Analysis
max time kernel: 122s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 30-04-2024 00:38
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://deadvogados.com/wp-content/plugins/share-private-fls/shared
Resource: win10v2004-20240419-en

General
Target: https://deadvogados.com/wp-content/plugins/share-private-fls/shared
Malware Config
Extracted: latrodectus
https://jarinamaers.shop/live/
https://startmast.shop/live/
Signatures

Latrodectus loader
Latrodectus is a loader written in C++.

Detect Latrodectus Loader variant 2 1 IoCs
resource | yara_rule
behavioral1/memory/5352-398-0x0000024471B00000-0x0000024471B14000-memory.dmp | family_latrodectus_v2
Blocklisted process makes network request 4 IoCs
flow | pid | Process
95 | 1776 | WScript.exe
97 | 1776 | WScript.exe
99 | 1776 | WScript.exe
102 | 956 | msiexec.exe

Executes dropped EXE 1 IoCs
pid | Process
5284 | MSI8776.tmp

Loads dropped DLL 6 IoCs
pid | Process
2380 | MsiExec.exe
2380 | MsiExec.exe
2380 | MsiExec.exe
2380 | MsiExec.exe
5324 | rundll32.exe
5352 | rundll32.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8699.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8717.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8776.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8388.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI85FA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8658.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8679.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings | firefox.exe

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 | WScript.exe

NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\Document_g23_20u196809-89b27771u5582-0320b4.js:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
956 | msiexec.exe (x2)
5284 | MSI8776.tmp (x2)
5324 | rundll32.exe (x4)
5352 | rundll32.exe (x4)

Suspicious use of AdjustPrivilegeToken 56 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2532 | firefox.exe (x3)
Token: SeShutdownPrivilege | 1776 | WScript.exe
Token: SeIncreaseQuotaPrivilege | 1776 | WScript.exe
Token: SeSecurityPrivilege | 956 | msiexec.exe
Token: SeCreateTokenPrivilege | 1776 | WScript.exe
Token: SeAssignPrimaryTokenPrivilege | 1776 | WScript.exe
Token: SeLockMemoryPrivilege | 1776 | WScript.exe
Token: SeIncreaseQuotaPrivilege | 1776 | WScript.exe
Token: SeMachineAccountPrivilege | 1776 | WScript.exe
Token: SeTcbPrivilege | 1776 | WScript.exe
Token: SeSecurityPrivilege | 1776 | WScript.exe
Token: SeTakeOwnershipPrivilege | 1776 | WScript.exe
Token: SeLoadDriverPrivilege | 1776 | WScript.exe
Token: SeSystemProfilePrivilege | 1776 | WScript.exe
Token: SeSystemtimePrivilege | 1776 | WScript.exe
Token: SeProfSingleProcessPrivilege | 1776 | WScript.exe
Token: SeIncBasePriorityPrivilege | 1776 | WScript.exe
Token: SeCreatePagefilePrivilege | 1776 | WScript.exe
Token: SeCreatePermanentPrivilege | 1776 | WScript.exe
Token: SeBackupPrivilege | 1776 | WScript.exe
Token: SeRestorePrivilege | 1776 | WScript.exe
Token: SeShutdownPrivilege | 1776 | WScript.exe
Token: SeDebugPrivilege | 1776 | WScript.exe
Token: SeAuditPrivilege | 1776 | WScript.exe
Token: SeSystemEnvironmentPrivilege | 1776 | WScript.exe
Token: SeChangeNotifyPrivilege | 1776 | WScript.exe
Token: SeRemoteShutdownPrivilege | 1776 | WScript.exe
Token: SeUndockPrivilege | 1776 | WScript.exe
Token: SeSyncAgentPrivilege | 1776 | WScript.exe
Token: SeEnableDelegationPrivilege | 1776 | WScript.exe
Token: SeManageVolumePrivilege | 1776 | WScript.exe
Token: SeImpersonatePrivilege | 1776 | WScript.exe
Token: SeCreateGlobalPrivilege | 1776 | WScript.exe
Token: SeRestorePrivilege | 956 | msiexec.exe (x9, alternating with the next row)
Token: SeTakeOwnershipPrivilege | 956 | msiexec.exe (x9, alternating with the previous row)
Token: SeDebugPrivilege | 2532 | firefox.exe (x3)

Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process
2532 | firefox.exe (x33)

Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
2532 | firefox.exe (x32)

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2532 | firefox.exe (x7)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1988 wrote to memory of 2532 | 1988 | firefox.exe | 84 (x11)
PID 2532 wrote to memory of 4340 | 2532 | firefox.exe | 85 (x45)
PID 2532 wrote to memory of 1440 | 2532 | firefox.exe | 86 (x8)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows parent/child relationships in the process tree)

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://deadvogados.com/wp-content/plugins/share-private-fls/shared"
  PID: 1988
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://deadvogados.com/wp-content/plugins/share-private-fls/shared
      PID: 2532
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa73a24c-ead2-4968-bde7-248a574958f0} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" gpu
          PID: 4340

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea53ab8f-cb0f-45db-a95b-c21059712f26} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" socket
          PID: 1440

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3200 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef1fcaa8-5b7c-425a-9763-250504607918} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
          PID: 3152

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2828 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2740 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c951950-d794-4255-92c0-cbaa3b64cc3d} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
          PID: 4628

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4444 -prefMapHandle 4408 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843dd9db-2a19-4c0e-a2c3-418dc4d2c9a3} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" utility
          PID: 4064
          - Checks processor information in registry

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5124 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64666d4f-bc29-47cf-aa17-e81b830e3a10} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
          PID: 840

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec6de9-e0c6-4c98-9206-9f075449811a} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
          PID: 2096

        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81c10fd-ce76-46c3-b44c-48549c5c6aae} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" tab
          PID: 5056

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2472

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Document_g23_20u196809-89b27771u5582-0320b4.js"
  PID: 1776
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 956
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0558FE52BEBEC0201FE38C95AED91052
      PID: 2380
      - Loads dropped DLL

    C:\Windows\Installer\MSI8776.tmp
      "C:\Windows\Installer\MSI8776.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
      PID: 5284
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
  PID: 5324
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_39016c1b.dll", homq
      PID: 5352
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 116958c989e0b867e5fdd112d92699c6
SHA1: e2677e5385ce61775e44eccdf45ac9e95a42ce6b
SHA256: 68c781e9669f230f6416ee0bf01ede2631c71fb54b4accf7934dec1335020510
SHA512: 81b936c266846a6c2bfb36e8e49a239b852680d1cf35d949754859ce17598607094e5e3edffce9f6ac10c221c1d6d28f2f7bf2cd26f53478b87afde5971f055d

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Filesize: 364KB
MD5: a1c84c14a82f2cbb7e9a5f253d721159
SHA1: 3aa5e70111c290c45daac06984281dfb5439115b
SHA256: 53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
SHA512: f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 5d0eb1c5fe8a09507cbda40acb2b8ef4
SHA1: 093f2d5e1739832c7770d96a0494c717b585519a
SHA256: 704c1f8524535f9828a71a7dc50cff8db3d1c88e1f18fdaca5e35c8d18271656
SHA512: 47b7dce530b5610d42d296f579a5c8e1fbc63527851f1d45694ec2aacafbf67f8cfe9c07b48f4758439f0d7ceb26b78cc9a27ebbc85c71d436fdc5c3fb7a9435

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 21KB
MD5: 5ca1df05e7756f7a3b3f2793e996145d
SHA1: 51ede5efebb4d3b678b4359f0d359fa57f802b2a
SHA256: d2e7ee6e860794ea49c7f7ae82dc7c74575ba2dbaaedf7ede66c5088795edcc3
SHA512: eb33a9e9a31588a77e339bfcb6de3a30828343eeef473ca38b629d6aa881b60c680fb8df4c7d9697cfea2bc89ca8d55055151b021a01a1b81f4922da4aba12fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: 2bccb89e0f46c8a44e69a9f045d852b3
SHA1: fba13fa197f831315e5e53ea60d6933341ac3b04
SHA256: ba1d81e1734ce72b54ee5752f9adca0e05248197ed07bfe653eb401b61113090
SHA512: 587ebc75a6302ae665d5a68c5d3b85d6f7bf4f79acd053bab3a26250eb0f2c5b370c1170f21ef52e551ac0d99096c94484351d53a2eec2a484337db20fa0a13b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 21KB
MD5: d3c0d9bb43ce492ac499d85c87dcfd26
SHA1: b998ae5710ef8194d1b1a8087b3b83b8771b7c7d
SHA256: 1d8e08b937c05709231afd93cd492d9bcce939b09911890e2810852e1f5e7122
SHA512: 4aa86cd43e4ab739d849142516d259db12f40cbdef14b91cf2cb304d2608ee72c6c935a51e332909cac346ee105300e741c9518fe6805b325d42573b623d3805

