Resubmissions

  • 22/02/2024, 20:22  240222-y5xk3afb63  score 7
  • 22/02/2024, 20:15  240222-y1q8gsef7t  score 7

Analysis

  • max time kernel
    210s
  • max time network
    215s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22/02/2024, 20:15

General

  • Target

    Setup_v_43.4.exe

  • Size

    108KB

  • MD5

    807fe3c11715e92bfed4d8ec568a4ac6

  • SHA1

    e4eb29ef16c6c137d1b1ce3c383dd44d6bea6a07

  • SHA256

    0c8392319b75bf41bc36b0b64476a6dcef65b3449fa93de6708d835fc680303f

  • SHA512

    a5870054c31c1d7b1647b27980af1810e6a0be6929e09766169860e957113f8f1a952da3ef1f3130225afa39f8930c8f941bd2f0be863f6113c60ebe1fb3cfbf

  • SSDEEP

    768:27Zw33FNUf6Nhd/fQ1l+0vM0iT9LsS1Kadjp3S0VYcFodSzSZ27lftch2ryIaKFj:cZ2FWSNhd/4131iGS1Kax9Sxc2qAIrP

Score
7/10

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup_v_43.4.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup_v_43.4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2712
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.0.1024630985\259016921" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 20669 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {866bb1c4-b1a6-400a-bd22-b924c836a181} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 1860 2bad71db558 gpu
        3⤵
        PID:4900
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.1.884855627\1487608827" -parentBuildID 20221007134813 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 20705 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c994109-221a-4fe2-aae7-1cd44ee7a8f0} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2240 2bacb1de558 socket
        3⤵
        PID:3624
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.2.1672492034\1408007052" -childID 1 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 20743 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f3361b3-0023-4d0e-a7fe-d0601a8baf99} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 3392 2badc4f0558 tab
        3⤵
        PID:4408
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.3.513326558\1449131796" -childID 2 -isForBrowser -prefsHandle 2856 -prefMapHandle 3204 -prefsLen 25986 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c06ae17-416c-40a2-9e80-23fab90d1f81} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 2880 2bad99e8f58 tab
        3⤵
        PID:2060
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.4.311119841\576483307" -childID 3 -isForBrowser -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 26045 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4086c129-90df-494b-87ea-4d81c8674ebc} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 4480 2bade04e058 tab
        3⤵
        PID:5048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.5.1263092324\1356630580" -childID 4 -isForBrowser -prefsHandle 1724 -prefMapHandle 4824 -prefsLen 26124 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f385d3e0-2a46-41e0-9d10-ed0bc9fb5290} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5048 2bade9b5258 tab
        3⤵
        PID:2112
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.6.790164960\778684073" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26124 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a222a81-04db-473a-99c4-60fdbe0c110a} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5184 2bade9b7958 tab
        3⤵
        PID:1936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.7.1095651779\184764242" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26124 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d6da050-d8d3-454f-bf68-80c74ea920a7} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5376 2badecc3558 tab
        3⤵
        PID:1376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.8.1789857464\655195532" -childID 7 -isForBrowser -prefsHandle 5832 -prefMapHandle 5828 -prefsLen 26283 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8a52d0f-a465-4d2b-801f-d7b3e01e83e3} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5824 2bacb12e758 tab
        3⤵
        PID:4736
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3136.9.204682791\1346133680" -childID 8 -isForBrowser -prefsHandle 5204 -prefMapHandle 5036 -prefsLen 26819 -prefMapSize 233414 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4972c6e5-43ba-43b9-8e0d-69057093a3f4} 3136 "\\.\pipe\gecko-crash-server-pipe.3136" 5068 2bade036558 tab
        3⤵
        PID:904
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2304
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1844

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize  46B
    MD5       377979818dc73d23981de3925f0ae85d
    SHA1      b2ae4257db80de164a0462a31f82a907be1b28a4
    SHA256    7aa673f2a207f170be1ce65c2b3cb5b6603e07ce353e9c705592138f5ff0ac35
    SHA512    b4dbb991541bed28c5b5d40be93d0340bedfd9cfcdc65a0d6832bd528039ab4364b62a55f9b8c3b648f1d398b6b806a9c30b896e4f329b72d98bb2552fb00345

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\cache2\entries\AE92BDA175417F9C0FABF3F0E3394C826723AC5D
    Filesize  55KB
    MD5       7d6948912b4e7632d8a72ad2d304e913
    SHA1      e5ee7cdb289aaeced3da158ec2aaf2f129a6f257
    SHA256    81c10731958c057b7af65529acf34d1ca44d4093abdbac415acae4d69287b2f2
    SHA512    0a2b480c268df23991c218e8857067e91575dad08aed792b8fe6922183912035189ab50f0a0133c05bcfa8e4599850f7aeafa2cc22363bc369167b10a461f429

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize  10KB
    MD5       d787e644a5c87ff0d529178be370af85
    SHA1      1cc3e85b27bb7a602becada3674e2ca3f06cd674
    SHA256    609b79e146732b2231318bde6338788a61124f8d22841566ed27d563200bbb32
    SHA512    9386d7ef12d90ef90816a80b4c5f6f6f6a840a0745d81aa8bb4e8ec773ca852107d4ff3ae81e4165d2e6695813121aff836404e0c2d29ea44f063a6cd55a02d0

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize  10KB
    MD5       5dd2e58c8cfaff1881ff7bc283ef1ddd
    SHA1      0ae988c23106f1983d82c01cf135803a647a1697
    SHA256    81aacd0916b4d7a8543a99621a36843406e301567f9248877efb1e804fe5ef71
    SHA512    d509064e13ffcf45d2833a801195292a2ef0e0fa2f7065459023e8c778e30f1daa64382b9aef9eed5c2de3f0a229924b20d1b6246135c089e257d91bf714852f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\db\data.safe.bin
    Filesize  2KB
    MD5       899a4d8e087c8c6d822b96d3aed2531b
    SHA1      d852441a136a159fdde6ce3a4fbaaef62bd86456
    SHA256    d83dfbe6d4710cbb34866646d2315d747f48c1c45491fc2179cafdb0300d6b9d
    SHA512    bb7e5f368ab1c4872b48564b28dcfd17d22e2e8d8d9cd8a92f5563f0d1b9f4032225bcd2ea992ef389d72041232bb9042f9099eb033f64889a14c0bc6b747bc2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\8e85a79c-3f95-4185-84ac-19fe65dbe570
    Filesize  12KB
    MD5       1483e9d1bbe1f3e95323fe3ec6abf81e
    SHA1      7e4353694a28e94d39a99d68ab3e80ee645b40c4
    SHA256    95c3f0fd7af0cef8512af435e093db497b7bb24cfdc9f540d7a5111f55efcef5
    SHA512    97c837a88a05364e67f17b95aa38ed705e064e13657bfe1b1cf54e04ffd9e80bb2bd71fa3d98e4bc07237cd6af238bb1e6856cee051406108da9fd34aac3a9e4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\d636f567-3cd7-4851-aa91-94f628b4674d
    Filesize  746B
    MD5       f30cdb8a326063d4b9e1ff8a05f09d4a
    SHA1      b9a1d7043a236f11ef42fe79e400ec8f294603dd
    SHA256    2b2816bdf90fbd41bfaec925507b828f99ff8ba145cc10b4c6415473744062c8
    SHA512    1e0c3a9f7e69e1645eae47c1b256d03e376f33347b00e4f8912a8a359076c476730928bfd865f99b08100fc54b17533a9f08b0561ac05e8c0488b8e114bac9ec

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs-1.js
    Filesize  6KB
    MD5       f8090e33624edd1cc6e84649f067fcb7
    SHA1      8ca4f7c9946ced67eff18136a319e1aa60b709aa
    SHA256    f36325cc8d16503ef19ac6325af2c1f4273c0d0610f67be8ed42b5bcc7a76901
    SHA512    f6311061e62ecd4393e3f4458a5c64dc3f5ae6d4831d6428a4c0f9aa4d7d31bfd3a3d5e085a6cb7206ffb51a56379e374c5737df3334bcd4087a6f2deea126dd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs-1.js
    Filesize  6KB
    MD5       03439b58270f35cbc865d1dd34b7645a
    SHA1      d3eaf10a05822e5ad7c3c59b1f27a72c6b6be2e7
    SHA256    bcd380bcd3bb7ce024d8948b2b6eedf11f78cf7a8a6b941246886538e68b3591
    SHA512    78e34c7f7fb98c1c0dec90ab15583cfb50ff829ee3ef6495ace3a8a9e80149c651351df5435e34e688d6d9d7837dd9ee2cdd6d38ee719e5ba56a20f2a2d06163

