Analysis
- max time kernel: 56s
- max time network: 57s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-04-2024 17:22
General
- Target: godhuntermode.exe
- Size: 203KB
- MD5: fa27771b02f19cbd8ffca1099538858a
- SHA1: ae591814aa4b40bc0ecf87a50d0fc1df9d16c7a7
- SHA256: 26fa94e684087b55f0d0ae839904aba0de3d6bd7f8fc2d19ddea18e6f66b8396
- SHA512: c985071e77314a5a3687a522fff337c3ee4b08d228b999694a6f5dbeaadd8b03f717b4c5c50526cb45cff319aaf666a7ddae63f402ed023e8246865750d821c8
- SSDEEP: 6144:OLV6Bta6dtJmakIM5GO3JM1fMKQqa7FPp0k4n:OLV6BtpmkWGpC78n
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files\\DDP Service\\ddpsv.exe" (process: godhuntermode.exe)
-
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: godhuntermode.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
- File opened for modification: C:\Program Files\DDP Service\ddpsv.exe (process: godhuntermode.exe)
- File created: C:\Program Files\DDP Service\ddpsv.exe (process: godhuntermode.exe)
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (every row: firefox.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 848: schtasks.exe
- PID 1036: schtasks.exe
-
Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings (process: firefox.exe)
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
- PID 1968: godhuntermode.exe (29 identical rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1968: godhuntermode.exe
-
Suspicious behavior: LoadsDriver 6 IoCs
Processes (PID only, no process name recorded):
- PID 4 (5 rows)
- PID 648 (1 row)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1968 godhuntermode.exe (2 rows)
- Token: SeDebugPrivilege, PID 836 firefox.exe (2 rows)
-
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
- PID 836: firefox.exe (21 identical rows)
-
Suspicious use of SendNotifyMessage 20 IoCs
Processes:
- PID 836: firefox.exe (20 identical rows)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 836: firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writing PID -> target PID, source process -> target process):
- PID 1968 wrote to memory of 848: godhuntermode.exe -> schtasks.exe (2 rows)
- PID 1968 wrote to memory of 1036: godhuntermode.exe -> schtasks.exe (2 rows)
- PID 4292 wrote to memory of 836: firefox.exe -> firefox.exe (11 rows)
- PID 836 wrote to memory of 4768: firefox.exe -> firefox.exe (45 rows)
- PID 836 wrote to memory of 3376: firefox.exe -> firefox.exe (4 rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe (PID 1968, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"
  Signatures:
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 848, level 2)
    Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4B61.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe (PID 1036, level 2)
    Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp"
    Signatures:
    - Creates scheduled task(s)
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4292, level 1)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 836, level 2)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures:
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4768, level 3, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede40b07-40e0-408d-9f53-144479691608} 836 "\\.\pipe\gecko-crash-server-pipe.836" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3376, level 3, socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {244c8de1-d88f-4cd3-ae5b-c7217648d067} 836 "\\.\pipe\gecko-crash-server-pipe.836" socket
      Signatures:
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1020, level 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 1604 -prefMapHandle 1532 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12b251f0-4aab-43a4-8f20-34e0c76d8b6e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1316, level 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12089586-7a26-47d9-8ff4-f3123a068d11} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5604, level 3, utility process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4884 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {729173ef-f48c-472b-936d-11cbf733140a} 836 "\\.\pipe\gecko-crash-server-pipe.836" utility
      Signatures:
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5924, level 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5212 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b93b1b-1b82-40c8-8996-28694003f09e} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5936, level 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250cd809-fba5-4995-b7c1-fabf896e7d2b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5948, level 3, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5168 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7210ec9a-46d4-4169-b486-72d3e6cb3f0b} 836 "\\.\pipe\gecko-crash-server-pipe.836" tab
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l594d31n.default-release\activity-stream.discovery_stream.json
  Filesize: 20KB
  MD5: f4e69877176badff102f6f14849c202f
  SHA1: 1eceddee27d2321e57ea412475746bf2b491d6d1
  SHA256: 2b682d5c1608fb24939d169a48138829366a549cdd89b4e0f226cc0f82747e76
  SHA512: 03f042f40c212cbb101466ce4ae0ba471f4ec823f5009f6be0d18b6a50d5ada5672837ba784f1972b2376c0a47efd1cd7149ab33cb3efe79dd280146a7fd2374
- (path not shown in report)
  Filesize: 1KB
  MD5: f5d30efce4b1aee5eae396d83a3ba12b
  SHA1: c710a5815e1431398a03edf703dce91328e06b56
  SHA256: 3c7dd02a58748453a8f136ba495fbbfebd4d00ff283c0ebf9bc4db32e1d9a948
  SHA512: d04000a54938a075c4228ac2c50b4c2389546b953b806cbc6425072ab1cbd79f3ce13b27def1fe15e9fd2e81d06d1d650a3aedd2e0286ad4a445e25a6308bb7b
- (path not shown in report)
  Filesize: 1KB
  MD5: 15d749210e6e1cb4115160780901c4a3
  SHA1: 6a0d047973a484874fa07f24ab0a793744c69700
  SHA256: 7a8e4ca799b470aad149653472d9442aa5815204c04cbbf0fba0d3052b6bd09c
  SHA512: 369ea9b77c8e847411677caa0a37caef637832468d868d75a0c6d10e9f13442fd7c70b56e38b444034b9dc98ee7e75c361c7561128a8e3280e22b724a088315c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 660069b3cbf98420ec15d4c08f605bc7
  SHA1: 562c81da7e83adbc6cbf61a7ff48f69bee1254b8
  SHA256: d136816baf03b54e7a8d8d572bb5ab1c367a161d1d9967d1180be2c723709256
  SHA512: 1896c22299407b0b41fc60f3e388d14929d2f8ac00e4ffec6a57c960d0724f94f7399705d491bb4ef5fb173b1939b48406bb757d3c01ff0f23d4ca97d49c23d4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\13323c2a-7e6a-446f-b9b8-022a1bfeffda
  Filesize: 25KB
  MD5: 3c2ddb6b9d2b0665393a62a0a7161358
  SHA1: 43d0ee932a4e76d7312ae189ef873785d10d9260
  SHA256: f23b7386715d4ba281075bc962bc8cda5336e26535da85208f0b986f2f640cd9
  SHA512: d34bb357b749992a2cea3cc8a0190830829cb971c3e5015afa9bace26c95209c2205974882f8f337cfd707a0082b6bde6660b9afb624e0fb9af531ec93f2bb4f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\63695cda-15f3-469a-9e75-2493516382d5
  Filesize: 671B
  MD5: 9636fb2b19e673eec108645e59974df8
  SHA1: a763a9e680edb76bedf43c266d997e5f185809a3
  SHA256: a2b740217fa12185f29dc10ef30ade544b5925b1e065211eecac4a77274f02fb
  SHA512: ee7dc7b6f9b2e48d87a13c0cfac6a2ae6a4de08357776dd231be0029a8e4f405e6be0962ded1e21a3fb87cd2bb3143f147c699c07d8f105282726a980f4061ca
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\6907fa81-3b4a-41f7-aad6-635691930474
  Filesize: 982B
  MD5: 4be524104903616e4594d0d56ae229bd
  SHA1: b8b2f0a19c670995b2460b3ca9d2b55f9e56c3f4
  SHA256: de6731b0f7b54cc472dd3967515fbcefca9d0b3f4fcc72b89ac9e278197433a6
  SHA512: 02523cedfc7ddc7e70de8432f31bfdd2ca618d4c8b841ed3e1c4e93148fc3c347484a5e6fc4efe10609682a8475bc37c4bbb0edae0561c7b29b22c247cc408b3
- (path not shown in report)
  Filesize: 8KB
  MD5: 3b006a36ed2f6bd9068f5008b0686aaa
  SHA1: 42a0d19ab17617780edd76c3800e40068ba5f1ba
  SHA256: d4e808fa37bfb40c2bcfae85f8abbe492668a08a31e908345d358d78aa049f43
  SHA512: 356bed376ae0af6e560db3823d4709fb2fd3606f688c5c69ec7d4ca25bf664ad7136905fa97b981ba76033c39e55b5cda312d1e2487aeb7a85ac672b2db92db4
- (path not shown in report)
  Filesize: 8KB
  MD5: 56fd3bbedceb453571f11454e4628e83
  SHA1: b5ce2b85202caa7a06ee800deaccc800143a8e38
  SHA256: e265bd2152fc9659caba7580f3c8d937f64ffdea185e04c13925da915df99975
  SHA512: aa76a4c5de311c01b278bde1aa7159155d8c0632d1e0581f90d6cadd240a68fba57f955dae9442faa44e735829cb1cdb99fd7954f723fee59575979af61a5755