Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
27-04-2024 22:14
General
-
Target
Alan Wake 2-arabic.rar
-
Size
4.2MB
-
MD5
1661636cfc2348189e9adb654500db97
-
SHA1
994d1689ab16a6226a13251f9ab0d1e46161fe0e
-
SHA256
cbb7e3f4e7ecc2f776636bea17034a106e9637f522c00ff15fc8e4f6ba030473
-
SHA512
fa6198f327b039596d9f0bff2c9859fb342ea76aa78e6e8c0694d54649b573b38798b043fa83bf0d5b9b0677b8c29bfeaf6222bcba03557fc2ab89bcc720f910
-
SSDEEP
98304:27ReFkKn64vZutlEF7RVzUuVzSmMbrOvvgUhepGfDfIjy2qdR:oYkH4vAlEF7RJPSmMggpGfsmbR
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Alan Wake 2-arabic.rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Alan Wake 2-arabic.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Alan Wake 2-arabic.rar"3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.0.203046854\1172025170" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab554a97-31c4-42a2-bdeb-7b3248da06e2} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 1832 211df3aea58 gpu4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.1.299413627\974399915" -parentBuildID 20230214051806 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d57f09f8-31a2-4127-82af-60d987dc6754} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 2376 211d2588758 socket4⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.2.1369882932\153172204" -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 2972 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e028cd5-b972-46ca-ba6e-8a20b13fc704} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 2892 211e2153e58 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.3.403413501\210616351" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50febe4c-49b0-443c-b735-ca1a0db4f641} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3364 211e48bb258 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.4.707368546\1652536373" -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 1584 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab4953a3-776b-4ed4-98f0-e0361befc201} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 5276 211e2152058 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.5.1643967690\634984369" -childID 4 -isForBrowser -prefsHandle 5344 -prefMapHandle 5384 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba629b78-a25a-4573-bbb8-cee5e01cb7e8} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 5008 211e5d2b858 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.6.2107318083\414605550" -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40111a1-e637-472b-aae0-cc0110f60f5d} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 5672 211e7e5e358 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.7.977026499\593113301" -childID 6 -isForBrowser -prefsHandle 4996 -prefMapHandle 4912 -prefsLen 28079 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55c1529b-039c-4318-a5fc-1387de1467c3} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 4336 211e49d6e58 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.8.969014965\2040371755" -childID 7 -isForBrowser -prefsHandle 5864 -prefMapHandle 5876 -prefsLen 28079 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {709ee92f-7279-4491-beaa-e534a267d270} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 5872 211e8854858 tab4⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\Alan Wake 2-arabic.rar"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\winrar-x64-700.exe"C:\Users\Admin\Downloads\winrar-x64-700.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d427d3b0972c4b789d6a0260c2a77e73 /t 4072 /p 38761⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\prbn7a8y.default-release\activity-stream.discovery_stream.json.tmpFilesize
29KB
MD5dc99d69d3c50c7ff1f9fee1e7afc837d
SHA1c9ffa20f9c7a61d090d274a9dc8aac8bbcee9a8c
SHA256de614718ce04984baa1a7a8b8a8ecf3b4b21379ec9d62b90af59e6af9bd6aa7b
SHA512da50385df2f04b99c7f1d18b201d9fe69a7a222c53574424f6422464ecf6979fc4f9f3332787f5d035afaaa72603e98a9f2cead7ac277b0854ba9601d085bf2d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\prbn7a8y.default-release\activity-stream.discovery_stream.json.tmpFilesize
29KB
MD57921c6149f7e7d640f2588ff954e9d5c
SHA1d02ac246ee0c30ffa02bbac251c0f56fee3fd88e
SHA256919e1e2633be1cc00885e711e5d1d51f4937a40d28809e77765488020b47fb89
