Analysis
-
max time kernel
205s -
max time network
274s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
21-02-2024 20:11
General
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqblRxdU5jZFRDYkxETzhuZW9LWFYxQzFTLVJ1d3xBQ3Jtc0ttaHBKemxFMHpfSmppYk43amZIS05jR2ZIamwtelNXMTdsOUxHUzZ3WjQxOHBWakRzOU41TVFMdHFweXFmcDU5SnQ0cFo0UFVDZjZPTEdENl9yWnNZVFU4aXRmbUVWdEtPa183ZkR0clM3YVp2RDY2QQ&q=https%3A%2F%2Fwww.wemod.com%2Fhome&v=XOxY96GmOF0
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqblRxdU5jZFRDYkxETzhuZW9LWFYxQzFTLVJ1d3xBQ3Jtc0ttaHBKemxFMHpfSmppYk43amZIS05jR2ZIamwtelNXMTdsOUxHUzZ3WjQxOHBWakRzOU41TVFMdHFweXFmcDU5SnQ0cFo0UFVDZjZPTEdENl9yWnNZVFU4aXRmbUVWdEtPa183ZkR0clM3YVp2RDY2QQ&q=https%3A%2F%2Fwww.wemod.com%2Fhome&v=XOxY96GmOF0"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqblRxdU5jZFRDYkxETzhuZW9LWFYxQzFTLVJ1d3xBQ3Jtc0ttaHBKemxFMHpfSmppYk43amZIS05jR2ZIamwtelNXMTdsOUxHUzZ3WjQxOHBWakRzOU41TVFMdHFweXFmcDU5SnQ0cFo0UFVDZjZPTEdENl9yWnNZVFU4aXRmbUVWdEtPa183ZkR0clM3YVp2RDY2QQ&q=https%3A%2F%2Fwww.wemod.com%2Fhome&v=XOxY96GmOF02⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.0.716645624\386055476" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5564c1b-7bae-4b21-9abb-4fcea8c40847} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 1948 1899edee158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.1.225509511\2104597230" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aea5e86-7f9f-40f9-8efd-af2f706f3443} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 2388 1899e8e1b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.2.719757509\522363704" -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 3160 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1ae1e19-6910-4e13-9602-d88584cca307} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 2996 189a2590158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.3.1227486629\855828271" -childID 2 -isForBrowser -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d828cab9-9a34-48d2-a1ec-d264a14f16c5} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 3856 189a3b9e858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.4.684532404\612407127" -childID 3 -isForBrowser -prefsHandle 4784 -prefMapHandle 4780 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cedf9617-8d5a-4c8f-be0a-31338dc14f9f} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 4808 189a4ed4b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.5.964362260\1076321710" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a993b3-9932-4124-992a-821e071d7853} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 4992 189a4523e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.6.98079665\812141626" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cee4e22-80a8-4403-9979-ce55d7b81057} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 5228 189a4bfb858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.7.1870697250\584882720" -childID 6 -isForBrowser -prefsHandle 3024 -prefMapHandle 2952 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f945d6-70ad-441b-865b-8ea887c7f426} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 4104 189a4b74d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5000.8.1449133500\1929831702" -parentBuildID 20221007134813 -prefsHandle 5760 -prefMapHandle 3236 -prefsLen 26381 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb8aeacb-59b0-40fb-b770-9584cd759f64} 5000 "\\.\pipe\gecko-crash-server-pipe.5000" 5748 189a4b34e58 rdd3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92fd846f8,0x7ff92fd84708,0x7ff92fd847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15899185950362375486,16054284623558885490,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
Filesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
Filesize
6KB
MD555168bf1f891393430261ce0b2e2cd46
SHA15a53fe6f8343ec770993cdd50b73a52d27d8c340
SHA256a2d4ad5fc6b29d0e56a429a983fba52d1a5028cc1065a27c1ccbe94792e03272
SHA5127f07fc86877e74255dfd2442dd33bd06866ccb02fcdacbe1141fd25b91f9ca464288c6f6e5ca4ca1d3cbe27d9742036d8f0d6ac8d9053af54e2ecdf82d104125
-
Filesize
6KB
MD5f23d4e14bd58178443e7971229cb8028
SHA11e69d385b28dc5e7fbfd38101d7d1736293312ca
SHA256e8da9060bce770a0fc7522d2ca7ff24ad1f215f2125bce642ebb7d10e3a7e647
SHA5128b3f27ef3f0fc68ef1308c46e00bc60e5566fbc35e54c8f21f719b18c881fa3ac3eeb1f734c690804c9ccc76771efd21b69708da090199e00ba93750876005de
-
Filesize
11KB
MD57d764bf4885c18ad018c1873ec63efa0
SHA1b9adc141de38d48ce26cd3fb484d4f4ebb274813
SHA2564b90fba4e2f6988fb29b5727de5af334eb7cef826bb0faafea120faa5277a83f
SHA512948f4bbeb36f0fe5fdfeabaf61ec6486472b59ff4bc43ef595991befacbffc609d3590cceb6ea500d56d6a31e4791943b31a7f2dcd19f236ca4936052ad3b27a
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
9KB
MD507d238eacaae281f94ee44e80b9a96ee
SHA151e010c66fa8b013ec76801c8a581d6e071ce186
SHA25639e9af00939a80c5b0a2cd96e20cff72568904c3c9135890e0084280cc32e199
SHA512b6f8cd670a3fed927a3b58ed450d120047ef09a2bec61169637544dbf9f48cb72fbdb3b873b4568632d4974e865128cf2c34c43f689ed2cb68531bf65ebf0bda
-
Filesize
734B
MD52eb3397b7d308e95588e17f46c38073e
SHA154b8df9731e8b3ee34b206ecb5b7f762e382e051
SHA2560443a944b3daaaf6003d01e5adbb4fbeee9b7c85cddac119896e067a5f6e8631
SHA5129ad125306a0f2b6b2b302bbbf3df285bf304ec577d18fdedb2f14f202d03efff94a9eb97781f16300d21d20edcbdb400705cc68204d7a67933a7717c0fc604d9
-
Filesize
6KB
MD5d8e44e2f1ad5ce86dac3f603ccf93f95
SHA173e3b08ec38a7696e6bccdab1a1a64358ef8f668
SHA256fc579f5fdf40f3d1303fd03662a7ed1b574c018ae31b60aa6547289a92966d2d
SHA512f0974e556dad970fb8d58b6535dd68ff3a8ce4cbf4b61bff5244ec8c19d5f6732fc47f88696bd5221f211e2cbf859d202767a4445de5073d53872e164c6f2f51
-
Filesize
228B
MD566bdbb6de2094027600e5df8fbbf28f4
SHA1ce033f719ebce89ac8e5c6f0c9fed58c52eca985
SHA256df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc
SHA51218782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660
-
Filesize
2KB
MD57c48833a512b83c2bc1970bb059ffc2d
SHA1f80b5ad2506e19c06061bd1b89fec4d547475b64
SHA256ba0a126f30b945bf8c76ded6c56fd3ac2436eb8092964505036a034058123a15
SHA512b9171f6064a69b2ddc76b71f4b79fc647e380cd2831f774a82c1c0ea976db8ecbf22ddb321042f8a710fa3019e48754781fb06f42e3964a5eee50a618e4bd07c
-
Filesize
4KB
MD5cbae5707d062a65ba04a89574a48e25d
SHA148714f1d8b1d2eb96f8f4fe6917c106bcf8b8581
SHA2565845f21a113e8c704d08e00c11682cc8c59f328439564c49d041324a2235e1df
SHA512ae04f51b322bff4f90a2bcb669628934019429fe19e3bf889efa6d32e818652a30c761fb8d6861dd891873408800789eb1856e9ade5032887f6809020db5662d