718698d5c6a3165fe97efa12e9
-
Filesize
6KB
MD5a6136bc1af4dde2b89cb1ad8d424d074
SHA19f991ff91376b82ffab2b2365c7b3a2013aba554
SHA256028a70fad106b045be0434f1367f49ec802bbcba90dc00f253c1c8708318ec7a
SHA51272a8071083690377b525736c1c35166b844780498e228860d3affd14b2c9bf77dd2eaca9044d04b9d5f8ef05dc63f8b7ca850f5325fd776cc2f24efee515ecae
-
Filesize
6KB
MD58d40d925cbe77c539e99db643da247ce
SHA12891a01749149310dec765b46e9b69ca1e2cd80c
SHA25672f5a471c9e78bb20bd8a5e155604e1735c7e2404c65968faa3bcb0dc8677b0b
SHA51255c72e6bf179c59370d829f009ecd0558c38036d802a9f31148a34c6b3b4b924b5310c30162b9de5324e9470c0940b35afe0f5ab8fdc17d71905134bdbdd8dee
-
Filesize
4KB
MD5ba19ce97d39c1d618fc308f88cb97b08
SHA14c7f80ea8057105b6844a8647285cf8bc9e262ef
SHA2565f27e4d33b0be2ce690ce07eab4195a2c108cc9bab11754f147590b7ac81e9a0
SHA51237119f9fec764a1dcaa57de81cfa6826c25fd6eee1b2b31563b916296f5d9635c3de662fc74185378e8976e40c7fbaf9da356af6754be9819ece4ede00840537
-
Filesize
4KB
MD5014734e65a3130ac04e0ba516bcc59b7
SHA1b4ce255172c7c8b509ba4761be515b0f55b67b6e
SHA2567e2d2f8979c26f1ee0fa160885f2eef857ed07099ec8733a0f25f8d058b7844d
SHA51270196ab31a7856cc50dd3f18f1e6336fda2251533ada92c178af1de5fb8e7c90651e691a74a7cbbfdfc8751d0b6edc08854d2ddc1028edd78bb4b48c327596aa
-
Filesize
3KB
MD5e5bd62e291e30b51e9add0ec122d8bfb
SHA1e3ce3cdcd8bd265b2bb170a2fb68551b159348a6
SHA2564410cee155a36fb3ffcafac1b028a499e9d7e66125fd80cb1feeab0d2054012f
SHA5120f0feed312963585cd14a7dabb23865d597a09825a2abd6d8aec1bcb7aaa07284c14691b98601aa8e9ef24b98918a2e86ba2e8356ca0e5cfdd8932a10609d115
-
Filesize
4KB
MD59e0010282f67aa122bd521236032bf64
SHA10f7ea32a50a4848ed52662635d1f88a27e7617cf
SHA256e0a8df28c12fb7e786e311344bd7d17c3c12eb46b9e70f9ef73adfc385b9a749
SHA5123bee17d9978ca30a8534ddaa2ae620a03768f032ba3bc304af155bf230cf027cb644f6a22bfaf83bd613384e36ddbfea24083fa913bcb071aa19a58636db9567