ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add-certs.cmd
Size

3KB
MD5

5ac423d78077c6ec8d99974dd9681d11
SHA1

0d91d80de298fb008f522ed95842932bb92f6099
SHA256

664e3b7b27995e01fd31dff1699b39b995c0e9efebaefa16247669eafce08e08
SHA512

dce34c3dc7bb2cec567be2e12c0362be260c59b940efc869a2421f647af9ce847c4793c86f5a155206c2d41c40ee07144b81992f629ba8d9d2644834effdbda9

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2352	1656	cmd.exe	84
PID 1656 wrote to memory of 2352	1656	cmd.exe	84
PID 1656 wrote to memory of 2352	1656	cmd.exe	84
PID 1656 wrote to memory of 3692	1656	cmd.exe	85
PID 1656 wrote to memory of 3692	1656	cmd.exe	85
PID 1656 wrote to memory of 3692	1656	cmd.exe	85
PID 1656 wrote to memory of 2092	1656	cmd.exe	86
PID 1656 wrote to memory of 2092	1656	cmd.exe	86
PID 1656 wrote to memory of 2092	1656	cmd.exe	86
PID 1656 wrote to memory of 4036	1656	cmd.exe	87
PID 1656 wrote to memory of 4036	1656	cmd.exe	87
PID 1656 wrote to memory of 4036	1656	cmd.exe	87
PID 1656 wrote to memory of 1164	1656	cmd.exe	88
PID 1656 wrote to memory of 1164	1656	cmd.exe	88
PID 1656 wrote to memory of 1164	1656	cmd.exe	88
PID 1656 wrote to memory of 3512	1656	cmd.exe	89
PID 1656 wrote to memory of 3512	1656	cmd.exe	89
PID 1656 wrote to memory of 3512	1656	cmd.exe	89
PID 1656 wrote to memory of 4500	1656	cmd.exe	90
PID 1656 wrote to memory of 4500	1656	cmd.exe	90
PID 1656 wrote to memory of 4500	1656	cmd.exe	90
PID 1656 wrote to memory of 3572	1656	cmd.exe	91
PID 1656 wrote to memory of 3572	1656	cmd.exe	91
PID 1656 wrote to memory of 3572	1656	cmd.exe	91
PID 1656 wrote to memory of 1068	1656	cmd.exe	92
PID 1656 wrote to memory of 1068	1656	cmd.exe	92
PID 1656 wrote to memory of 1068	1656	cmd.exe	92
PID 1656 wrote to memory of 2640	1656	cmd.exe	93
PID 1656 wrote to memory of 2640	1656	cmd.exe	93
PID 1656 wrote to memory of 2640	1656	cmd.exe	93
PID 1656 wrote to memory of 712	1656	cmd.exe	94
PID 1656 wrote to memory of 712	1656	cmd.exe	94
PID 1656 wrote to memory of 712	1656	cmd.exe	94
PID 1656 wrote to memory of 1644	1656	cmd.exe	95
PID 1656 wrote to memory of 1644	1656	cmd.exe	95
PID 1656 wrote to memory of 3776	1656	cmd.exe	96
PID 1656 wrote to memory of 3776	1656	cmd.exe	96
PID 1656 wrote to memory of 3776	1656	cmd.exe	96
PID 1656 wrote to memory of 2452	1656	cmd.exe	97
PID 1656 wrote to memory of 2452	1656	cmd.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add-certs.cmd"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
  2⤵
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
  2⤵
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
  2⤵
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
  2⤵
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
  2⤵
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -L -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  PID:712
- C:\Windows\system32\findstr.exe
  findstr /i "AddedByUser ca.cert"
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\certutil.exe" -L -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
  2⤵
  - Drops file in Program Files directory
  PID:3776
- C:\Windows\system32\findstr.exe
  findstr /i "AddedByUser ca.cert"
  2⤵
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db

Filesize
64KB

MD5
f246333f077ea7b490a063eeb7e22913

SHA1
bf10c0615b50279b3d75ef83fe8c594d4868f95f

SHA256
3af11109e80d49b16554050e2d90565d1e849512f4279445b6b8f6a80bc41dc6

SHA512
da7abc23817a8cfebe3b970a28eaef0eb97b6750439c56bcabb1e6e85056050c8291a17ecab6f7b98193ac30c0554d673321eff138ca03c379860113c85f9c45

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db

Filesize
16KB

MD5
f6cd36aaa8773caf03a15628d8943951

SHA1
b473fae3265f2023f91396529dce3224dd2b505f

SHA256
ae6d6cb4716eceb1447850ee6105e982718c8710c1488bb709338cd074715222

SHA512
f32fb28353590c98d61d79afeef7415023542f2833bec43d4df68ee696c5a95ad10160d9d94d3434792b0301a942037bf61f021f82941231ed043a9b43dda7f6

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
13KB

MD5
3eacbe406c6f9f9352b8548e5095a8b4

SHA1
7b0f757c8db2eb15a6691f727e71f024803b5cfb

SHA256
c208d8bb1568b65ac81e62e19ba5e838b7935b111f4a99fdf057c557b3d2d211

SHA512
886ce8edbc3acf7c6e7afafa1511aeeb42623c5bc6cdbf39328b19a247e2460ecef24d29484e89aa90da8726a8509e0a5a10e27f5138f51df83006b91f39fcda