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\0e5c6554-5e39-45b1-841a-b2f0c5b427b0
Filesize: 659B
MD5: 531066bcbc7597278f3761e45fecebdd
SHA1: 325f35a89aedac4319a8413a7f83d52db70e9434
SHA256: 6f110985c134b368688a191d393e8ab5cd30327baca20851ef5a9be282e3a75e
SHA512: fb83c27d40305ce6e30c615c338c28a3c19db4526d88b91886ab5571e4b965c5084621a8e9ffc532c7e7bc6a89a5391d2cc8ef0e9e53e1f5672936d8433c1211

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\8b8bff00-c90f-4fea-a503-546e1dc8aa25
Filesize: 982B
MD5: 0a62618c5b533b35cfe086443d8f5f90
SHA1: 3ae1668d4c9b98a1c42a11df3e03b4b679c71aba
SHA256: 2f69ebebe62d83f323c19221900404907b317cd62a74d3376fc15f545b49fc0e
SHA512: b979a054829765e94f6fe55a3a95ad0b84b4110ab74b67ff029e29a704cc5cba8e6d4cb827cc4a2e173a39a1405e46bae9d60b6a152dda9b23ea1d7d45ec8c60

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 9KB
MD5: 14e912c3316b3be14d3e2bf9dec16e7f
SHA1: 858a35d4d54bc322af7e26b42b16166cab1d7fcf
SHA256: a29ec0df706513eae5759a30eb84e4289983d5c5897e961aa0ea91cd7c876377
SHA512: 0a56738a316acc1c2ee5d89b61069851582b2ae772f0e1be01755c16fbbd50848777c20d02171e105bfc7104fc7f328b2eb4f6ccb5b771425cc9c931a84822a8

Filesize: 8KB
MD5: 8f7f59c79614fa11e35630381dcd923b
SHA1: 48e5a7e06b09b446c0c35a2f137dcb4b5c44ab98
SHA256: 962964b280d50ecc79f712c033e523b431f4df5a0003c52129ed4ea870cf6954
SHA512: 47206d6e33f56288697e75f0a50837e95b023cea1539cf6d1d02d338846e5314eead308ecf46ef1a1ec681fb10f1c2cff5a5729f0eab4729f43d7e8205fc3c16

Filesize: 8KB
MD5: 3d1089a97f2fd2c322e501be1663efd7
SHA1: c329f10b7b04079831aae4f48e43d1a69fd298c7
SHA256: 6cee73b4ae8d5b71fae24beaf88d77209e858188ca883fb8dde4be00e7dbcaa2
SHA512: 0f41794b50ce57cce4e9f4cd253a8a646ebff63aea195ad4317f2ae67b8ac312b97014bdc66105e2436629cc67624c36df07b5a3e5425b75e4a1dd64bb78da8e

Filesize: 533KB
MD5: 4e825c9f306560e7ebef828b06eddcd2
SHA1: 0be9284707a59ebf84bde7375beb1a0d00037b3e
SHA256: 8720c588cc94e880ce004b31858a70d54edd06b7bd7e6ab68c9c35ae3253e3a6
SHA512: ebb17b59d00beec8fac26d2cb8320018f7d7e0df6fcede27f45f15d98d906f5c9afc2b7f8d0ced18023cd90fc5f2fae6bdf46683479fe7ca8db8c19c9c2ca585

Filesize: 1.3MB
MD5: f83ed040b4e52088817df73ef51fe0d3
SHA1: 3d011c54ae9a66ef2a865afd694712b338feed5d
SHA256: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417
SHA512: c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0

Filesize: 436KB
MD5: 475d20c0ea477a35660e3f67ecf0a1df
SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Filesize: 389KB
MD5: b9545ed17695a32face8c3408a6a3553
SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04