ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add-certs.cmd
Size

3KB
MD5

5ac423d78077c6ec8d99974dd9681d11
SHA1

0d91d80de298fb008f522ed95842932bb92f6099
SHA256

664e3b7b27995e01fd31dff1699b39b995c0e9efebaefa16247669eafce08e08
SHA512

dce34c3dc7bb2cec567be2e12c0362be260c59b940efc869a2421f647af9ce847c4793c86f5a155206c2d41c40ee07144b81992f629ba8d9d2644834effdbda9

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs

pid	Process
2036	certutil.exe
2040	certutil.exe
2444	certutil.exe
2584	certutil.exe
2288	certutil.exe
1808	certutil.exe
1432	certutil.exe
2724	certutil.exe
1844	certutil.exe
1256	certutil.exe
1980	certutil.exe
1976	certutil.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2036	2168	cmd.exe	29
PID 2168 wrote to memory of 2036	2168	cmd.exe	29
PID 2168 wrote to memory of 2036	2168	cmd.exe	29
PID 2168 wrote to memory of 2036	2168	cmd.exe	29
PID 2168 wrote to memory of 2040	2168	cmd.exe	30
PID 2168 wrote to memory of 2040	2168	cmd.exe	30
PID 2168 wrote to memory of 2040	2168	cmd.exe	30
PID 2168 wrote to memory of 2040	2168	cmd.exe	30
PID 2168 wrote to memory of 2444	2168	cmd.exe	31
PID 2168 wrote to memory of 2444	2168	cmd.exe	31
PID 2168 wrote to memory of 2444	2168	cmd.exe	31
PID 2168 wrote to memory of 2444	2168	cmd.exe	31
PID 2168 wrote to memory of 2584	2168	cmd.exe	32
PID 2168 wrote to memory of 2584	2168	cmd.exe	32
PID 2168 wrote to memory of 2584	2168	cmd.exe	32
PID 2168 wrote to memory of 2584	2168	cmd.exe	32
PID 2168 wrote to memory of 2288	2168	cmd.exe	33
PID 2168 wrote to memory of 2288	2168	cmd.exe	33
PID 2168 wrote to memory of 2288	2168	cmd.exe	33
PID 2168 wrote to memory of 2288	2168	cmd.exe	33
PID 2168 wrote to memory of 1808	2168	cmd.exe	34
PID 2168 wrote to memory of 1808	2168	cmd.exe	34
PID 2168 wrote to memory of 1808	2168	cmd.exe	34
PID 2168 wrote to memory of 1808	2168	cmd.exe	34
PID 2168 wrote to memory of 1432	2168	cmd.exe	35
PID 2168 wrote to memory of 1432	2168	cmd.exe	35
PID 2168 wrote to memory of 1432	2168	cmd.exe	35
PID 2168 wrote to memory of 1432	2168	cmd.exe	35
PID 2168 wrote to memory of 2724	2168	cmd.exe	36
PID 2168 wrote to memory of 2724	2168	cmd.exe	36
PID 2168 wrote to memory of 2724	2168	cmd.exe	36
PID 2168 wrote to memory of 2724	2168	cmd.exe	36
PID 2168 wrote to memory of 1844	2168	cmd.exe	37
PID 2168 wrote to memory of 1844	2168	cmd.exe	37
PID 2168 wrote to memory of 1844	2168	cmd.exe	37
PID 2168 wrote to memory of 1844	2168	cmd.exe	37
PID 2168 wrote to memory of 1256	2168	cmd.exe	38
PID 2168 wrote to memory of 1256	2168	cmd.exe	38
PID 2168 wrote to memory of 1256	2168	cmd.exe	38
PID 2168 wrote to memory of 1256	2168	cmd.exe	38
PID 2168 wrote to memory of 1980	2168	cmd.exe	39
PID 2168 wrote to memory of 1980	2168	cmd.exe	39
PID 2168 wrote to memory of 1980	2168	cmd.exe	39
PID 2168 wrote to memory of 1980	2168	cmd.exe	39
PID 2168 wrote to memory of 2088	2168	cmd.exe	40
PID 2168 wrote to memory of 2088	2168	cmd.exe	40
PID 2168 wrote to memory of 2088	2168	cmd.exe	40
PID 2168 wrote to memory of 1976	2168	cmd.exe	41
PID 2168 wrote to memory of 1976	2168	cmd.exe	41
PID 2168 wrote to memory of 1976	2168	cmd.exe	41
PID 2168 wrote to memory of 1976	2168	cmd.exe	41
PID 2168 wrote to memory of 2084	2168	cmd.exe	42
PID 2168 wrote to memory of 2084	2168	cmd.exe	42
PID 2168 wrote to memory of 2084	2168	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\add-certs.cmd"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -L -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1980
- C:\Windows\system32\findstr.exe
  findstr /i "AddedByUser ca.cert"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -L -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1976
- C:\Windows\system32\findstr.exe
  findstr /i "AddedByUser ca.cert"
  2⤵
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db

Filesize
64KB

MD5
f246333f077ea7b490a063eeb7e22913

SHA1
bf10c0615b50279b3d75ef83fe8c594d4868f95f

SHA256
3af11109e80d49b16554050e2d90565d1e849512f4279445b6b8f6a80bc41dc6

SHA512
da7abc23817a8cfebe3b970a28eaef0eb97b6750439c56bcabb1e6e85056050c8291a17ecab6f7b98193ac30c0554d673321eff138ca03c379860113c85f9c45

