Analysis
-
max time kernel
182s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-04-2024 19:42
General
-
Target
New Text Document.txt
-
Size
63B
-
MD5
adb25789180be3c10c4cda8310f54e19
-
SHA1
1bfea39823c884dcc0de2e250aedc78910ed1261
-
SHA256
71e50018bfd5def4401af9dcdb6097f904f812d73e60c3584f626caffd0b65c5
-
SHA512
adba6066f18863b689c42267de2a2deac7107c07f3c8d5ad995dc5683f750fca8734dd94435ef15bf95a32becae08a2eb9073197e2c345a2a66ee7e9a5fb01e1
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.0.796407909\1493339702" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef0a51f4-9db0-401a-8d57-5a1d758f3d0f} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 1920 29fe94f4258 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.1.2137400591\1048626999" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccf80a0e-5624-40ae-b614-836c884b9758} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 2360 29fdcc71c58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.2.1391250664\52882615" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9306558e-d084-4938-a39c-297df9febc57} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3020 29fed5ebc58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.3.965721177\101217197" -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 3176 -prefsLen 26145 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd4c680-a3a2-4351-a5c1-259adcd16531} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 2860 29fdcc70758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.4.18757629\1000930281" -childID 3 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26145 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05959c3c-a150-4420-b5eb-f7ddf2ec5e34} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3848 29fdcc62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.5.2071702559\1121011504" -childID 4 -isForBrowser -prefsHandle 5012 -prefMapHandle 5048 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b2c98fb-5cca-4fa7-99da-472d53de70fd} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5016 29fef9b7558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.6.159389884\413631520" -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae8cb3bf-51e2-4c77-9b99-b82ebcaac6fd} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5140 29fef9d3d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.7.1314881698\1908886069" -childID 6 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c746b69-05b3-4c4b-ba24-4b953201519e} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5344 29fef9d4958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.8.238141508\1510027050" -childID 7 -isForBrowser -prefsHandle 5932 -prefMapHandle 5928 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44482c8c-f86a-4c00-bdac-ca951e7fd6c7} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5940 29ff0e8fa58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.9.658262920\1630339929" -childID 8 -isForBrowser -prefsHandle 6176 -prefMapHandle 6240 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3068d63d-988f-4850-88ef-b5bab3defe46} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 6264 29ff2254d58 tab3⤵
-
-
C:\Users\Admin\Downloads\Spotify.exe"C:\Users\Admin\Downloads\Spotify.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD54821f2e40704df362f75686ae8dd06cb
SHA12331cc1fe740febc252d0b3267f6e7584d772daf
SHA25629389b43c2c4321e18b4ee879fc51de4767f7143cbec0f7b7b1c3d7dbdd32237
