Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    10/05/2024, 17:51

General

  • Target

    Devotion.rar

  • Size

    34.7MB

  • MD5

    da7a2d53576334fd7ad071d11360f7de

  • SHA1

    7bb71d4b7ae9f07febff9145c93dd5304746b1ce

  • SHA256

    64ab805160794a3ce8b818c6b0c438a79623727fc7ec6f38a31655323450ec89

  • SHA512

    77a205b66e8df2f15c14d5694a2a1f5279fae68026ca540e940160d8cbf6609f9a8c81fc1c0b64ddeef7f76b73aa219dff5f3fa67537f645e821ed272ea20395

  • SSDEEP

    786432:Vw0KeiwcMjQ6lePQXuM+IK5EzauWhERopwKwvIQzSP2lLR65HRiyVs:C05zjsOoIo0ZRNKwR7M5oys

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Devotion.rar
    1⤵
    • Modifies registry class
    PID:2116
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2924
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.0.66177261\1806144416" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fbde589-e5c8-4ea2-9f70-d2a5794ab492} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 1812 1c04b8c8658 gpu
        3⤵
          PID:4332
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.1.33083926\522662261" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691d38d2-cbd4-49e0-9540-07c0aee14c78} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 2168 1c040870a58 socket
          3⤵
            PID:5056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.2.1878647752\474308108" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2932 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b34f696-7ecf-4bbe-8941-54243d4394db} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3004 1c04b85e158 tab
            3⤵
              PID:1444
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.3.1393364663\1266820307" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d201b7ac-7526-4ff8-a1aa-baafe755b4e1} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3472 1c040862558 tab
              3⤵
                PID:1520
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.4.1692668076\1722216802" -childID 3 -isForBrowser -prefsHandle 3980 -prefMapHandle 3988 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5551c701-c999-4b09-89a3-02a62edad107} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3992 1c050f7eb58 tab
                3⤵
                  PID:1128
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.5.345770495\531071219" -childID 4 -isForBrowser -prefsHandle 4300 -prefMapHandle 4816 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {755317c0-0751-47c5-bef0-995b98afc29b} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4824 1c051bf2858 tab
                  3⤵
                    PID:704
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.6.893198203\924867005" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a75f433d-3218-466f-be11-4bfb8efd870e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4844 1c05222e858 tab
                    3⤵
                      PID:1328
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.7.268163047\1942665104" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e654c9-3443-418e-84f3-13706fe84717} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 5260 1c05222eb58 tab
                      3⤵
                        PID:5112
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.8.2069492340\7655912" -childID 7 -isForBrowser -prefsHandle 4064 -prefMapHandle 4080 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e771e9-3547-4314-9572-eccd9b69a8fb} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4052 1c050f7d958 tab
                        3⤵
                          PID:2660
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.9.400800236\557827580" -childID 8 -isForBrowser -prefsHandle 4852 -prefMapHandle 4840 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc19fdd1-be1c-4093-a7fa-8eab7f2b01e7} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4920 1c04bb27b58 tab
                          3⤵
                            PID:5076
                          • C:\Users\Admin\Downloads\winrar-x64-700.exe
                            "C:\Users\Admin\Downloads\winrar-x64-700.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:3640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2588

Network

MITRE ATT&CK Enterprise v15


Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\doomed\25688

                          Filesize

                          9KB

                          MD5

                          bb60ce18df43fc888983e874dbaa0470

                          SHA1

                          15d543667fb7d941783f63772cffb20393a3aedf

                          SHA256

                          df443fc53c42fc1cb1d2b6a82c7031ea9efb4b3cc809f6ec631bf5450b160d2d

                          SHA512

                          b44a246d3783ea7a84b128c8abff8cf0510a14037e31d19b3f3fa265b09739d1a3783723fe1b49490be49597b1df4d282d3cef20926c9c21193de1d53ae39ca6

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

                          Filesize

                          2KB

                          MD5

                          d6ed07a903acb132bfc7b8a491dbea00

                          SHA1

                          e82e1defe92817b467095284fdd801f96f9aaa43

                          SHA256

                          49cbffe165ca0cee3314639f72106dcb6167f6d1d7465f73a1fc183c94afacb8

                          SHA512

                          2d1f31a37682a068a84e89515b4d111efc245033a00aee4c625f3ec7caad1b346a1894bc68741d90af520fa8d4b38eecce301cb7a01fcfed10081554dec29524

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\33dbb9ba-8f7f-4514-a0ea-73e9f06da39a

                          Filesize

                          746B

                          MD5

                          25c4468b1ec4b08e2fbbe7eadcf5bfc7

                          SHA1

                          ca394d7865d2fc67fa81ac5df1586bd607719a20

                          SHA256

                          fe747ceb802435231e57e46ce331dfac3cc58f6f5c2464e99e6ab1cdcacba26a

                          SHA512

                          ff3ee3a9c2ec5f30bebfcc6d96bd65ea34a76a59da79140ceeb2616d93a1e7982b037cd5fb57f45e34116501cacaf69d97c5896f1872e3855ab5496695f538fd

