Analysis

  • max time kernel
    16s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07-03-2024 08:17

General

  • Target

    cr-piriform.exe

  • Size

    440KB

  • MD5

    5ddc3474f5a1a20b33db76a83818518b

  • SHA1

    3e1014cd25ea3d7274ed2c8e2c8690b2400db81b

  • SHA256

    99f0875ce316761fe9dde48b1313486ba59e257f2db08d8040bee5b07067010c

  • SHA512

    2fa027d0a3d30d843337676d90a911a45f0e55620d951f12f1849a7d476783c4d20169fb1e5b85e8658b9607da0936aa2d2b609c68c4dccdfb5be232d7774309

  • SSDEEP

    12288:JL9jNy/nNFGshtYpG61yX1ri4rCmdjsKmF8H0aX:dAX5upkX1+4rrdAKmF8H

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cr-piriform.exe
    "C:\Users\Admin\AppData\Local\Temp\cr-piriform.exe"
    1⤵
      PID:3740
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.0.360052325\936022297" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1592bd68-b9d2-4b9b-9660-341a6a4a6097} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 1780 227c2bf7f58 gpu
          3⤵
            PID:3340
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.1.1173324722\746570904" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {721d6f8a-e786-45e3-844b-bb906ee392f9} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 2136 227b7b72e58 socket
            3⤵
              PID:4928
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.2.1041511084\664080827" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2824 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7639018-87a9-4c53-9269-8d0c291994fa} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 2812 227c6cb7958 tab
              3⤵
                PID:3264
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.3.1654018999\1957745045" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d7c59fa-13d1-4d53-9cab-4acedbc63f30} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 3500 227c561f358 tab
                3⤵
                  PID:3196
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.4.1823505945\645580641" -childID 3 -isForBrowser -prefsHandle 3888 -prefMapHandle 3876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df845dda-6f79-4161-8ec7-8143c6c6ae53} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 3900 227c74c0858 tab
                  3⤵
                    PID:4104
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.5.1464296448\1371527760" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4716 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2a8d61b-e6a2-474a-9622-c269e68df53a} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 4748 227c74c1158 tab
                    3⤵
                      PID:924
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.6.21148102\780244139" -childID 5 -isForBrowser -prefsHandle 4924 -prefMapHandle 4928 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2910da42-27ad-44df-a87b-1ccf51575e9d} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 4880 227c9056858 tab
                      3⤵
                        PID:3792
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.7.1441018956\353598989" -childID 6 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {303b12b9-0be6-463c-86d9-1471d5e43f15} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 5060 227c90ea758 tab
                        3⤵
                          PID:2640
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1052.8.1461447391\2067165706" -childID 7 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78727333-2503-433f-8b99-a1c328abef22} 1052 "\\.\pipe\gecko-crash-server-pipe.1052" 5664 227c8b9e358 tab
                          3⤵
                            PID:4708

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vxeeit4v.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    a50cc5729b72c7ec0e19025e81cb2e61

    SHA1

    2f498b6b0481ddd40825b4eb5020a24d067bf6e0

    SHA256

    28dec3b4f3e82e8bd92b99b2edd15ed02614bd6af033489c83e0c906cbb35be1

    SHA512

    defa911bff5dfc80cc447561407aae0d2bdc9895a99d2398a4dd84fabd9dc87c60cac07f340194258d64cdff5c5548c6fd86d8e256ca000c640ac7d993d104fc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vxeeit4v.default-release\datareporting\glean\pending_pings\59060151-5aa6-4108-8ca8-2ba5cf068796

    Filesize

    9KB

    MD5

    696f1611fa17000843df94041dd6b214

    SHA1

    fb2b06749595e4a11c197e8992b18ca1edefac8e

    SHA256

    2766d0bc251ccf6a2a33eb2f657ad4ed3a7553fcbfdc92175cc522918f1d8784

    SHA512

    96f5cbc992909abe34fd393a20dac658348aa8ab997d8e0b537f9ade87d9d58400e84a8263cd008fffe05422bcd8685ceadcb3f470049ba8942b724f49a64b06

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vxeeit4v.default-release\datareporting\glean\pending_pings\903c65bc-078b-4aeb-9585-132a16a14498

    Filesize

    746B

    MD5

    5936d450365c96bce127e8be282ee808

    SHA1

    82816c3c25247b417ca72f78991fe54f045d6c28

    SHA256

    aaae41b919c8021abb3bab257ce663bce87747927b5e91b95b91de8e37e0f739

    SHA512

    e34abf96b276ad418a0794b2ad3585232feb235852335ac6e1b93daf7496cbd794aa637018efd82c865adfb1cca5c43fb6d34d96cd8392a43213099483802533

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vxeeit4v.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    3KB

    MD5

    54e1a5fdbc5c1a4ebfd59bcb599d9fb5

    SHA1

    9f7267da33fc9890bcd31eb1cadb05801b391425

    SHA256

    fdb6af451ea7e44eda74a1df6335f49d34579ef8d694ae25d9fe973934d46d0f

    SHA512

    e63b47416ec6af835f19fefceb0b1fc46568759da78919d164e8fa2f00986371cc49af8e6fc5a43f6a78a7557e1a0f10192d0455545dee6c06a85814718f6c30

  • memory/3740-0-0x0000000000840000-0x00000000008DC000-memory.dmp

    Filesize

    624KB

  • memory/3740-3-0x0000000000840000-0x00000000008DC000-memory.dmp

    Filesize

    624KB

  • memory/3740-116-0x0000000000840000-0x00000000008DC000-memory.dmp

    Filesize

    624KB