03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010

Resubmissions

05-03-2024 00:49

240305-a6harsad24 7

05-03-2024 00:44

240305-a3zewahd8z 7

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

5.0MB
MD5

e9a24c7a42f9b296cc1e31dc3ea73b2b
SHA1

06e9607fb973400f0f110854ce90382965cd43d9
SHA256

03ee5437a1dad818f417db18dd50e16bc08c890b442874d841cd1a6a643c4010
SHA512

48af794e0042ce3cea37ff11e3f9b74d0a8e463018fc827d7ef459cc58252a5f436632c19b5d4674a6b54f02543005a294ef94f86d46d1ecff574ba6fab0464b
SSDEEP

98304:XrdCegVSGMzByLXMfivQayGnOht5RTc7kjRX1LNNDw7:waGMlyLXvvQdmmt5RTcGzLNe7

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3384-0-0x00007FF7FE3C0000-0x00007FF7FEDE0000-memory.dmp	vmprotect

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1868	ipconfig.exe
1420	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1812	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	2140	firefox.exe
Token: SeDebugPrivilege	2140	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe
2140	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3384	Loader.exe
2140	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 3792	3384	Loader.exe	90
PID 3384 wrote to memory of 3792	3384	Loader.exe	90
PID 3792 wrote to memory of 4216	3792	cmd.exe	91
PID 3792 wrote to memory of 4216	3792	cmd.exe	91
PID 4216 wrote to memory of 1252	4216	net.exe	92
PID 4216 wrote to memory of 1252	4216	net.exe	92
PID 3384 wrote to memory of 2900	3384	Loader.exe	94
PID 3384 wrote to memory of 2900	3384	Loader.exe	94
PID 2900 wrote to memory of 800	2900	cmd.exe	95
PID 2900 wrote to memory of 800	2900	cmd.exe	95
PID 3384 wrote to memory of 436	3384	Loader.exe	96
PID 3384 wrote to memory of 436	3384	Loader.exe	96
PID 436 wrote to memory of 1812	436	cmd.exe	98
PID 436 wrote to memory of 1812	436	cmd.exe	98
PID 3384 wrote to memory of 1864	3384	Loader.exe	101
PID 3384 wrote to memory of 1864	3384	Loader.exe	101
PID 1864 wrote to memory of 1868	1864	cmd.exe	102
PID 1864 wrote to memory of 1868	1864	cmd.exe	102
PID 3384 wrote to memory of 2576	3384	Loader.exe	103
PID 3384 wrote to memory of 2576	3384	Loader.exe	103
PID 2576 wrote to memory of 1420	2576	cmd.exe	104
PID 2576 wrote to memory of 1420	2576	cmd.exe	104
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 3804 wrote to memory of 2140	3804	firefox.exe	118
PID 2140 wrote to memory of 1868	2140	firefox.exe	119
PID 2140 wrote to memory of 1868	2140	firefox.exe	119
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120
PID 2140 wrote to memory of 1936	2140	firefox.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\w32tm.exe
    w32tm /resync /nowait
    3⤵
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill /IM RainbowSix.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.0.1525608579\956491162" -parentBuildID 20221007134813 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22a1ce74-c4a2-4620-90e5-9b40707ae870} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2008 23b99fd8a58 gpu
    3⤵
    PID:1868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.1.1829726559\1351989243" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca6fc3b6-b7ce-4ad5-af1c-6ffd28c7a4ff} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2412 23b99cfa558 socket
    3⤵
    - Checks processor information in registry
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.2.674347876\592019822" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 2960 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd93e9fa-ab83-4a0b-8a11-e3a21d8a8f89} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2956 23b99f5c358 tab
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.3.1168940524\1503979780" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14efc1bd-9373-47d5-acea-821e45af408a} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 3576 23b8d568458 tab
    3⤵
    PID:1592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.4.730840072\1654827134" -childID 3 -isForBrowser -prefsHandle 4568 -prefMapHandle 4564 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0281991b-b219-42dd-9fad-c8efb16257a3} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 4580 23b9fb42958 tab
    3⤵
    PID:3640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.5.136627909\722971382" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ada50716-efe5-4648-88b5-54d567485034} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 4864 23b9c591858 tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.6.707879140\733208342" -childID 5 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce40583b-e601-46e6-b738-e67aa22962ed} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 5312 23b9ff92058 tab
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.7.1725207175\568405870" -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d57bbdec-24ec-4464-98ac-24e2f9a16f5d} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 5584 23b9fff3158 tab
    3⤵
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.8.888359370\1805256439" -childID 7 -isForBrowser -prefsHandle 5392 -prefMapHandle 5872 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd58cb66-ea44-43fd-b470-2b142700641a} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 5316 23b8d56a258 tab
    3⤵
    PID:5532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
66103af54d7e16da34af1db2034d9269