SHA5121e6a1dec381ce3676d5a7b815f88fa93de4c9094f9c2a73ae561505c204e96ac91004a261abf9a6613acc353b3cb47521df847dd7405f37bb9cebf39432a1ca5
-
Filesize
746B
MD5abc8cf334cac9e01141b1a6ca6628d42
SHA1e90614955af3c15b5ac746b806ebf43cfa5dccbc
SHA256d8d9793827ef1a24966be832e528a5ec59391fb9cc0b123dd34e5efc82ea5418
SHA512510d4f9d53f8627347bc2608dd188cbba73ecc5b21c0dfe8d2f1e6549f9b42d8de456e196ce9156d2e105cc62dd303ebfb479693202b5a154c30b52c24333819
-
Filesize
11KB
MD567565a7e9abc43aa70290201cf8e0d03
SHA1fcc0496d9c98577602cde700446e4feae708b49a
SHA25664e3cf303217c8027fd62edf170d0d2096a4b36af1eeffd7c5c3c1108dca9485
SHA51265720e89fc0ebf0df1195c45af2df9b1f89b14c8708047cd0f709a78588a0bc892109f87375ecb87f88a9019ab697e21531023acac18624d86dad3785f8c80dc
-
Filesize
6KB
MD5fd17c246ebf2ff7f4de256272eec1fd4
SHA1bdb680d5cc3a2ecdb946998f04b89a0fddb9d16c
SHA256a7209e2d0845a499cd1ce9219646a1f887b673c0ecd6c00d8c92832bd8960970
SHA51238daf978ae5539f67fd347da27a9112c1dfabd6fe39f76eeb34263f44ba81599509b0efd8f3c2be5f9b4b16d8889bac1f843a2ef633655872aa6eac7610c344c
-
Filesize
6KB
MD5ac69e4e387ca4688b424d5aaf140c777
SHA1218203efaa44d21ea8b67df040e366262fa0e001
SHA256445f10d676f559220ebec6469dfde9b8f2c28d1389ca11bca116a01d4cd769af
SHA51260740002737e7bc0e5ef234e595502276086c8c6225525aecc597bb031a6df2fe02f831b043845c9bb30e962d297e52e6028941280430eeaf30442684e0b058f
-
Filesize
1KB
MD54f095984e42bb5b26eb785ec7487c56d
SHA119188ffdae8f75a42b740109650131d0f1006d2e
SHA256b27edce2fbe6766c35411604bffa929ad223c7ab1132e353df01758bf04ce7c3
SHA512c6e91329f875a414f674fb2ef135263850c28f6df4ad41afd99406100022e4ef293b24e47df2bc0b44215b66e80ae04fb1caed085f07e38c89b4e63141c8092c
-
Filesize
1KB
MD55c2b6199679686f246806bf73b07a347
SHA189ca45df2f2dbc66c38fbab4fa9b50805ff28088
SHA256bda1bf424ab2d8bc27909a864620afa0ec3b5a05b73398e212ebb4d25f739ca7
SHA512b159dbc1580a477de1dce2a1a3e4bfb0f00b4e02cea3ad2ef4cc7d87dd178ec063b6f45a57836ce2d31be167f8ca224583afc213ca4fe34c29139c53868d1f15
-
Filesize
7KB
MD583ed8f129e9eebe72776338d8a79e756
SHA160d917f73529c8c7c972da0efcc8f9b88447280e
SHA256b27915df4e62bced1d41997f98d15ef1d9a8cd87d1a930dfc180534c8200f582
SHA51226aa082b87e77f5f7ba5e81cfc680d8cf1d990ed6d3c7b0243b6e526c1177ad71bafdee8b8bdf4229dc895e3c6970ddc9548ce73f3ba9330fe4582f8bfec49df
-
Filesize
7KB
MD54c3e25e88db3f9bcd9acb233f69ff61d
SHA12c318924b1e3897c8c3042941f6bd1ba71ead392
SHA256c3f1f143cde7cacd976fa5a9f497ac5a60dcc0270a67b2d0762d3eedb98efb03
SHA5121cf0bde501c220bea6a030f6a31f9d7e339a0ed6f087edb9697e9b80b8f4f94734e7fe081653e6822fe109d3dc94e34b5a8076a63ad66cb70643286a287a021a
-
Filesize
184KB
MD5b0457346a9d086c7c9545faa25e79687
SHA1b6f13ccb8c78aa4fef5790bb9a702c1e5ae0cd4b
SHA256e42821faa9f20bd2e875544109bd1edc6ae06a13f4a31861878877205ba29bcc
SHA512a13156790c00db62b59fd66cad93f011dadac9ee7aab01c3c08c78f1caa37c6152a73193f1847a1aece0a3b72685c9c5bb73f47b9a99f44a4c8b384d50dd12cb
-
Filesize
64KB
MD5993d34f02918ad4f852c1712fa63e8a6
SHA15ce3a8dde3f1599a2db4d6dc03df7da4096d5c32
SHA256c49bd50deaef3cd024e7bd2faec030271fba5f343b814205e8e56e4e03d483d7
SHA512188dd8fc06ed12d1bd7418109a6a119de828340612c5fb9e608e8f0af1611e9e67eb03084dcdcfd6b9ad4c44a727a94ac71d4de43d135bd14a40d01412244258
-
Filesize
1.7MB
MD5937bd53a5f505b8e9b00416590ad8d92
SHA15abece11f9d282ec009bf441f132676344f1ede2
SHA256662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36
SHA5122027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB