Analysis
-
max time kernel
235s -
max time network
233s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
22-04-2024 08:53
General
-
Target
0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe
-
Size
56KB
-
MD5
214add3ebdd5b429fda7c00e7f01b864
-
SHA1
7cead6f1e4c4b0824365268cdd5d168acf56265c
-
SHA256
0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909
-
SHA512
6a3541878c3134d7dedbf9dc182cebf12689aa4b4d3f2b4071981175db79114a66336e6f41e73ede21d8c80ec42fec7fd48b17698df0e28feeb81df4d53b6219
-
SSDEEP
1536:qzwshK8pUMGxo0xwwW9VemFMGfpbbVDoANyCa:wwshK8yMexbW9vJVDoANs
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 10 IoCs
-
NTFS ADS 2 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe"C:\Users\Admin\AppData\Local\Temp\0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909.exe"1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.0.410433366\401266351" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1176 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e722c3c-92f3-4a94-92ce-c46092708380} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1404 fcd3458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.1.1545999586\1020657343" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4802c100-1560-494e-b1a2-2375bc969caa} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 1556 e630158 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.2.1376284676\1113999325" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2024 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfe2489-378e-40bb-807d-4c3fe1766513} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2040 17183258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.3.809851999\109766144" -childID 2 -isForBrowser -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eef928f1-493c-45c4-8fdd-41e927211c17} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 2496 e62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.4.835365866\1876534657" -childID 3 -isForBrowser -prefsHandle 2556 -prefMapHandle 2544 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {953984d3-00c3-4629-b386-fc1ed0905dab} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3064 1cac6458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.5.999235069\127725067" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76f55ce2-e9a3-4377-ba87-f2c9c3dda098} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3784 e61658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.6.64579045\1473133508" -childID 5 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f5bb0a5-7875-4907-96cc-449789e8dff0} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 3960 1e8ade58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.7.1407257796\1050975809" -childID 6 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e612b4d1-5705-4abf-a56c-938d5640a97a} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4008 1e8ae458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.8.755594030\1528011911" -childID 7 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c907faf9-fb61-45a8-be10-20317340c345} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4436 1e1e7e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1896.9.383339822\1209836963" -childID 8 -isForBrowser -prefsHandle 4384 -prefMapHandle 4400 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b022536-3c74-4dc3-861a-3ed2c861df8b} 1896 "\\.