SHA1
6c6abe857f9addd886ac9ba1424bfbac038a113e

SHA256
0dfb835d8aa82fb50fdac778f3dec214870c1fa5506143eeae4b67e28b8079d0

SHA512
75749829dcf7bf67540df9bbb5db6c29645af6ba4d9f50e6f64a115cefa63b173810bbb48ff8a754d8838254619fa99f580e2910ba6a44a5f1f36921d578b7fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\fab7a7df-e18a-4ab3-b1ba-909ebaab6a63

Filesize
734B

MD5
9ea20fb082b351ccd03dfa7b5cb37fc5

SHA1
b7799e80ddb014dd03e29f227917c0c2a270ec18

SHA256
4fb572a06979b3fcfc335e15f60a6c3630bd3b3c41082c9fd8ebc1251efa8dcc

SHA512
390e7c749fc6204178a0f76e5726b3979c131f13ce103205f54b2c7bf7d1fd8d60920eaf2304d852f58c5a4e00de93615144e42f154654583d0fec907f455ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
66c7c64183497310a8b8ca619a0426cd

SHA1
78d0d0c961440e20f0986c3015277bc5f7de7716

SHA256
2acf3fdb5592cd73d29e1e8a7a6fba083874d223ba1e24aae7d094093fec78c3

SHA512
00e13c1a4d7a06a412300f9c1c0d9d90065bc8e59f0e4354336258bdffcee7537ebe238d8d191b5b39b36725a24a83400294819b0f4de2fef8f9958a7c993b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
285befc1c78342dc7c88d0396378a718

SHA1
063fd769e5693d2bf54b598f02459aefe3959436

SHA256
24908b2665e39480b5fcb9b190b711b118eefe31304b1511a14798bb5d1de8fb

SHA512
d5491ad61ae6d1f9a2a5312600065fea52831295f405faaa0a06aeb3eb1c6bbc6515cf5ddbf18cf4cd7478210a4438d947e234fc40ad80902670435375ceac23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f90890452fc52b4cee6b9b30a6c636b7

SHA1
714d483ae702b18d74887e2afb08a1571e73af5e

SHA256
ee34b7e4d561e3b926b84b47d4599c4760c6ef539c8bde2ff5fc1082b6d533dd

SHA512
b326c130ebb677f09a49d8a0b47f0ace81a5dc7f3694e7b590861d9342c6f988eca9dc1521b71744a825ed435194de179fb2df79408b2e3cacd5c811c8f9c45c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
a68c59b8381891bc52a080025ebf18a6

SHA1
783ec0cb8ce3b19d8309c6bd5ce17ecf5b0abff3

SHA256
608d377177e89cbf7c34bc7a4ac520e34e4efac9df2b7291b4be73f6ef059020

SHA512
0961c8dde8f34ea771f4257a0d04117710eec35227741fcb24ad5d251c11d5e36ed82d59c94acd6bd8cf7534c9d3540ea7f217a929aa6df4aea075303110cf24

Download Submit
memory/3384-0-0x00007FF7FE3C0000-0x00007FF7FEDE0000-memory.dmp

Filesize
10.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads