1ce4e65938c05f0e03c20d26c8bcd671f2767a0bf11dae07b446e2b5b5d7a8c2

Analysis

max time kernel
205s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MinerSearch_v1.4.7.0.exe
Size

655KB
MD5

9e8c69d4c9d9be3b4a5675bc6da439e7
SHA1

767b7987ad52668520a44f6b183fcaeb01329351
SHA256

1ce4e65938c05f0e03c20d26c8bcd671f2767a0bf11dae07b446e2b5b5d7a8c2
SHA512

3673c5f5627635e4dc178d076abac5f55946ee5bea85a1390cccd086596db6a1a20ce9339b273c95a6c7d4a5c834488d157602948000c82802277fab80fd5607
SSDEEP

6144:LhZKWzws9ow1N7cMPddOCSYEsuYH8vRRyclCLDMRkMa6WrZY0AFQ+CQbN02GQZa5:9cMPddOCXEssvRRycILwqMaug3Xv1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
4424	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4472	dialer_YjczZWJi.exe
1256	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
3552	dialer_MjIwNzU0.exe
3732	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
4920	dialer_ZTBiYWZk.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
4960	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
1864	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe
2940	MinerSearch_v1.4.7.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1268	MinerSearch_v1.4.7.0.exe
4424	MinerSearch_v1.4.7.0.exe
1256	MinerSearch_v1.4.7.0.exe
3732	MinerSearch_v1.4.7.0.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	MinerSearch_v1.4.7.0.exe
Token: SeRestorePrivilege	448	7zFM.exe
Token: 35	448	7zFM.exe
Token: SeRestorePrivilege	2936	7zFM.exe
Token: 35	2936	7zFM.exe
Token: SeRestorePrivilege	4816	7zG.exe
Token: 35	4816	7zG.exe
Token: SeSecurityPrivilege	4816	7zG.exe
Token: SeSecurityPrivilege	4816	7zG.exe
Token: SeDebugPrivilege	4960	MinerSearch_v1.4.7.0.exe
Token: SeIncBasePriorityPrivilege	4960	MinerSearch_v1.4.7.0.exe
Token: SeDebugPrivilege	4960	MinerSearch_v1.4.7.0.exe
Token: SeSecurityPrivilege	4960	MinerSearch_v1.4.7.0.exe
Token: SeTakeOwnershipPrivilege	4960	MinerSearch_v1.4.7.0.exe
Token: SeDebugPrivilege	1864	MinerSearch_v1.4.7.0.exe
Token: SeIncBasePriorityPrivilege	1864	MinerSearch_v1.4.7.0.exe
Token: SeDebugPrivilege	1864	MinerSearch_v1.4.7.0.exe
Token: SeDebugPrivilege	2940	MinerSearch_v1.4.7.0.exe
Token: SeIncBasePriorityPrivilege	2940	MinerSearch_v1.4.7.0.exe
Token: SeDebugPrivilege	2940	MinerSearch_v1.4.7.0.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe
448	7zFM.exe
2936	7zFM.exe
4816	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1500	firefox.exe
1500	firefox.exe
1500	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1500	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3428	1500	firefox.exe	88
PID 1500 wrote to memory of 3428	1500	firefox.exe	88
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 5044	1500	firefox.exe	89
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90
PID 1500 wrote to memory of 2956	1500	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MinerSearch_v1.4.7.0.exe
"C:\Users\Admin\AppData\Local\Temp\MinerSearch_v1.4.7.0.exe"
1⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1268
- C:\Users\Admin\AppData\Local\Temp\MinerSearch_v1.4.7.0.exe
  MinerSearch_v1.4.7.0.exe -x-
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.0.1430207762\2101971118" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a724b259-8321-423b-92be-3983c0cae53b} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 1948 23e2fae7858 gpu
  2⤵
  PID:3428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.1.1083100808\2075010982" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2970b4-1039-4c8a-98f1-c385f0e6b513} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2348 23e2f43de58 socket
  2⤵
  - Checks processor information in registry
  PID:5044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.2.1046744425\849554120" -childID 1 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e44c9a5-1124-439a-9676-ddb8f8521464} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 3584 23e33490658 tab
  2⤵
  PID:2956
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.3.1917855465\1966731474" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 3028 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1eceab8-7a4d-4a77-8608-0c449e12d7be} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2952 23e1bd62558 tab
  2⤵
  PID:2848
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.4.946442355\502852587" -childID 3 -isForBrowser -prefsHandle 3456 -prefMapHandle 3268 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9128a5ae-1614-47d5-b3e9-d88e8c177e97} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2968 23e326fb158 tab
  2⤵
  PID:4668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.5.710296297\910213464" -childID 4 -isForBrowser -prefsHandle 4588 -prefMapHandle 4584 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {914c10fb-f379-4a8b-a073-efe6f7588fb7} 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 4456 23e1bd71058 tab
  2⤵
  PID:2332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  PID:1216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.0.1546434114\819314946" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7093529-7fb6-4ad9-9b1d-848ab50d8ae8} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 1864 1b616cd9a58 gpu
    3⤵
    PID:3232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.1.1639619969\800254346" -parentBuildID 20221007134813 -prefsHandle 2284 -prefMapHandle 2280 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91509225-8dd7-45e4-8d98-3613d04c7383} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2320 1b616c03558 socket
    3⤵
    - Checks processor information in registry
    PID:60
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.2.1501652658\671998120" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2700 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {600cf369-f4b0-4656-8998-84158f95e5a4} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2704 1b61a3c6c58 tab
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.3.1748978385\1665727688" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2940 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9252fa48-6c93-4f60-b59e-33dc006160ba} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2904 1b60a362b58 tab
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.4.2071500963\613994905" -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 4260 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a06d9246-2a90-4cc2-bd1e-506e66ee704d} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 4276 1b61bffeb58 tab
    3⤵
    PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.5.1998122125\1163674841" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e73ca57-c62f-4b0a-9fee-90342be4ce07} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 4764 1b61a906b58 tab
    3⤵
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.6.447586119\1113500360" -childID 5 -isForBrowser -prefsHandle 4788 -prefMapHandle 4320 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d95409-7605-4594-b97a-f14e5b5f7e69} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 4808 1b61c458658 tab
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.7.1743766194\801848789" -childID 6 -isForBrowser -prefsHandle 5088 -prefMapHandle 5052 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df24d346-6ae7-444e-9775-cf3d8caeafcb} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 5112 1b619031f58 tab
    3⤵
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.8.1404161045\1697249846" -childID 7 -isForBrowser -prefsHandle 4328 -prefMapHandle 3168 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d68c7858-8166-44d2-9c9e-070479ba7f78} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 4516 1b61c6e8b58 tab
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.9.1810970258\911523990" -childID 8 -isForBrowser -prefsHandle 4848 -prefMapHandle 4836 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34220ee0-96bc-4bbf-a07a-b1a62c983605} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 4800 1b61e10d458 tab
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.10.56156512\1180616592" -childID 9 -isForBrowser -prefsHandle 5396 -prefMapHandle 2852 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {404ef2fa-9877-425f-921e-440992e44582} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 5452 1b61e929858 tab
    3⤵
    PID:1304

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:448

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2520:102:7zEvent27941
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4816

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3864
- C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
  C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4424
- - C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
    MinerSearch_v1.4.7.0.exe -x-
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\dialer_YjczZWJi.exe
      "C:\Users\Admin\AppData\Local\Temp\dialer_YjczZWJi.exe" 5
      4⤵
      Executes dropped EXE
      PID:4472
- C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
  C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:1256
- - C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
    MinerSearch_v1.4.7.0.exe -x-
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\dialer_MjIwNzU0.exe
      "C:\Users\Admin\AppData\Local\Temp\dialer_MjIwNzU0.exe" 5
      4⤵
      Executes dropped EXE
      PID:3552

C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
"C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3732
- C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe
  MinerSearch_v1.4.7.0.exe -x-
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\dialer_ZTBiYWZk.exe
    "C:\Users\Admin\AppData\Local\Temp\dialer_ZTBiYWZk.exe" 5
    3⤵
    - Executes dropped EXE
    PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MinerSearch_v1.4.7.0.exe.log

Filesize
859B

MD5
e204f3d12abd1691ce1f149399441188

SHA1
798042095539abfe857e456fca4e1035f67d29bf

SHA256
685f70bf685f654651dcd0acc495b6f52f02f73cc3ca8b3d2c8433aac9ba144d

SHA512
804c5ea57a59f86fd0c34479be4c479230bff79093548e8461758829928969da565c211ccc9cb9befa0fef15f0400a5b1f17d5ddf88aef6ff01b67a191176b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dialer_YjczZWJi.exe

