privateloader | b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Resubmissions

03-05-2024 10:21

240503-md6twaed45 10

03-05-2024 10:18

240503-mb2r5sec74 10

Analysis

max time kernel
88s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-es
resource tags

arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

10^/10

privateloader bootkit loader persistence

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
206	raw.githubusercontent.com
207	raw.githubusercontent.com
204	raw.githubusercontent.com
205	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 8 IoCs

pid	Process
5992	MEMZ.exe
6060	MEMZ.exe
6116	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
1852	MEMZ.exe
1884	MEMZ.exe
740	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4312	AnyDesk.exe
4312	AnyDesk.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe
6116	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	taskmgr.exe
Token: SeSystemProfilePrivilege	1060	taskmgr.exe
Token: SeCreateGlobalPrivilege	1060	taskmgr.exe
Token: 33	1060	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1060	taskmgr.exe
Token: SeDebugPrivilege	2216	firefox.exe
Token: SeDebugPrivilege	2216	firefox.exe
Token: SeShutdownPrivilege	6116	MEMZ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4712	AnyDesk.exe
4712	AnyDesk.exe
4712	AnyDesk.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4712	AnyDesk.exe
4712	AnyDesk.exe
4712	AnyDesk.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
1060	taskmgr.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
2216	firefox.exe
1852	MEMZ.exe
6116	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
5152	MEMZ.exe
2012	MEMZ.exe
1852	MEMZ.exe
6116	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
1852	MEMZ.exe
6116	MEMZ.exe
5152	MEMZ.exe
2012	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
1852	MEMZ.exe
6116	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
1852	MEMZ.exe
6116	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
5152	MEMZ.exe
2012	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
5152	MEMZ.exe
2012	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
5152	MEMZ.exe
2012	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe
2012	MEMZ.exe
5152	MEMZ.exe
6116	MEMZ.exe
1852	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4312	5012	AnyDesk.exe	84
PID 5012 wrote to memory of 4312	5012	AnyDesk.exe	84
PID 5012 wrote to memory of 4312	5012	AnyDesk.exe	84
PID 5012 wrote to memory of 4712	5012	AnyDesk.exe	85
PID 5012 wrote to memory of 4712	5012	AnyDesk.exe	85
PID 5012 wrote to memory of 4712	5012	AnyDesk.exe	85
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 4320 wrote to memory of 2216	4320	firefox.exe	99
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 2888	2216	firefox.exe	100
PID 2216 wrote to memory of 3996	2216	firefox.exe	101
PID 2216 wrote to memory of 3996	2216	firefox.exe	101
PID 2216 wrote to memory of 3996	2216	firefox.exe	101
PID 2216 wrote to memory of 3996	2216	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.0.201412397\1012783373" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1560 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02bdef0-a6b3-413f-acb8-d35e19a4eb75} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 1900 1f338b0e958 gpu
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.1.1868100716\859713204" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76deed5b-e4fd-49dc-88d8-7a0dd34be2dd} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 2468 1f32bd89c58 socket
    3⤵
    PID:3996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.2.689185450\1883289523" -childID 1 -isForBrowser -prefsHandle 1564 -prefMapHandle 3036 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aba6ee4f-a39d-4c9f-ae68-ae9ccdbb5084} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 3024 1f337a90558 tab
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.3.1238847794\1775058200" -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93e01aa-b337-4dcd-a93f-4facf6b06c52} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 4152 1f32bd7ae58 tab
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.4.2105743114\84327198" -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5108 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4523db7f-92fd-42f1-9d82-6ac28cf602ad} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 5156 1f33fa8b958 tab
    3⤵
    PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.5.1029004050\901044093" -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5324 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59058be-ef5f-4d99-a9a5-bc2580c8f775} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 5308 1f340206d58 tab
    3⤵
    PID:652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.6.2079607789\536576131" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e38940a2-ed88-44d2-b106-9d95eac62758} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 5480 1f340205e58 tab
    3⤵
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.7.2069919127\2067759390" -childID 6 -isForBrowser -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 27753 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30aa6a8e-0e4a-4ea5-88bd-5e859aad4270} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 4388 1f32bd79f58 tab
    3⤵
    PID:4140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.8.1964072555\1392915099" -parentBuildID 20230214051806 -prefsHandle 4568 -prefMapHandle 1288 -prefsLen 27832 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f429ae4-e7c3-4792-91bf-588d70383046} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 2592 1f3433f9858 rdd
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.9.746466833\1038669039" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 3636 -prefMapHandle 4572 -prefsLen 27832 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17d8ed6e-ad9f-4545-ae2c-7dc1cb3e009d} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 6192 1f3433f9e58 utility
    3⤵
    PID:5380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.10.1174354020\1701087315" -childID 7 -isForBrowser -prefsHandle 6404 -prefMapHandle 6412 -prefsLen 27832 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59be6b55-916c-4a0a-b087-92b379775505} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 6400 1f3435efb58 tab
    3⤵
    PID:5452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.11.486584209\414239439" -childID 8 -isForBrowser -prefsHandle 5776 -prefMapHandle 5792 -prefsLen 27832 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e5a201-bb2d-4a78-a177-baec7ed97675} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 5764 1f343ca2b58 tab
    3⤵
    PID:5644
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Executes dropped EXE
    PID:5992
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6060
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6116
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2012
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5152
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1852
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:1884
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /main
      4⤵
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
d72beedeb38eb860f932f36424251e4d

SHA1
8a26d14a819400dcd96bcfc0983a00a2d88b963a

SHA256
1a79566de19e5099ecdbe7121146bba9b9a5372aff213aec92a32506c3ae9f44

SHA512
8e24f4e9deefe9b88891f807afa7bf7b0b5e60d7057379e5a0d3402f64be309777592903a40ebc5fd8ea8001aadb20283af3a9253b56151be4170d86ed541df6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
92388b136ad05de89fef71965dbbfe15

SHA1
7283e2e67395fef1f896f17dfea43f38b2e999cd

SHA256
ed59bd3c9ebf79fd267e6a677ffb0b6cdb4fe71f0ae299d4e7f00eef03743286

SHA512
24c4aa07118d0bc054a2f34a4efaac21cd3475d64f8638232df748895e377946c0bca80c732aa0bccac1f72d50f26588bce8581440a1380af85ae888f665dc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
28c62f618e219166f3816551e227ee80

SHA1
f44d0a7cc04ac4841e26948400fccf6f0afb5baf

SHA256
558c872b335ff2063c9475a4b57601953250bf1cd8af8ab09bd8d0490941a072

SHA512
2e4d9f57185397a8fbcbbac9a2b0e346642927bfcd68e8206501b18cd315d21ee10b8503aa2ae9c1672c19ca5aaa80c2f87e4370681caa62be1b77395c37883c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8d4d27c80cd30b13f1f49fa3a990f478

SHA1
d511bf8e540a83ece4cf572761a05b8a88b86d2e

SHA256
9b7bead39a55ea97b57aa3146bfe5c96cd43f79e230f850afcbe6aa21c15def6

SHA512
b2e2c10cf50d1d58de4a86cab88923ed6c54eea9b6751e8e6f1a5054abe8c8ac2dcb18c1579291597fda63d66f09117c19dbd21bed32fb8c89ca9b5536c9a304

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
67fa2d9f9c6ca5a265b49944d98f26ad

SHA1
4984459e13e91abef8fffce5cece0ce8c84c0bd0

SHA256
17ef6ad8453f010eac2c69feab54ad90e5cb941dbfe9a24248cbcdf54a41f271

SHA512
9341e31cf47cb4c52ef0f7f253081a9b54de28194ba34239fcbdb4f4ebd3f43bb10b6b074d0566f01b88360fc3c3f4199b10ea249756cb245a20eb3558426ef0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
0e119586a715681a31ae4a145d62991f

SHA1
8d625201b054c2f81251fb44ea9429ec199fd705

SHA256
2312c4cc9a893957ead239f4e5f910e21066fcea8a90b278d646445b079e80db

SHA512
10a18ef73bf2835d166bb4c35eb5a9ffd8c8738f5189ac65ae2f8a9cf6fd8278f1daeb8629a6783e531842c77224e9507db95428c09aab50ae4c7066a70b493f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
6ce2c537dc472fa7e58a3ad0a84cfe8d

SHA1
e8a55bed9f940d38d5cb7cbe0eff134d718502aa

SHA256
0d92b57d7b72da511b732f4b8c74268f2326ed2f02379567dd1c8df1b39037b8

SHA512
778db9870fbac1b7e4fdda5fca76ba8dcc25cf2582864601b20d285664c08d7f9dc890fbda5bee22699d59771ba2c8319ad19008092ee63d690a605afaf334cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
47571354e57cc426b407d6de5196dcde

SHA1
9dd39b1e1df0a98ad560e7de0ffab884da24cef3

SHA256
35b413e25fe6a26ca178fcc21a88cab0f1343dee8a57617d7dcecddb1d5fad45

SHA512
82f9ea1656a252095f653c2fc2ac097f5e8230df47870a419a33b9d899f84576c27ada32f82482ae6c36dfa6ddd7da44b00eab622756369d0ca668a1d8be5aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
7KB

MD5
28cfc2bd93eef3627a0aae306cc5aa77

SHA1
0ac29d89af63010959b9179d2c3338d2afafc72c

SHA256
c0590f510982d58bbed73d4adea2f12e101fe93fb18a75dae676f8c7301f62a1

SHA512
2ec7556ac9ab8361fbe22cbf4322418041d0f627114ed50923757acaa0dc34fac6088305a87891a568c4a71cc45fde7615d7d74c8ce06e58351cd8e356391860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
7KB

MD5
3c63b7f7944bd455b09335625115f833

SHA1
cce9aa1f4ef82f3a59a484534ec7f6e22e8d4c10

SHA256
38ec8010bd7ae31b3282f5cdbe0ddbbcef0e2980fb2b691f12e2de5270a1447d

SHA512
9f3fc7fa17a8528485c0c5a89a72581830276b480ef3736e827d27b747906840c1eb45e32fb5198b3d78da1207a14dde42d32d93b32d13b341c3c100408fce50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js

Filesize
6KB

MD5
8d439dc8cd964c0806446e1b5eed06e9

SHA1
9c182c336d918c9d591e00690b22ca282181631e

SHA256
fab26aabe721185a72dd37f5cc64e0b9e1198dc06ecad8d15b7933e059d4750b

SHA512
dfbe0f236125712457bd32414e9d12cdb0f410abd5a1495aa2a5820c4c11cd9626a95ebf1ca65e6c58317978cdcc8c1538f10e235820751fac4e731acec722e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
776ed0a6dd7c918607559469f598db4e

SHA1
e7bf6bb2490b47b5105e6e1c179287f084d2b7e4

SHA256
2d48e7099c55497cf63baec8f0b61d4267c0d9e587d258401171389c06379d01

SHA512
ddcfd5be089f2e4aa66519150ed36ab3fb376d60af77a7c256f5c827c6add166ac28f5cb2b6aff0b0a49e13c81df395d1e34a79b3b7d0ed17bfdede6d48cd511

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1013B

MD5
593aa9e14b24c9d621bc652c42601edc

SHA1
fa514cd5f925acd1769645ea9b5df6826c0ab6df

SHA256
59bf10b4fed47d747e38192922798d622eaedb61b44e2e80a2d7e5d7ae614567

SHA512
322de4243ab0ebe75829e24bfe87d8698cab4c3d285585823364938b24525571b6a6c0bcc3c35f04926ea5e743fb522dec0c97dce0fb137264b2de47f8da11c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
06bd8f9a9e24b308b222d7cae1a10e87

SHA1
0b8202f0d651fde52bb27d626fe2fdab48f07147

SHA256
571d515d906f527d2e15f823672c29120f862b210a69858f5bd58ce96d4d1575

SHA512
626e9e1c0a9e34434e42b6d578d251bf95c9f4d925a63e5234ca8ee81cd73a654c4bf303135516a7b01cf7b4bd13460a0b26118a8fa0bb9788f59f2218eb539a

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Windows\System32\t4pfwd.exe

Filesize
7.2MB

MD5
f6d8913637f1d5d2dc846de70ce02dc5

SHA1
5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

SHA256
4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

SHA512
21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

Download Submit
memory/1060-68-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-66-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-61-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-71-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-70-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-69-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-60-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-67-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-59-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/1060-65-0x00000176CB7C0000-0x00000176CB7C1000-memory.dmp

Filesize
4KB

Download
memory/4312-20-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4312-73-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4312-81-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4312-41-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4312-84-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4712-74-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4712-40-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/4712-21-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-0-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-75-0x0000000000B34000-0x0000000001443000-memory.dmp

Filesize
9.1MB

Download
memory/5012-72-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-18-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-17-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-13-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-4-0x0000000000B30000-0x0000000001742000-memory.dmp

Filesize
12.1MB

Download
memory/5012-2-0x0000000000B34000-0x0000000001443000-memory.dmp

Filesize
9.1MB

Download