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
9KB

MD5
e45c3fb0f28fe6590e3d75c785e65c1f

SHA1
d96690392e6428cac59bbaa9b2bcdbac27e683e5

SHA256
020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421

SHA512
be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt

Filesize
480B

MD5
55f9a6dca041467d61ec63f314c1fcc1

SHA1
60900d9f7a0280c4658dc5ba630bfe9cdcddb57b

SHA256
98c1ca2204b41fe090cf2273a5ec1bc5f74d69eead900ddcfc3958613e59a4d1

SHA512
10e86f5ef2c51798f9214bd5785a50777398efd35531caacaaebcc343f869bf332d1402d55a7e0f235bb6aa6da8075b02e9218f5789f0dbd60bb315bac95993f

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db

Filesize
16KB

MD5
02a3b00dafc8c7fb117bfcb1de9859cb

SHA1
c0dbc33717ea22ca740e6039fd3459d614599a74

SHA256
38ada995217652d8e48eb6b8eb49e84a0b246ca336254b669285207db61622c1

SHA512
b9e425df73287de15714930e8236cd4e4624887d6193d6ccb5f37850b31e94bfbd737992817bd8b47ecacfc04948207e6bb71a3ff5e30caa41472826d7d44a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\cert9.db

Filesize
40KB

MD5
ff56eb28f74d652ec0a1bc9f66597ae9

SHA1
35f2f1fb0bf68e2acc8e5eb24e97c8e6b6d066de

SHA256
832d4489d5b1fb22521c4895881e7db73dd8043f3415f5731e214153830afbb2

SHA512
73f5143c2c4a1804ee81048328132d1c2315a5f65032511cdb507f4b74581816805100be1ec00555e51a60530bc115a25da1221a2673bc2a21c7f73cc7e78f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\key4.db

Filesize
13KB

MD5
eb11d32902cfb486ded867c19f7cb024

SHA1
5e255412af8f76bfef60e0848ed698fca9d618a5

SHA256
bf7efe6fbffc0163ea2f262a1b27b249c09545f41dd952b455758f9852a0df79

SHA512
71a88f576061a9cba838180c93d3aadb3959f9c4212448f12071091cd92c737f63f9b92f113560f530560bef1f61d9704bf6f1247b6d285dd76748a410afd7d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\key4.db

Filesize
13KB

MD5
1a0bdef33798f58b6c8f31a2c58aed84

SHA1
06d82104c39517a16a4ae62eb3a8563593183c7c

SHA256
20730ec506223713664782f884bc79fbba6b30244ba922076349cdc522487a1b

SHA512
8a737fe50d61c11bee327624bfdfdf5bbbb9b0a86646b06f45bd75607a4cea1a987eede0746c3ff456d13997b4e59f282815f6f91f41c97d1de615b504876a1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\key4.db

Filesize
13KB

MD5
667565566a94c0f624ea9dd657105c88

SHA1
70ec741cbb7b709376b7e28c37976002628d1870

SHA256
1c836e66aa564b4a7234ad2896af33e976886166cc9c7a4dcb593d4128bdb6c1

SHA512
4d121d089b3dcbe83bf75304be6de55142841e3f30857f4689560af08f767dfdd6e119c838c8dd7c088287f31b7ba427992d056c80482b383cea89251dae8064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\pkcs11.txt

Filesize
496B

MD5
fc3e1d31138688978672c81b07b78833

SHA1
86bdb179b7bd31ed4c6e906f262cd641e572754b

SHA256
6cdf54f160a2d6f987e275b3652c50b56fde1c97bb40dfa4c18d67d880d6b15e

SHA512
9b4ca717474f038e893be5d54dfad08bfb321e56b0625f70d05d1fc5156c96f5b81e4e2ae73642488d5df42586c862eb62b1e3ce74b87ac5e4994a21313b52e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cert8.db

Filesize
64KB

MD5
54026638677f2ed4d24a452821a5be4c

SHA1
9653ec968c1c2595a343f9106a3e7546bc454df0

SHA256
2522bb7036f417d293f7c978c414bc463efd281d218d51f90b6d973e3da104cd

SHA512
9fe10855179f52dd2f7d3be1fb10f84c9e707b8b6580753f5a21c3ead859463d800906da0424b8ff3ee1f59c734d7ee65c31a2af0701f2e2c6627978b7fefa81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cert9.db

Filesize
224KB

MD5
d2abb73f86ea2aae66da1b66d2f46af9

SHA1
319a3ea5b95a2f9c38ac6669546622f78266863f

SHA256
1d8d183e6f6df9f30e5f11a77a52cec8b5afadded8b1ea5160a8aff7e39d861d

SHA512
af6829bf20b4f6eaf71cd1c64a31b3ddfb0de6f4f2e9c55432fc289ff7a2beb0a7fa82396af5169672a793659cf5a594c7fdda77c3105be8d982d42f3a544e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\key4.db

Filesize
288KB

MD5
f75ee180287a2ede142aa60f9adbc763

SHA1
fd76ce358047b60a0720456d4ab1ff42de05c8a3

SHA256
9f320c376767c65f15a9cfb3b16540ccb836abcd6fa8f8db6352a3c702385ecd

SHA512
d4e4c6a700fd234d485af5ba14144e61c06e5e0a6866540dd2376e35d740f3e5fc7bd6c6a16529172fdec525790f7e956fd9af01c977402af3fdb86f49bc1d59

Download Submit