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db

Filesize
64KB

MD5
54026638677f2ed4d24a452821a5be4c

SHA1
9653ec968c1c2595a343f9106a3e7546bc454df0

SHA256
2522bb7036f417d293f7c978c414bc463efd281d218d51f90b6d973e3da104cd

SHA512
9fe10855179f52dd2f7d3be1fb10f84c9e707b8b6580753f5a21c3ead859463d800906da0424b8ff3ee1f59c734d7ee65c31a2af0701f2e2c6627978b7fefa81

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db

Filesize
16KB

MD5
f6cd36aaa8773caf03a15628d8943951

SHA1
b473fae3265f2023f91396529dce3224dd2b505f

SHA256
ae6d6cb4716eceb1447850ee6105e982718c8710c1488bb709338cd074715222

SHA512
f32fb28353590c98d61d79afeef7415023542f2833bec43d4df68ee696c5a95ad10160d9d94d3434792b0301a942037bf61f021f82941231ed043a9b43dda7f6

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
13KB

MD5
72f4b5f1d161c1ec50693cd2f57340fa

SHA1
0d558b1c2701bdd4b5095183b8723de4b9cf012f

SHA256
ab250dc9456c82fa836a6918b2db2b3e715bf4beb7613889689e5c19d6801d4e

SHA512
b31483cd6c8c2098641e291dd9830a21d2c82e40e81682c8d26fb9d9ea4e977d92c4734f00b56ae1438e8a43f0fdcdc7b22bd9ed16e773f6d373fc1944f5f18c

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
9KB

MD5
e45c3fb0f28fe6590e3d75c785e65c1f

SHA1
d96690392e6428cac59bbaa9b2bcdbac27e683e5

SHA256
020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421

SHA512
be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt

Filesize
480B

MD5
55f9a6dca041467d61ec63f314c1fcc1

SHA1
60900d9f7a0280c4658dc5ba630bfe9cdcddb57b

SHA256
98c1ca2204b41fe090cf2273a5ec1bc5f74d69eead900ddcfc3958613e59a4d1

SHA512
10e86f5ef2c51798f9214bd5785a50777398efd35531caacaaebcc343f869bf332d1402d55a7e0f235bb6aa6da8075b02e9218f5789f0dbd60bb315bac95993f

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db

Filesize
16KB

MD5
02a3b00dafc8c7fb117bfcb1de9859cb

SHA1
c0dbc33717ea22ca740e6039fd3459d614599a74

SHA256
38ada995217652d8e48eb6b8eb49e84a0b246ca336254b669285207db61622c1

SHA512
b9e425df73287de15714930e8236cd4e4624887d6193d6ccb5f37850b31e94bfbd737992817bd8b47ecacfc04948207e6bb71a3ff5e30caa41472826d7d44a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin\cert9.db

Filesize
40KB

MD5
ff56eb28f74d652ec0a1bc9f66597ae9

SHA1
35f2f1fb0bf68e2acc8e5eb24e97c8e6b6d066de

SHA256
832d4489d5b1fb22521c4895881e7db73dd8043f3415f5731e214153830afbb2

SHA512
73f5143c2c4a1804ee81048328132d1c2315a5f65032511cdb507f4b74581816805100be1ec00555e51a60530bc115a25da1221a2673bc2a21c7f73cc7e78f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin\key4.db

Filesize
13KB

MD5
a4e8a9e0d4ec660065de34b44411690c

SHA1
7eed8beda009e9e73a8808e76b8e2ccfae8f8631

SHA256
dc1e4b7041d8225428a6b0653cb88e0e8f03184a6f4231557f7b28b6ae13b410

SHA512
b445a88244740fad3570e7de19d81e4b3c345c0081e164f9fd2310a0f0fcd9e734a7ce986c890663603ccddfa7f298491b0ea2425f5338771327d7a517b048f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin\key4.db

Filesize
13KB

MD5
ce360839bcf8852391708c026fd5bc5a

SHA1
f619f68481f3591813df820f48e0cfd91fa090f1

SHA256
14a9f868f45da43038c3b8d4be80c2e427155c2256107dca70eb71ea7ffd6d96

SHA512
070f67815dee2609181131edc1be9ca0e0fff214e19e528488143cb1861133f91ed07316617180d2c647d504993a846a443615089923281e753a090e87b2bdc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.Admin\pkcs11.txt

Filesize
496B

MD5
094763edd0733ff8a00f111556aea228

SHA1
1d9c2e5545e10d741d2ebbbcbb6a80715a662581

SHA256
d1663e4b909be60b96a8dc2c1bace2d6a64b7134dab0e1e7bb31581893e4f900

SHA512
3720d947426818b38372ee3ba955675cceb3c6bd54832ca3623b07e40d28b492a75e3163b35d46732fc6f504662383b10e01f2341544d5eab4d919796de1f1f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\cert9.db

Filesize
224KB

MD5
fe510473b70e2cdf334a53399273411b

SHA1
5da99b5fe62043529d26d6e0bd3d3ba0173c7143

SHA256
d135248bf3efb0c987b042912eba2511c5b9e969e2c1c126171a02610c27037d

SHA512
a5054f620a910bec0b164d62434dcb80f121cac66e932d9d52aa5563d01e5bbd304984d5101fcddd3fab576db60a1ef8d1d3ad7b1b85afd2f38c952b19ebd4a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\key4.db

Filesize
288KB

MD5
193e2675a07fa76e64649c3c47abc022

SHA1
9bdc50220f79cac972cfb3fc9743ef7f5b8e441b

SHA256
3102721846020772c2359ef8bc13e61421b488c9ec359beb8c8962c77f5de0b9

SHA512
22ab9b640964311033cd746996f0a9d59f7b8fabefc320a7733080e1fdef001d57fd63d59f603a0aa1333d055732da9cbe0ec4441cc411cbe4f7fbf526e5244d

Download Submit