\pipe\gecko-crash-server-pipe.1896" 4364 e5f258 tab3⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_Exe_BOOT.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_EXE_BOOT.IMA1⤵
- Modifies registry class
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_EXE_BOOT.IMA"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AntiExe.A.zip\Anti_Exe_BOOT.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5a062c25b6b4fbb592fc4b66226ed95d5
SHA1f59ddcfe6056ca7d482af6f9273ed23c8fce2ad9
SHA2567913b37c89568f5952bd0dc49257f465c8def02d30919518249b65c8106eb4de
SHA5126a4c2fdab9b1d40ec71453e4b4223a5b8f583be17da5118475edaffd35ac11e67161e778d4d2d6334ce3344dec661306e35e593a3301d72735bec06a859c46e7
-
Filesize
16KB
MD5154fc854356658c9c2d026e7f89d5a9c
SHA1a4cd2de8d6bb1b62d6df283b274ecb843514b265
SHA25657ad23a4ea89cc8902d0d294e2e65f79f45758d9279c0ca2ef80ed0d264512f1
SHA512e36aa5168f61d11ffb7d9a311e330b00dc1ab9374844fcdc930be41f32f0d38e9ee1275d43420b6385e9d17eb0c3fca557efed3a9e85a56bb7799be03c2969a6
-
Filesize
13KB
MD5617824f788c43031cd4568cbe54e5a39
SHA1853ed48e423375b72af95c2a1858a7e7bdfa9cf7
SHA256c8aeeaf0258d3e86cfdc2ed57ab8cedba46ba2616e41c521d7f5059a31feb923
SHA512b20c723cc8c6fea528fd42c92d975c5810d0e9b97e76ddf59e734cab53b683c904ccd8ccce6d72daa40aad5a8fa3d81b1001d9750fe5628bf8293050d66c6152
-
Filesize
16KB
MD516b84e3eaf52aadc657d882f39d49cba
SHA128a2f6562958b1c079171cc1cc3165dd3ee77504
SHA256503b027c1022e1502e64d7bc277dfb61d19084c4e21500ea2c93f9cbc303fa2b
SHA512887824e1a01f6eb1d7062b74b02b68d0de6131c2fe855c7357924160396cabdfd63b55e93484e296f5e78ecbe6f36fb477c090859b3e1be27bdbeb53d356ad52
-
Filesize
16KB
MD5069d93ec4f9bce976394607ceb3042f4
SHA19a70cacbe24625928a143e70a2a39d48945c5759
SHA256109c3cda196e73c7a0754be364d28e6e99f241a96e4e06067cda19ca8975cb04
SHA512e0282312dc16b1f3f15e502d427f9953382412e4f8dd2372648d375233675e1e261d724213f65662596195c8c7e3b44315e0411946dfdb3abe0314e3fdc1c21f
-
Filesize
17KB
MD536108556be9c21b454697cd0ca99a3f3
SHA18e55505e4bae65d423205681f69cd51111824bc7
SHA25691e0f2ffa6d45b61e68af23fbe8e2216ba05b875c18ec3a9bed707945d9dd154
SHA512dbcb6b6325a3a1d566fb67743b54213225cafe89283a057fd68d14fe97f93c77d1f689a37f6aab8812e141459f2f9f022baca7d0dd8e40c0eb619f3eaf00a855
-
Filesize
2KB
MD507b4586d783cca3fe556f5d61c10842f
SHA1e768cebc77aad60b68b5659a6e57b9f7e7e512aa
SHA256b87c2c6ec1d2e0ad6b644f2f0179bc85e563079568aa5ae8ef6ae154731880fd
SHA512e1983dc3e5940c9499618f34022cb9b339392f2447c427b371956cc4a165613134749ce741eda218dd60b2a082d4055e905db12a5eb8906ccd5e045cf8422597
-
Filesize
10KB
MD56feed068b7cd53d017af7671dbc72168
SHA1c5f05e9fa285a410fb6b8bfa96faabd3d8272998
SHA2564088f40291aaabdb8287c97cd1b10059b383977de0e0bf2a1c60e121ad4222d2
SHA512a6d257b38e077ec51f4b8cb44bfcf8fa5b67eb680bb66b4121b6089de448f70de43de6eabd69ff14cad6782cbdf5d92df29687f556648246f1b72b677136e833
-
Filesize
745B
MD545eaa9929b9b549270417a617cf26d01
SHA1c5b3f5e0c774cf3b7853b3bf3cdcb1baaf78359a
SHA256a2c85c9c8d972bf6f26666cbcbb56b95ffe127a83af16b4d889911db6f15e208
SHA512db7d629c1deb2e525c255104835d997c473c3caa06ca6613c613157383b8c3e4f0c54e9ad2fb7175fc5a0eb07fcaacd5a171dfeda6de18dd5efb3d5a2ee0bf88
-
Filesize
976B
MD5c35b7e7bec4044093e4cc0a977b43cbd
SHA1dbc423168f0226d43bd4467959921ea3d84917d9
SHA25623f23d68b33fce84968a7b83fcc66a627c39f8613891316ea0487877dbfcef9c
SHA512f5b5c563442a2bf46054edfa7f3b039a487179a255c92bcd67c8d321e2aa03d2b0e41f00e40c8c28a127217ffd318da46553f83e31abafad71fdd33b596e0a48
-
Filesize
6KB
MD50a650924b2d844490b3c54f9363501b4
SHA1d0478b5fd064ba3c41a89b60e7f7fd9d0bd1b992
SHA256a8526dd5f74b404662b937ba55701830bd44a19b816c0caf337e7ac867970fa1
SHA5128f5739ab584d5c8b31478699c79fd462c3ccf6c16c4792aad3b091466b5346700dfa8408326b6b8125cf9c1b3c78fcb9d7049cb0cd18edc2f8afdd66b79da3d9
-
Filesize
6KB
MD5c191fb974f0682b93f9700d507acab10
SHA1f881613e5ddf88a296a98dbf2dde54c3b2407b89
SHA25656f391b2de3daaba6ef289d7fb819f35f8411ef95f01b8d82a04a7a2fbf4d969
SHA5121c680f5169061746e144f97a9b6608f4f937ee815650fd1b7171ea9539dddc250f05fae92ec7bddf2ca3d55932e13ab54cc38a522ec85db903b13cdd8a23d64a
-
Filesize
6KB
MD53d74169eef07dcddf0682f3f2c8052ba
SHA1310f4d9a8e0b62fc4f4d7e5f7f586a2287b88eb7
SHA2567d4f0666a2f03943209cc9454aaa6c10d208a3675971f4fdf948301fcdb82d84
SHA51284f1bfbd0c19d16b06b1f4fa01dc55914813f200787a4c5bf88778dc187ec6e47a5dcd8337c0724ba1b6da94e53caed9047751fa6ba5e6607ebc6cc2ce2c9e6d
-
Filesize
3KB
MD54a9f3ee73695c66d1d990c64eced2687
SHA184c66ebac8268e87a2b4f57e06545e1f93d223a1
SHA256cc802b73271b89c1a5dd82af86e44ecf939fc86e95a2a3ad54dd4e11b415644f
SHA512ca1d0eaae11fd53b22685592a7c41f1004a13cbdeec614aec15ebedd1efda0f13f98b297e6a1c80b86536d5d32ddd0d5637d6ce485e1c79d6d9bc0e64fb4e39b
-
Filesize
3KB
MD55ce4761643f2c1632d3846262ad5dc8a
SHA1d344124c9e30126815d3ca15c0f951a223c6a27d
SHA2565a75d70313b73f19dba5532215a36726dfaa51daa219c5d7cefbe28a13f87e70
SHA5129227f426fc1e099cd83e1ed6f8f008ad653c2829c7299a5aaf48e25cc5293f5f8f0c4cf517b4d276a25d9b7f645c5155e725150de1648d1b91c8b6c4d7ed0796
-
Filesize
4KB
MD58fb83377c77d151fce5fabbc3d1696b9
SHA190f53515c77cb0ad91375b55cceed998d8506faf
SHA256268a86e40913f9af1946a3cc3cc8db72bf9710e7cd4c16dd162c9b86edbf3824
SHA5125e1960e602404a11643c062027ee58feefcd2c7d1ef3b8b1a0b911e4a47f23990ede9aecb605add857cbec7dbbdd29b008f1a614a4e98d75ec0d2505984b012c
-
Filesize
5KB
MD526306d9ba0598d1826947a8772331a21
SHA1d83f4eb8e63a739abb8314032e6946f1c0281b52
SHA25631d94563931b0bd212f9e2c1dd641ff1b7b677bc7503b5300e876150c47dd6e8
SHA51240e3aa150b01f9a00140546e75a82eee80d52fd18912b9ac9cca8052a0d7fdb8a3f49a0593cb2b22e768bc55241c6638ac02578a4f59b5019a607ad967c886cd
-
Filesize
5KB
MD56c4e6e3d550831396028d9b1a308ae54
SHA175027b09b09ee92fc84426e57c92ab265d6e4062
SHA2569a5f53ccf75eaa29112ed103c1d643f65b45f13214bfae3ce5294c306c5f3698
SHA51248c45e0558ef39f45df9b4c0779fff0eaba8c71ca5b94b12770142424a5ab9149d8abd2b2bc114854f0592446e350d5764136e72e284820c1f1939cfce820ae7
-
Filesize
5KB
MD54e10b5499772a2419d42d3aa3a2ebfa1
SHA1380089ff3caf9b1c06c0491bc3f9be74be6b56be
SHA256e9470112de759a74226b2826942f84d48bea9ffdd81332069a94c952b99f9bb7
SHA512232c4b5c14fcd9f482f342f518439b483ba30a9c6728709d070c4a394b6e0d8b4ddeabc689e78857cfb9ec6e8d02409b28a6105ae1375b7fe7db6e9150b1df3b
-
Filesize
5KB
MD5944fcf04f8b3cd13294e98951441a1d7
SHA1a94074ba1ed6edfe61d8eb6e626d43b582f8ddd8
SHA256ae0610e03940c793c429333e477cd24ddb8fa5420264136202f55cb6430bd28a
SHA51262c17bb84660262b70e46f5969afb7b410cec58abd451ac0d0500718eecae056cdce52386267230ce206e27c558bbb4b74ba6361ced04c7ebc92e6687e6625ff
-
Filesize
5KB
MD5f55acbfaf7201bb83a67f8134b5b05ac
SHA1c4b618db77f60e22b68fea36839b0962aa11e00d
SHA256ca65b317cb1823af52e8e8a2a818783d8baf273d0ab98749917be0153bb1803a
SHA5120ad0d7fc59527f67075c156941195249fba4a8f15648762b61f2f0c523aa9e0c124c2147e4293e7279455858e591fa91c1859a456361c1ac99d2d4ce9f2e5c09
-
Filesize
5KB
MD501b885a1f861ac2a93665b7188073b67
SHA13f192ba9a2048c7d31d6a0905c94d541e0833a5e
SHA25697e0dda61ebecbc41e42fa6f30cf63fc93e8dff41359d5f4ad478b6dc804db90
SHA512d029e6065aeee05033441be182d2caefa9f0a8e8ca2b7d2ec242c4608f482b10f16da2d1a9c579adff9d276973680d7aae0a3c854611a9cc85720c30159e594f
-
Filesize
4KB
MD53fbeaadddecfc565380f3a330360beef
SHA1deb49fc75624892773e719a34defea0d2195081b
SHA256e03210e3f5f1cd6a4c422ea8f0b923249f64c809006cb62c61dbcd5bcaade693
SHA51293732426642596acfc4645eff336cfe90801f6b3283c0d8fca8a8637ba9ee62dc74df1c3adbdbfe450a1a890411e7e0b21dca0b0c06c70714593e62785512fd7
-
Filesize
184KB
MD524ef81d1d44aa87a83cf61c79193617a
SHA1e6b8418868619ac3ff97c62a96e47e15aa069af9
SHA256b9028ac5b4d8e6226dae0eb9592fe45c58c930342ce4c5dadd743c188ef9b465
SHA5129e0de5268f5fcd0b8faad23dc0525c908c77f1f47c625d5a7029129805b4e34b5e28fecb2925b0eefd09ae7f809f3d97ff7926645a0e359945360e1a71529a0c
-
Filesize
15KB
MD5bac4c0dbbc4c6a51f7a7b086ea888618
SHA16666d820c32486a4d1e527256f52a87f2a6292bb
SHA256b1ca27a9b5dd1ec373e6370b81e957a14dbcde93317d882dac5be4c2aec41520
SHA512a2648eeec594f166d307c12331ea07c6ef752b92337c49dc5eb8a7d0a810f37e4e66477eb34e2614fd831d16b67094805f13e722433c7fcf66ff37f594213d77
-
Filesize
16KB
MD5b39dca2050d979919d6b6138f316799d
SHA135dd379debbc1d6d56fedf76b433eb6d9b47bf4c
SHA2563d3a9103480cd4131706372c5b3e61a99cf975a06bab62e892b33fadd6af6db2
SHA5120a32ce98f73a1dc1d119acff3b5e98ec016ea19bcedbfb27cba498b24fae14dd0587133df4cafca63c7f2dd53f93661f60e36d974c8bcfe2d53d1a56e757788c
-
Filesize
3KB
MD58cee47cd109adfa5c5816685af873909
SHA18fa3b60ea7b526b46ca22fa6544443a670a7de46
SHA25693861a8aa9a4f42489d029c64bc0599c208971891c70a9b2192b60e20c57d3bc
SHA512b24d2f10927d10520e017151c0184fabca08691119893fdc04852c7caa775fbcbad29c7e6a20517c7791036d42e18b0e4b4ded2babd1707546612cc12265007e