Filesize
4KB

MD5
ca09151858dc7bc064a061347615d210

SHA1
cdf19dc471e36a8c23502c20087c8ad267670521

SHA256
4905e70485c5fa91e7cdd450efc6d9fe0e6e475c88715c9f571682bc47ad0da0

SHA512
cc4106f4612b9d065039cd549e3668d7021b46fbb374eb02ac20d3a95345789f2d595e1e340112944b9272ff25ac7a4a4bce7f9dbc1e7fc4192f9ae6d882c551

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\prefs-1.js

Filesize
6KB

MD5
1d1c2682794895bcffdae2e7b7c010ec

SHA1
60f0741b69c68bf5ca74697618d2d6b87bd3c70e

SHA256
9da7f2050cf9dbc5af136cf384dff133478ad228af9e510b1f3e3eccb2615d78

SHA512
996dcbcaaf7124624f18c144f4d8fe6912f58fc665177171949fbcdec31f5737737876a8290b3c4a451d1ff560f518b07d2e0176b4124f2808e580e0897bcc28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\sessionstore.jsonlz4

Filesize
448B

MD5
9c965ef8bde4a55dd585e41f149309b5

SHA1
1ceb32ec0cceec5d783206b389619b1a17666453

SHA256
944493a382f13fa0e9c66d4e2aad9612fedbe686583077de9bb1ae8f1e63d7b8

SHA512
dc498028e18fb54468914ec7f97111f1e2329d15bc7f97118295264bdbdefdad3527abf078c06adfb7e6a681e738e57ee41ea1182bb15ac15f07c6591fddfa5f

Download Submit
C:\Users\Admin\Downloads\MinerSearch_v1.4.7.0.exe

Filesize
655KB

MD5
9e8c69d4c9d9be3b4a5675bc6da439e7

SHA1
767b7987ad52668520a44f6b183fcaeb01329351

SHA256
1ce4e65938c05f0e03c20d26c8bcd671f2767a0bf11dae07b446e2b5b5d7a8c2

SHA512
3673c5f5627635e4dc178d076abac5f55946ee5bea85a1390cccd086596db6a1a20ce9339b273c95a6c7d4a5c834488d157602948000c82802277fab80fd5607

Download Submit
C:\_MinerSearchLogs\MinerSearch_11_14_2024-05_27.log

Filesize
4KB

MD5
5d051bd6656fdb43c6fc2f89563fccb4

SHA1
2e2dbf92be8de8cdcaa51ceffeb147dc28e416b2

SHA256
abc34a57f036d29cec1626726699d176f84a3dff2196e8c7a4c56cc0ae7bfe60

SHA512
35fb2209a980f1d2d2f1c55f73f1d05b00b55e0ef688f2c367a57a99ed3df54dc587f784b144e1b62ac999e271fa187354b4b981ce31b94193cdf8ab0262e30d

Download Submit
memory/1104-50-0x000001C456FD0000-0x000001C456FE0000-memory.dmp

Filesize
64KB

Download
memory/1104-42-0x00007FFCC8950000-0x00007FFCC9411000-memory.dmp

Filesize
10.8MB

Download
memory/1104-76-0x00007FFCC8950000-0x00007FFCC9411000-memory.dmp

Filesize
10.8MB

Download
memory/1256-469-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/1256-448-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/1268-41-0x00007FFCC8950000-0x00007FFCC9411000-memory.dmp

Filesize
10.8MB

Download
memory/1268-14-0x000002194EC10000-0x000002194EC20000-memory.dmp

Filesize
64KB

Download
memory/1268-0-0x0000021934510000-0x00000219345BA000-memory.dmp

Filesize
680KB

Download
memory/1268-5-0x00007FFCC8950000-0x00007FFCC9411000-memory.dmp

Filesize
10.8MB

Download
memory/1864-449-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/1864-464-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/2940-492-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/2940-470-0x00000236B16C0000-0x00000236B16D0000-memory.dmp

Filesize
64KB

Download
memory/2940-468-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/3552-462-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/3552-463-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/3732-467-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/4424-85-0x000001D7C0940000-0x000001D7C0950000-memory.dmp

Filesize
64KB

Download
memory/4424-87-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4424-84-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-104-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-103-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/4920-483-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/4920-484-0x00007FFCC5A40000-0x00007FFCC6501000-memory.dmp

Filesize
10.8MB

Download
memory/4960-90-0x000001BD686F0000-0x000001BD68700000-memory.dmp

Filesize
64KB

Download
memory/4960-445-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-363-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-88-0x00007FFCC5430000-0x00007FFCC5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-89-0x000001BD686F0000-0x000001BD68700000-memory.dmp

Filesize
64KB

Download