Analysis
-
max time kernel
73s -
max time network
80s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
26/04/2024, 15:48
General
-
Target
Fivem-Dumper - Main/main.py
-
Size
5KB
-
MD5
b72afa99b004a8f06584dbf587dabf20
-
SHA1
c5e65b15a78e3945b21efb566a80106038280c6f
-
SHA256
4b6bb98d6fcc2afbb2e29df64928f09d35eb9f13bfd3dda7ce41d5cc50399a14
-
SHA512
281e2a4b788b04911528f3c7d00407535bbd8b7365c8c61d8431907cfacc0f70311ad5516aff1950945e2fb5207bf8c66ec5ce670e929c3d175016e029cd3d11
-
SSDEEP
96:kDpFwak4dIIV2VyL47oJuack7hH/IIxJY5cI5QE8rlyQT18AF:k9Vf+mxOo0CBwc8h7QT1VF
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Fivem-Dumper - Main\main.py"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Fivem-Dumper - Main\main.py"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Fivem-Dumper - Main\main.py"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.0.1354939951\579392877" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1660 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19504947-6492-4c18-a99f-7dac62baeba7} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 1784 20a4eaf6858 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.1.1704761332\1487737382" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e621c902-8f79-49be-9bd4-3a6323644dd0} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 2140 20a3c472858 socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.2.1357672951\255888696" -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 2944 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {955fcb87-a9d5-4d66-89fd-50b67de0ac67} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 2912 20a52acc458 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.3.1805982170\2000590431" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {695dfd87-9d1f-498d-b44b-f6db3a87fb40} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 3592 20a3c42e258 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.4.1598237844\1084459430" -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4272 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66e8167e-ad77-470b-b1b0-d5619c991085} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 4288 20a54bf1558 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.5.1682655062\702663850" -childID 4 -isForBrowser -prefsHandle 4572 -prefMapHandle 4560 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25bd1496-2611-46b9-8675-4efdd0133e5e} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 4568 20a3c466e58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4480.6.37108344\924491303" -childID 5 -isForBrowser -prefsHandle 4564 -prefMapHandle 4540 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {280d6782-93d0-41af-a858-4df0926fdb5c} 4480 "\\.\pipe\gecko-crash-server-pipe.4480" 4696 20a552b0f58 tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
Filesize
2KB
MD536e59f1fbb08e856bc8c856e0407f200
SHA1eba76cb69369a209a0e25cab50c28a5e43c8f5ee
SHA2566367b0cb384ee96d1fb40946d35b4caede749dccf1e089f42cae1391f41c4bde
SHA512a8a3e8dabd7c5c64714d2ee672be54137a8a67c3305898b5a71f9d96b63f5bb5d8807cd595a70a8b71f0a86f0bd449bf8ad8d7a92db1fb1ba2f08c9d5e082b7c
-
Filesize
746B
MD5eb1e185b8cc8ffa19d767361581ed063
SHA1777178972d841b77426358101497ec6f73418535
SHA256674664a20f7186b9b5b848a3a935f9f90208d55660ff458ba2f2ee8977ace872
SHA512b46928528a4d147d09b8d7b02d5a80a8f96ef3eecbfccf27d9d9a39cbd474fc0efac6c3291185d2931e94420adf566c0eeae18a12d11682d4d986ef57f8a8013
-
Filesize
10KB
MD5f767181840f07fc65d3cf72572faf5b8
SHA1cfaa38b8915e4833b305663227748294aa016c38
SHA256b913f4d71bbae900bd40a899c49a461b8c14b066e281fa7a0e6749aacb330b89
SHA512432c195b6aaf0f1df6d7a57bac8075f64698535c17b30d7d1a0d86d6ed01f27e6983651d3ea1e95ac016e64dcacdff749a8297dbdd1d353b20dbce1a29d77d8e
-
Filesize
6KB
MD54b49182046476110a31efb18c6f602cd
SHA18fbac329399192aac1f78093a979de3f7444b21a
SHA25678d84288c3456339b48b0645a64241cc75aee001cc9e46e8c93e4c398e24dab1
SHA51243aa7e66c54e0eb41e19e8111a01b2bb01a5ed1631bd9a1c84465cf98ef3564eb66ff3c67f832ee4a93bded20f7d147c1dc9b22b2fd1173bddb90db90d2314b0
-
Filesize
6KB
MD5ffc474d18bdade1a36ac4a1bea520d95
SHA14d4c47c4c247d3bf0750f8e80fb7cbabb254158c
SHA2563bd5a4ea0917185bac5efc6cfdc2c428f79e8c77b2cadba0cfa185759ae33873
SHA512a6b38bf98164c55664cb8c7ce8ed0f0e9cee2838541307c7cec417e3e721c98b538fccc48a26d8a4731dad94d79d58d6c76f03927da34e7431ff01050a6a0801
-
Filesize
1KB
MD5c159e01b3190d012fd116c6ffda05f94
SHA18ed8bad25d37ab58e7995fc7e6f8c264087dac89
SHA256ff2971006774f18b6aeab35dc0e6a6c7ed2b85193ea39263cb246c5166e8fc49
SHA512ee33ebfd75eb37b9a352e097c5429b3306e95d300cba83cfb4caca44962f5ef7f8f785719434646ceb107e96a1dab80040c180f3ca414ee9dad96c1646e1b60a
-
Filesize
971B
MD575371e170c0fb922708b427c432c4a71
SHA1cd68e55c9aa754d2b97cab96922d09796c350998
SHA256cdcd72e565613e860f42d44f7d62e40488189cd51d0395ab2d3459584b7b294d
SHA5128f68acdd78dfa8fe1b7abb67f71bc79798a126a0f8158884195a3756abd0fd17d54e200d0ec3eb6b8ad02e1400b692f788f0f2f97a15a250829c8b2d214c00fe