Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 18:47

General

  • Target

    tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe

  • Size

    42.0MB

  • MD5

    e3e83d9e59dc66f9328940640910a731

  • SHA1

    aff9d47058b4b172c65db8f8d0d486a3e297a916

  • SHA256

    459b0cb9830f52ace1106ac9a2d636423de893fe301743891e0a2879fb8cd8a7

  • SHA512

    8c46106ffa2caf8ef03cea51b871c1b3cf756d2a3c9f2a34c3a0959abb8708fda7378dcd432c84104294c2e96ecbc3278a547a0ba0a21ff9e8b1cbc2c76705da

  • SSDEEP

    786432:WtHoZOx0E52L17X274NtKP8ih/WahlNel6wBcImhSZ4+S/buMdMPDTbU0k0vJhHZ:WtDx0k2L1WMKP59WelNeltcdd+SDDWh7

Score
7/10

Read the score against the process tree below. The only signature attributed to the sample's own process (PID 1620) is Loads dropped DLL; every other IoC-bearing signature in the tree (processor information, SCSI keys, registry class, AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx, WriteProcessMemory, EnumeratesProcesses) is attributed to the firefox.exe and taskmgr.exe trees, which start at depth 1 rather than as children of the sample. Checks installed software, Enumerates physical storage devices and Uses Task Scheduler COM API carry no IoC count and are not attributed to any process in the tree. PID 1620 is also reported for taskmgr.exe, so the memory/1620-* dumps listed under Downloads cannot be tied to either process by PID alone.

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs

    The five DLLs are unpacked into the installer's temporary plugin directory (nsp4623.tmp, listed under Downloads) and carry the names of standard NSIS plugins (LangDLL, StartMenu, System, UserInfo, nsDialogs), which an NSIS-built installer does on every run; compare their hashes with a known-good NSIS build of the same version before treating this signature as evidence of malicious behaviour.
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
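The registry-based signatures above (Uninstall keys, SCSI keys, processor information, and one of the ways storage enumeration can fire) all come down to which keys a process reads and what values it gets back. The following Python is an added example, not part of the sandbox report or its rule set: it maps key paths to those signature names using the well-known key locations (the report's own rule definitions are not shown, so the mapping is an assumption), attributes each hit to the process that caused it, and flags the virtual-machine product strings that evasive code looks for in the SCSI Identifier and ProcessorNameString values. The access log at the bottom is constructed in the shape (pid, image, key, value data) a sandbox records.

```python
"""Map registry key accesses to the sandbox signature names used in the
report above. Added example, not part of the report or its rule set; the
access log at the bottom is constructed for illustration."""
from collections import Counter

# Well-known key locations behind each signature. The sandbox's own rule
# definitions are not shown on the page, so this mapping is an assumption.
SIGNATURE_KEYS = {
    "Checks installed software on the system": [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    ],
    "Checks SCSI registry key(s)": [
        r"HKLM\HARDWARE\DEVICEMAP\Scsi",
    ],
    "Checks processor information in registry": [
        r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor",
    ],
    # one of several ways the storage-enumeration signature can fire
    "Enumerates physical storage devices": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    ],
}

# Product strings that sandbox-evasion code looks for in the SCSI
# "Identifier" and CPU "ProcessorNameString" values.
VM_MARKERS = ("vmware", "vbox", "qemu", "virtual")
VALUE_SIGS = ("Checks SCSI registry key(s)", "Checks processor information in registry")


def normalize(key: str) -> str:
    """Lower-case and shorten hive names so prefix comparison is reliable."""
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return key.lower()


def classify(key: str):
    """Return the signature name a key access falls under, or None."""
    k = normalize(key)
    for sig, prefixes in SIGNATURE_KEYS.items():
        if any(k.startswith(normalize(p)) for p in prefixes):
            return sig
    return None


def summarize(events):
    """events: iterable of (pid, image, key, value_data).
    Returns ({signature: Counter("image (PID n)")}, [(key, data, marker)])
    so each signature is attributed to the process that triggered it and
    any VM product string read back from the hardware keys is reported."""
    hits, markers = {}, []
    for pid, image, key, data in events:
        sig = classify(key)
        if sig is None:
            continue
        hits.setdefault(sig, Counter())[f"{image} (PID {pid})"] += 1
        if data and sig in VALUE_SIGS:
            markers.extend((key, data, m) for m in VM_MARKERS if m in data.lower())
    return hits, markers


# Constructed access log in the shape a sandbox records: (pid, image, key, data).
SAMPLE_EVENTS = [
    (1620, "taskmgr.exe",
     r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier",
     "VBOX HARDDISK"),
    (4984, "firefox.exe",
     r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     "Intel(R) Xeon(R) CPU"),
    (1620, "tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tesseract-OCR",
     None),
    (4984, "firefox.exe", r"HKCU\SOFTWARE\Classes\firefox\shell\open\command", None),
]

if __name__ == "__main__":
    hits, markers = summarize(SAMPLE_EVENTS)
    for sig, who in hits.items():
        print(f"{sig}: {dict(who)}")
    for key, data, marker in markers:
        print(f"VM marker {marker!r} in {key} = {data!r}")
```

The per-process attribution is the part worth keeping: a signature such as Checks SCSI registry key(s) means something different when the reading process is the sample than when it is taskmgr.exe started by the analyst.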

Processes

  • C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe
    "C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe"
    1⤵
    • Loads dropped DLL
    PID:1620
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.0.1241203281\1197857695" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1816 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87029e8d-9af7-4c2f-b090-774578167ec0} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 1948 284d24cfb58 gpu
        3⤵
        PID:4304
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.1.1216710473\46501566" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05b04deb-843b-4517-b0f1-1bb3171b1a77} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 2348 284c5c6fe58 socket
        3⤵
        PID:4080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.2.1699232332\1577311126" -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8586419b-d0b6-413e-aaf6-a7d76dba2577} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 3016 284d245e958 tab
        3⤵
        PID:1844
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.3.1946018537\648175936" -childID 2 -isForBrowser -prefsHandle 1084 -prefMapHandle 1080 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d3e2b79-b462-4b68-b650-bff313eabf55} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 3556 284d4d67958 tab
        3⤵
        PID:4692
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.4.482049353\561087020" -childID 3 -isForBrowser -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1804735-e15d-45e7-ac9b-1bcdf682b381} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 4660 284d83ea158 tab
        3⤵
        PID:1496
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.7.2063774858\1454383888" -childID 6 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9d2535d-9391-417b-8416-c34deac58d67} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5444 284d89ea758 tab
        3⤵
        PID:3960
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.6.339772548\1501645817" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87e3ff3d-ed7d-404c-abc8-11807088fbce} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5236 284d89e9b58 tab
        3⤵
        PID:1408
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.5.1528498224\553417276" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04cf661-dc2b-4ba6-9de7-6eebd164a5e6} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5104 284d6cc4758 tab
        3⤵
        PID:864
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1620
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:3060
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4068
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
    PID:1692
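To check signature attribution against the tree rather than by eye, the following Python parses the report's process-tree layout (image bullet, quoted command line, N⤵ depth marker, signature bullets, PID line), rebuilds parent/child relations from the depth numbers, and reports which signatures occur inside the sample's subtree, which occur only in other depth-1 trees, and which PIDs are reported for more than one process. It is an added example, not part of the report or the sandbox's tooling; SAMPLE_TREE is a constructed excerpt of the tree above with the Firefox content-process command line shortened.

```python
"""Parse the sandbox process tree (image bullet, command line, 'N⤵' depth
marker, signature bullets, 'PID:n') and attribute signatures to the sample's
subtree versus unrelated depth-1 processes. Added example, not part of the
report; SAMPLE_TREE is a constructed excerpt of the tree above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proc:
    image: str
    depth: int = 0
    pid: Optional[int] = None
    sigs: List[str] = field(default_factory=list)
    children: List["Proc"] = field(default_factory=list)


_DEPTH = re.compile(r"^(\d+)⤵$")
_PID = re.compile(r"^PID:(\d+)$")
_IMAGE = re.compile(r"^[A-Za-z]:\\")   # process bullets start with a drive path


def parse_tree(text: str) -> List[Proc]:
    """Return the depth-1 roots. A record runs from its image bullet to its
    PID line; the number before ⤵ is the nesting depth, and a record's parent
    is the most recent record one level shallower. Quoted command lines are
    not needed for attribution and are skipped."""
    roots: List[Proc] = []
    stack: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            body = line[1:].strip()
            if _IMAGE.match(body):
                cur = Proc(image=body)
            elif cur is not None:          # signature bullet inside a record
                cur.sigs.append(body)
        elif (m := _DEPTH.match(line)) and cur is not None:
            cur.depth = int(m.group(1))
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            (stack[-1].children if stack else roots).append(cur)
            stack.append(cur)
        elif (m := _PID.match(line)) and cur is not None:
            cur.pid = int(m.group(1))
            cur = None                      # PID line closes the record
    return roots


def walk(procs):
    for p in procs:
        yield p
        yield from walk(p.children)


def subtree_sigs(proc: Proc) -> set:
    return {s for p in walk([proc]) for s in p.sigs}


def attribute(roots, sample_name):
    """Split signatures into those inside the sample's subtree and those seen
    only in other depth-1 trees (analyst-launched or pre-existing processes)."""
    inside, outside = set(), set()
    for r in roots:
        target = inside if r.image.lower().endswith(sample_name.lower()) else outside
        target.update(subtree_sigs(r))
    return inside, outside - inside


def duplicate_pids(roots):
    """PIDs reported for more than one process (PID reuse during the run)."""
    seen = {}
    for p in walk(roots):
        seen.setdefault(p.pid, []).append(p.image)
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


# Constructed excerpt of the tree above; the content-process command line is shortened.
SAMPLE_TREE = r"""
• C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe
  "C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe"
  1⤵
  • Loads dropped DLL
  PID:1620
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:4920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc gpu
      3⤵
      PID:4304
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  1⤵
  • Checks SCSI registry key(s)
  • Suspicious behavior: EnumeratesProcesses
  PID:1620
"""

if __name__ == "__main__":
    roots = parse_tree(SAMPLE_TREE)
    inside, outside = attribute(roots, "tesseract-ocr-w64-setup-v5.0.0-alpha.20201127.exe")
    print("in sample subtree:", sorted(inside))
    print("only elsewhere:", sorted(outside))
    print("reused PIDs:", duplicate_pids(roots))
```

Run against the full tree above, the same split leaves Loads dropped DLL as the sole signature in the sample's subtree and reports PID 1620 twice, which is why the memory/1620-* dumps need a second key (timestamp or image base) before they can be attributed.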

                        Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\LangDLL.dll

                                Filesize

                                7KB

                                MD5

                                bc11f58aa5fb1a877d5a236eecf105a2

                                SHA1

                                8a9fe378027ef83659872f80d75d90d65b44cf5e

                                SHA256

                                9a70dd9e812fb61f11c4bc9335461cd44f3076fb70c898aa42858047c2b1a93b

                                SHA512

                                2f1fdfd9ba5761e48b39850122f20adbb5ad3d3a5827fd2048d5679f1f298dc7859794c090fd44f254da065fcb41efabe5b4110a01dbbf9b591a843c355bda72

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\StartMenu.dll

                                Filesize

                                10KB

                                MD5

                                18e0d3949bd0d1a9f45dbee66ab2ebcf

                                SHA1

                                cb32adac5ffbd82dd550989bd7fe990f71cf9b99

                                SHA256

                                372dc5534980d79d4e20147fd8d7bb20e76d91cad3d086cc1ed7bd03bd581a78

                                SHA512

                                c41b35df327933f4ba9218b326dead3724049676df5cda0a0f7f57b28b92a7efde3832af262a96d545db5e1f7e01a1191f1b68b395c592d64fdbcae80273ae45

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\System.dll

                                Filesize

                                26KB

                                MD5

                                ebf5c733481e2f6ddaa04fab99553616

                                SHA1

                                7a979fa5609dd29315089c8640fabf3ca01be51d

                                SHA256

                                3b7ae06666fb4277974766409349d0f14d4358e15a20c6c078a29c6021b4a779

                                SHA512

                                37a61a13ca08bcd0c7bf84c0d1ec4c4d7320b57d60fa702a1c06f8e2a5a8a9c16b4b6756147357713ffafe26dea9ed42f45e5279c4999121a5589f1069760d8c

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\UserInfo.dll

                                Filesize

                                6KB

                                MD5

                                468810235cebba9d311137e11ff0fa49

                                SHA1

                                72b1173f1ca6f3d1733e5487b04a89f7e7adf385

                                SHA256

                                48e8fe27774165eee31fc04266c80b553bc80799c103ba7a0e378d68dd023172

                                SHA512

                                deb5ffbf92e9668af544a88d329434fe271c8663517ec2d20609f015d447b254d17b44f3259db6d7d8b4fd9c22a645f0e1b4842dac1434eff892dbab28cdac76

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\modern-wizard.bmp

                                Filesize

                                25KB

                                MD5

                                cbe40fd2b1ec96daedc65da172d90022

                                SHA1

                                366c216220aa4329dff6c485fd0e9b0f4f0a7944

                                SHA256

                                3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

                                SHA512

                                62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

                              • C:\Users\Admin\AppData\Local\Temp\nsp4623.tmp\nsDialogs.dll

                                Filesize

                                12KB

                                MD5

                                87cdd064d650b3cf72f8a103bd73bace

                                SHA1

                                f8ea12681f5a5bb97ad9b525ef12e88fda832f8a

                                SHA256

                                a29754f0b21fbb92265f1fb924b3423a330704bbf56796da67aeca876dbd3326

                                SHA512

                                6ef757c6e8ad737a3755d0e387c60b596b2261ae10d02b293c1da2c1732901079a00d7f8a5fdb203f8cf984b2d8dfcaac99a43fb8ac011eaab85b56270223a88

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\db\data.safe.bin

                                Filesize

                                2KB

                                MD5

                                4f13bc9627be2228072d2d8fd43074d5

                                SHA1

                                d249f7e2850d3dc5d1ade760e5fa11b51e580543

                                SHA256

                                8a4af4adaa62713644ae9090c725c0870e7f6558d36e9c878c2a17dc0825bb21

                                SHA512

                                873396407ec4cb235ba0dc2583c043076127a765f043c0f35817f05be08f33b2ba619e356f7d7ce39e7b132eff2f2093118269abb169ce6afcf52e32775eaedd

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\pending_pings\10d27390-eeb4-4712-b67c-d969ba40d036

                                Filesize

                                746B

                                MD5

                                358666c28fac730fe2f1abd5bdda394f

                                SHA1

                                60b2c765807b33e8a218f2621cfd2a9d8a1bbba6

                                SHA256

                                e95073ee04126888616ababc1976956085728d051dd3fcbd1f18cfbe8c48b435

                                SHA512

                                21ebe377bcb6b1635a8955f33b66c8de1a5d42693b4111faaf7faea51c2c68511e8982d6d8a7dcc8c4ec8932461e1786e8da9edd0c0887732fad3e3df3d442d9

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\pending_pings\a47f2e61-2dac-40be-b55b-060425ea82b1

                                Filesize

                                11KB

                                MD5

                                b21b8bb8effe5ab23928c8d734af5086

                                SHA1

                                6413f52e5c812cf4205c3ab1e59a8f02f471b1c2

                                SHA256

                                7abc3ec51dedd30409df2918362e3dff04fe1f3a374c081374613f03054d46af

                                SHA512

                                7c52facd4f46511cdc9965babadb62b44ceaacde963d77da126d930879978f9e34c002e5b0eed6794c9e224d8307cabb5d1e99103ae5cf8d2ce1fe71e19ef7a1

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\prefs-1.js

                                Filesize

                                6KB

                                MD5

                                9487681c2a3c013e5c2a5a20d6c3af56

                                SHA1

                                b3ade0a5ef01e129c308e0ee3a70458a4328d1da

                                SHA256

                                0bf7754645a2023789f6ca46a7a55bbeedb643fd1241184efab80c202853e143

                                SHA512

                                2ace93b6cebefb6039d1c6562af473fda674a9e20b6bb66ce40ad729a21a02b2e2f622fcc86108761a58e4b35b35fca8a72598179e98a178aef86719b5427fd5

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\prefs.js

                                Filesize

                                6KB

                                MD5

                                75583a7d9010e71bfe8d12ab5ce0230a

                                SHA1

                                208eb04bfdd3ecafd478d7735368758610f641b9

                                SHA256

                                4a8b8a31d11e3f8e2d4a8709478895cc1b373376ae5b297c55ceedbaccc4d5bf

                                SHA512

                                94f1c56bd5903a3f120bf6d926966bd8a4853cd3e14ebe1a5b2fa52ee0715f8b6ab213b66a3b3f5351ee377205aca4d70e8ec01137102f689e7c4694c54e05c7

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\sessionstore-backups\recovery.jsonlz4

                                Filesize

                                1KB

                                MD5

                                1f5aa7c9ba69ef03283612f8346625a9

                                SHA1

                                64f05ee5fba80f6effee806c3a76524318cb3eba

                                SHA256

                                bfeaf981c45f3a8270ad996375884d1a268067790a96441525fbc126ebf4fdcf

                                SHA512

                                750a0368a6d1b2adce195b0635f62e4f364c0caf1d8d5c9d1f8f22608304f79b77f03a5813ab1a4102a3e5d62e531634de9c8d2612ecdd6ad5e2007d3838f975

                              • memory/1620-265-0x0000000000400000-0x0000000000455000-memory.dmp

                                Filesize

                                340KB

                              • memory/1620-297-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-24-0x0000000073CE0000-0x0000000073CEA000-memory.dmp

                                Filesize

                                40KB

                              • memory/1620-268-0x0000000073C40000-0x0000000073C4A000-memory.dmp

                                Filesize

                                40KB

                              • memory/1620-23-0x0000000074330000-0x000000007433E000-memory.dmp

                                Filesize

                                56KB

                              • memory/1620-286-0x0000000000400000-0x0000000000455000-memory.dmp

                                Filesize

                                340KB

                              • memory/1620-22-0x0000000000400000-0x0000000000455000-memory.dmp

                                Filesize

                                340KB

                              • memory/1620-295-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-296-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-25-0x0000000000400000-0x0000000000455000-memory.dmp

                                Filesize

                                340KB

                              • memory/1620-307-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-306-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-305-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-304-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-303-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-302-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB

                              • memory/1620-301-0x00000129C3920000-0x00000129C3921000-memory.dmp

                                Filesize

                                4KB