SHA5120fcf745e4c1c5fe6219c5635634c9aa3e536a23dfb5c69286aecbe27d5562837b53dc71107994702cf78c88cf430503942b90e740f4c05fb2042a997e22173f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\prefs-1.jsFilesize
7KB
MD5ede783a53a55a4825ba2e564e8766d50
SHA10add584e71d965fc0c84ed7ed8d429a35cc26d29
SHA256e7409590b129a6fc8d0c9901ed5be60af54f83eef091360dba54a80959501e1b
SHA5124a46c925f43318872291de573c50acec091d34bdb68f3bdf7c8f20dfc6bb7014be11b92fcc0b5fa5830d17e74a6d556bef2eaa5cb0070f64a8d48465b13ee92b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\prefs-1.jsFilesize
7KB
MD5e1bae4b2a71fe43c008a0d559187e4bb
SHA16524a128278487369ac7eaba91fd253d9f69ba30
SHA2565b872318f4fd22409bc2cdb32f565403310e2a3901ac1a4f6ed9d40c79db35e9
SHA51249eee4268ca733e86ae57321f838caecbb7406257f3a416da3f12f8dad073cc8c08487e38aa5b31af7168a7a595679fcc4253b7651a2acd2c261010c61079ae7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\prefs.jsFilesize
6KB
MD5914bcc7dab96a703c1f7f956bf1bf473
SHA12945ed20a54178a2c589bae61b249167ae45a4ef
SHA256111fb8b4fe2280b74e8239e4cf4bf399a8639ba4373d4543ffb54dbb3f525bc7
SHA51250ae3a87042e947cb6aae697edc35644ee82fca25883ba4b1ef3ef95d0de6e0677f48d425b4f2953e350f37eee3d0ce35a9b1d2fd1eea7a33095c734096ccaed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD55ba43d9e6f0babe76e41dd8e6e862019
SHA1500608c441ebfd8dfb40c3cfc56883b0a53ea165
SHA256d811b78b54126772a68a8ad5c105910b36e4aa26d52c35c1e8427047fbdd1d6b
SHA512e04aecd66487411cb4435163a4ea13e8567248e670c146cc79e73441c46cc43c30c34baf685ae21093a8a5507117107e83edbad4544c9dc0494eaddfd0a4be1f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5cd1a883c337abe74df8776f2d112356d
SHA1845f9b03c05428d6da1d7da4412f2a4fd06022d1
SHA2565a19f0b038f6c13d37d95591128e1a4465dd3c6b1974cc3753aef606427f14b4
SHA512c588c151337c78060ae3e64971b18a63f8dce0de769c9a7265430058c89f7186e71c3400ef03bfbe906632f8fb1782c1d9c6bdec1d686f831c89fd07de46e044
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD51bad1afb97ee9eece8f16415a12d28c6
SHA118a63accb2a9b57e044a9252cf01e70c48e211bc
SHA25664d4a0f2cea0b78f60882f20b8ca51c922370f54c00dfff1a054eae583f40061
SHA5126229c9d47c6f0dcccb26572fe6627ba2765495951c36a43c4b0a8830028a6bb0c57cbefed1e03873985109d332c1151640763280110e824dd4fdc6d2e9de8f73
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD55a0d8dc9cef952c00cf334d95b6a9923
SHA16483592b160a513e21ce675ea5451a6a302cc6ff
SHA2567ceba69f8fde2539516c3052234d377ff4d0d283a0c0a6fadd1ba098a0f34c76
SHA512a7ee2d5ae3a98552a0a89fc71c8b05fb07adbade698e88763b29c03c1547929a9b1d3f4ff0b7c78ca4cf860b5328cc1f1b9f8f43fa0f2697484b44cf437b325f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\prbn7a8y.default-release\sessionstore.jsonlz4Filesize
4KB
MD54680e2f4c4d5aaa61f524f94fc05ecda
SHA1b16630d908bd72ac726afcd8da8ca3bf5780e0a8
SHA2564c439f05a9951f6c0a8432a246333bd9cbbb8bb8d9ae811ea5136955055d5050
SHA5127ddb4d1c0de3b97317af278b0f15093b24371a9bd0eae293ee32264b635b20261bf428725250509360f2c509a77555cf722b44dfbca63732d45c8e7464522d46
-
C:\Users\Admin\Downloads\kOMrrV7X.rar.partFilesize
4.2MB
MD51661636cfc2348189e9adb654500db97
SHA1994d1689ab16a6226a13251f9ab0d1e46161fe0e
SHA256cbb7e3f4e7ecc2f776636bea17034a106e9637f522c00ff15fc8e4f6ba030473
SHA512fa6198f327b039596d9f0bff2c9859fb342ea76aa78e6e8c0694d54649b573b38798b043fa83bf0d5b9b0677b8c29bfeaf6222bcba03557fc2ab89bcc720f910
-
C:\Users\Admin\Downloads\winrar-x64-700.exeFilesize
3.8MB
MD548deabfacb5c8e88b81c7165ed4e3b0b
SHA1de3dab0e9258f9ff3c93ab6738818c6ec399e6a4
SHA256ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24
SHA512d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af
-
C:\Users\Admin\Downloads\winrar-x64-700.qhNXPp-o.exe.partFilesize
15KB
MD551acae76c5d6c8b6e756a34bccb6ec61
SHA188f546f2b4bfec0afe083de970425bde03dca174
SHA25694ab09c7b7da76c352a4758444104f714c6503b23fb33ee3ee98559b6ccfd0e2
SHA512e18ce452a47290bab74347ea94925fc407eb411f53112489d2b0ba616b572dbe13451f641aa07c4d2bd536021c28445ba830554471d61401399862a27396e769
-
memory/1256-107-0x000001946A140000-0x000001946B1F0000-memory.dmpFilesize
16.7MB
-
memory/1256-106-0x00007FFACC010000-0x00007FFACC2C6000-memory.dmpFilesize
2.7MB
-
memory/1256-104-0x00007FF67F660000-0x00007FF67F758000-memory.dmpFilesize
992KB
-
memory/1256-105-0x00007FFACDFD0000-0x00007FFACE004000-memory.dmpFilesize
208KB