37007796bbcd4370c8e562d2d80f99706c5e0910d866cea567b5c5da71f3fc2c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FirefoxReportLogs.exe
Size

1.8MB
MD5

ceef4762b36067f1d32a0db621ee967e
SHA1

d23da38df6b0fca8c524b641c59c700a2338648e
SHA256

efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb
SHA512

6301871a95e48f2873b60c706757af38d956c895112f14c28eac4c4a83456a1acdf15d0a5b1cd35f267a4149dc78b2469c427bde6a1bf5aa99de51d5e824d1b3
SSDEEP

24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\FirefoxReportLogs.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FirefoxReportLogs.exe"	FirefoxReportLogs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FirefoxReportLogs.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FirefoxReportLogs.exe"	FirefoxReportLogs.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	FirefoxReportLogs.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FirefoxReportLogs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FirefoxReportLogs.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\http:\15.228.77.178\ytr\serv.php	FirefoxReportLogs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	FirefoxReportLogs.exe
1512	FirefoxReportLogs.exe

C:\Users\Admin\AppData\Local\Temp\FirefoxReportLogs.exe
"C:\Users\Admin\AppData\Local\Temp\FirefoxReportLogs.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-0-0x00000000007E0000-0x00000000017E0000-memory.dmp

Filesize
16.0MB

Download
memory/1512-13-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/1512-14-0x00000000007E0000-0x00000000017E0000-memory.dmp

Filesize
16.0MB

Download
memory/1512-20-0x00000000007E0000-0x00000000017E0000-memory.dmp

Filesize
16.0MB

Download
memory/1512-28-0x00000000007E0000-0x00000000017E0000-memory.dmp

Filesize
16.0MB

Download