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs-1.js
    Filesize  6KB
    MD5       0026f04806b5b82c3cf8b2f4dc6c40cf
    SHA1      4ca2e8d948246deda3259f4b967db81f0707b579
    SHA256    7551480609cb1edf3a8780af851a014c693561d549769ebc30977c91a38b00ba
    SHA512    170506f4c09268c38fb17b6c5771c3d8975c141760e61e9348e082915a15dc0c3337975c10dc20b9cf5ec73ba8fc7c4b87dfe3bb2ec5ed37a712be1cf9fa12d0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  1KB
    MD5       cae9a1669f473c09b83459e8276b8d92
    SHA1      052144a3acb5b2a26899873d96d7316d12014a55
    SHA256    0e50f57f9f44597eda016aff8d805dd02cd8aa6cc77c4991e8aa19f12b10257b
    SHA512    750108d4f4f2005663a9c2c1c2e5f2d51c98ba79d7a30a551a1d2b806a06e1a115236a43dc802725daad3b67d6312a5a3a9486909a7f9e177cb70cc8a78ffa59

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       bf19401fc46eb10d7f2df3f3243b9df3
    SHA1      5b223fdcce262256663483256d021a06bcbbeb88
    SHA256    c4aa4885f5670058bd7e3b85a7b78b083672b7a6101662e6ea69fe180e4e80fe
    SHA512    c2fad6a75df405a58ad4e8e02ce130e51acfd92a735f59b2cd1ec61fcba17d55a9297e6caabbec38465e541002b9cd9e82a6c7cfa6aab4243774fcf6e170dd42

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       e02512bbd41d8cc5a7647d89ace5c154
    SHA1      83eee1543eb39088443874fba49ffb6435d66854
    SHA256    4f3d9ee2cd173b04714660377dd32eb70c5f2197938c9923a3da3f8d1b6f7a5c
    SHA512    69c7387efda1303d81c88b99a7dbbc27203d4671bb733b9983795e2fb46f3f3c81f1a10fbd754c49ace707b322429a287af1235ee26b7cab29f32dbdc6990a6a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       42c678b89cdec5846f6cf1d80a30f83d
    SHA1      2d139b77bb7df4ef5e136b3ebe472121911d20c0
    SHA256    6891676d84d54e073e934ee5df4c60fac5d112ad5590db832625cdc510764f8b
    SHA512    9346b581d20a58ab86c22a2a339c698b2d98207c2d57176de5d3518fabb99f18e2ae6a99ce20098c361745a3597daace299468b74ceb9bdc973f5bf008fcfefd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       16c04b62752a167fd95fb6765aebb49f
    SHA1      9c13f64e322e32715777322618e59b29bba189b3
    SHA256    f9b76d8ca0bedfa93a90b8c50a2aaf749e30caa2fe13a8e5ea7f65f76de38107
    SHA512    546c2eb1bcc02e21eed72b07a638da66d0e88b6f2a2287a0409aaef6bd1762fa7280ba7e2528f482de1ceee0f22a39f567c0991d760a287eaf6fa2b4491e9526

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  2KB
    MD5       84435221d4ba625f19af21bf87498e8f
    SHA1      d63fbd9615cc9aea3773e144035575d15f1a5da8
    SHA256    e257dd5a070f74c7a5d5fa88c7d0734ce3e87d350450523631fd02b695e447b2
    SHA512    adb8d387a048e8b9a4e8f77faaa3dfe87cca1ce144d979ac7cb60ba1b7a157908f83b9ba56e91a523c257d6bf50b79e3c1bf1f658924b26c67c7e9d4bdfba839

  • C:\Users\Admin\Downloads\Seturp v_43.HLkI-s2D.4D.zip.part
    Filesize  1.2MB
    MD5       5a7ac28c8df452254d058cc1ef77671a
    SHA1      63c534913347ece74348ecc174f8dd1d761e2dc5
    SHA256    cbff66ae1ff672c8d5f1ec362020d679d679c91ca2b6af6ad30c6b29194af8d9
    SHA512    0f4ce808181f57c6ea86e0b50b3980324a032b43edbfedb8a7fac1b6f6be941156173c767f773ec92d3ccd2d00a60f25e4ed9543f2b87f89b6ef880d5d11d689

  • memory/1576-13-0x0000019A02420000-0x0000019A02421000-memory.dmp
    Filesize  4KB

  • memory/1576-5-0x0000019A02440000-0x0000019A03440000-memory.dmp
    Filesize  16.0MB

  • memory/1576-15-0x0000019A02440000-0x0000019A03440000-memory.dmp
    Filesize  16.0MB

  • memory/2980-0-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize  148KB