Overview

overview

10

Static

static

10

1bc44eef75...91.exe

windows7-x64

8

1bc44eef75...91.exe

windows10-2004-x64

8

1bc44eef75...91.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe

  • Size

    114KB

  • MD5

    3f4a16b29f2f0532b7ce3e7656799125

  • SHA1

    61b25d11392172e587d8da3045812a66c3385451

  • SHA256

    1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

  • SHA512

    32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

  • SSDEEP

    1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:sBOoa7P2wxlPwV1qPkSuqC

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 58 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1048
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.0.891212571\1541550415" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1200 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6de58a1-ce6e-44d4-a72a-1b904fbfe5f2} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 1300 105d4e58 gpu
        3⤵
          PID:1632
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.1.1072359249\1629682784" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c10c8ca7-8f61-4346-b3db-088c93cf47f3} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 1520 edec58 socket
          3⤵
          • Checks processor information in registry
          PID:2736
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.2.1132335728\227035812" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcddcf74-eced-490c-90a1-ce769428e620} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2060 19d37458 tab
          3⤵
            PID:1036
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.3.255271638\1614865209" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 1896 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cc19c32-ebbf-4707-bb7c-2754e823e41f} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2448 e61f58 tab
            3⤵
              PID:2088
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.4.1014536269\2044936792" -childID 3 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {661b0ace-7bbb-4fb8-9c1d-99531d154bbb} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2948 1d53b958 tab
              3⤵
                PID:576
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.5.640322718\58138610" -childID 4 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eba20a45-93a6-4269-9aac-39bd1a3b0f43} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3764 1fdccf58 tab
                3⤵
                  PID:2944
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.6.1810786535\1776526323" -childID 5 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab371c1-6213-4eb2-9a9f-7a04a6090b1d} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3860 202c7558 tab
                  3⤵
                    PID:2384
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.7.989164535\1400541320" -childID 6 -isForBrowser -prefsHandle 4060 -prefMapHandle 4064 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 628 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeadbf60-d796-4f33-86e1-e542d105a052} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 4048 1a13fe58 tab
                    3⤵
                      PID:3068
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  1⤵
                    PID:1992
                  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
                    1⤵
                    • Drops file in Windows directory
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of SetWindowsHookEx
                    PID:956
                    • C:\Windows\splwow64.exe
                      C:\Windows\splwow64.exe 12288
                      2⤵
                        PID:1000
                    • C:\Windows\system32\taskmgr.exe
                      "C:\Windows\system32\taskmgr.exe" /4
                      1⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:2528

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Filesize

                      51B

                      MD5

                      56b174894d09d677fa4eeee8099df2a7

                      SHA1

                      b450c4f7ffacc7999f67b4eb7a7d8ca0b3c50f2f

                      SHA256

                      b2ad934b4d608bd50be17cd8ba8918b3361cd13168f8e607ea55d6d0ae885b24

                      SHA512

                      f89caf3d1caee164003113f3f6117e827fb6b3a8478eb22f1b161582d658d0731fb8ecf845e1d400e122be055f5ae6f6bbb2c6ecfa9c253e02cb1fb254d7fda2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
                      Filesize

                      20KB

                      MD5

                      f8bc0a1e3548df64155aa1055f041c16

                      SHA1

                      772fadd5487933066dd87e40fac04c3ee6ea11b7

                      SHA256

                      38956ab71d7660e5b22b23e9adccd7348f20d93253df777df1c40471d80b72a7

                      SHA512

                      df61396bb99f61385ca9efb493d93100c126fdf5364546fb4024628256cf4a45c71208577788d56e0b7638f61c96d63fc5e581987f1193be39f2799fb4851a80

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      79ea6e881f617a7e44ae8ab284161e72

                      SHA1

                      34a398a9c450ab2cad0f1462c05b9b679f95005f

                      SHA256

                      1abcbd0880ac6e9b572e155972f3c7e5135f7f1d04aabef1bc0adf4665e09e0b

                      SHA512

                      c4958bc9c6bb48f8d7a505e40a8754ec26dfc811efe4cc7787b662b35fb9280061ee411e4a83f873c69e534bb071bc65b207cba3f6144e57d6d020ef0b0eeb53

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\0f8de41b-5002-46fd-846f-6a8f8e0481e2
                      Filesize

                      11KB

                      MD5

                      1f43fb7f9623164a6b2a1fe72514cbad

                      SHA1

                      4207433ab03bc193f198a0ae79c191a1a8e4f512

                      SHA256

                      7ada94f6abaa03c01ef72855458bae613b86be176eadedda664e86b669f3e588

                      SHA512

                      436e7647d38737cede6d0423055ebdafdabd9720575fe7b0514a71ab292895eb9a0bfb918dd0588de86d4c6f461fd7a632bee4f4d8e9d401b65590eaa59c2d7e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\3e97dd4e-4bce-4816-8aea-b1dd6e6fa3b0
                      Filesize

                      745B

                      MD5

                      cad2b47d74962d78c162711bb1948e5f

                      SHA1

                      af5f90a94275efb5756fef738c0aee19aacb44ce

                      SHA256

                      32f98163b3a642f4cfcf313b236bcbb6d256617bb691851870cfcd7ed0c27a82

                      SHA512

                      ced994a22be16f5fe7d57ad7d1a807f23217f1e5ce776e53fb51df0b1a602e3f75d20848a931ef89ee836e0f092e55610014f2677e2c7cb5448999a04331b123

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      bd0a670e2c4401da89624fbe5aa5508b

                      SHA1

                      016f2c4e7684ded7e0ffc00458be4fd23b680670

                      SHA256

                      27e29fc1362dfd76cf658f7bf43e4dfea75e6d23ccc694fb812a3d3ec2fb9f12

                      SHA512

                      b4e9b0dc7d82932cacda86b79f5cd24cc9d557e57fac7455d90f44dd9bac72dc1c2dff1c6b5d3e4dfe51d1b41e4f99934d2c87c51ace6d45022cdd7485adf69a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\sessionstore.jsonlz4
                      Filesize

                      831B

                      MD5

                      879ebb0c735989f551533dd18cc7c0a0

                      SHA1

                      c66da610338a9679960da8a2c277da23dd4e30f1

                      SHA256

                      35c189daae9dec2266370031839cff418ed6b72c9a9ea83c1be56cf012bdd8fc

                      SHA512

                      ee922dbbcc393a64ed451891e8495285165eb0e56bb3f37310225d36d426e4cbdc5a490665b480edb26cbb37bd8a39a27c21a8d400198db214bcc664bc4b0057

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      61625e08d46f701e176f01ac6019ba19

                      SHA1

                      a23a1a970054b95fa38fc681b34783e274e60636

                      SHA256

                      02e7bc0088f846134437f4009c5fc36bbede046616c33b37e3728513a0e1dfdb

                      SHA512

                      c7de69aef9bc8e4ae14cb402a9a2de0867071568f8160b2d625358bc08c6a9f318c2fd0553f7de6dcec03df749a6313048b8b2c41cb2e3eed5544937a57e8fff

                      Download Submit

                    • memory/956-160-0x0000000070D3D000-0x0000000070D48000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/956-159-0x000000005FFF0000-0x0000000060000000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/956-158-0x000000002F3C1000-0x000000002F3C2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/956-196-0x000000005FFF0000-0x0000000060000000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/956-197-0x0000000070D3D000-0x0000000070D48000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/2528-198-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2528-199-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2528-200-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download