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\c5d78617-9a0a-4dd7-9f35-ba224661efde

                          Filesize

                          10KB

                          MD5

                          5ee79338c946e2d7ddc262f7c4df4d85

                          SHA1

                          459b36af58479041cdc6ac9e3738b77a29d1f0a0

                          SHA256

                          2e2caec7e92d5632daf9f9765cb4ff66ff9a5edcaf568d7e859b7f3384ebb6d1

                          SHA512

                          d343728cc216135e281f02fd290afb8e74fcc8cb9760ab4006d7b2b528181f661b3971a9d33e690e259bc8b44a9150772b88607c69732f7cf03b289479551a5d

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          9b56f2c51e0a89c31f4586abc113885e

                          SHA1

                          5661101255d1dadb26fa62af8b096afb1c0475be

                          SHA256

                          820a26cba6cadd9ad3d328314c3d6a59bdd55953ab4607c39ad0ed198b182bd8

                          SHA512

                          19667857e820a82f35af1e96aab027b25b71478aa0856c0e5d650906e8d1268f88f719a1f6939de9c182cb7ad00519b2eda7e5dde6d0563b151fcb6b171aad95

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          201abafee173fcbe6d7c647e8767d0fe

                          SHA1

                          ea49d4ff3a90513c9d4f202d9990e691b3e0fc1f

                          SHA256

                          9a4ca55078658373d45f9b691c7cbf4c823a0f35c2bd7ecb0b24f8a1a6ae21ce

                          SHA512

                          34b89b6dd03ff8f4b2c8149feffac78466d75a35ab8d24f0ac142c3e04f2b7ea23f557b1e60e9778a910417b27cf30d82da29db0d79b181fe22af4856d2a0a01

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

                          Filesize

                          6KB

                          MD5

                          8b4b1caf72de265e649f6e146ce532e8

                          SHA1

                          95038ded000926ea273e7d30cb5262a73c94107e

                          SHA256

                          8ec099ef20aa46be461e93c0999b0c67983c28219ed7ec7f062ecbcc3ae9d03b

                          SHA512

                          af542de4956782d01f6e85a26d397d721242ceb7a92aed208ccd3c87fc7cf8f2b074e2d5c2ef89f0938cc05dec0152fe524baf741e0ad3069a603b1fa469f7aa

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          5KB

                          MD5

                          bf5e7a33f3aba1b770d58291f3826149

                          SHA1

                          4eb2da05e2bdb1000b0af9fcc6c18a29245936e3

                          SHA256

                          d7e7b56b8728c5dec43bd8df4feafe7eb1c08dd4bffe2d261ba7042eb4afd71f

                          SHA512

                          4eeea129925c57fb4bac0420038b4c89d75b76616ceba465d486e932116b9e191d915683098234ccff8801847c3b3666bf53cf045b67671ba6d06554c916399a

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          3KB

                          MD5

                          f6fe0ae5a1de7f528d5db597be79c957

                          SHA1

                          5057b666a93e9c0f6657f5ac9cbd6b35e0ecf254

                          SHA256

                          d54cc7c63499a26a74cf6ec0b2e9b83e27ff7d574663008b889d2497a755d177

                          SHA512

                          e802e9227f6d73bbde3cd5b8ca1343299af4df511bb5c16a87f7bd821c9b238bc30e88421536ac5464a8a82eeb545afbc49c731c348f3f8c2eff91eafc0860c6

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          4KB

                          MD5

                          2ded1a369d2d55af268e045dc21ff6a6

                          SHA1

                          6852fe8f82f124cdcd8eb66c70857743d2656cdb

                          SHA256

                          7bc16e4fce21a502a99cfbaa59d72d6c15c62393935234df48c439aab7bf49cd

                          SHA512

                          82aa6b6f7dbbe19b6a30367a684ea8a1339631b242b10b9c30401d0daf2456c3f982b3742c5c435e4a14fe24a4bbea6da108567ea28d2157eee98c1e0ec44749

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          5KB

                          MD5

                          2fce92508cada6eca36d89a29ec71050

                          SHA1

                          d0d04930fef53c9064fbf3ab202cf7eebbddf154

                          SHA256

                          4d76075a688a69cd1f346f35aa991d6b62107df8ecda0e15a28fd3e3711d20f0

                          SHA512

                          6c1cafe49de44a701d644239eb548392f8480c94de941366f8dd413754dd4dce1e16e115972d4c0c01a37f24442c084759615e98c322dadd677f0d0fda0466b3

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          4KB

                          MD5

                          7c7c9212c9d0ec48e7eda8cc676d06e5

                          SHA1

                          0b3f263d8be13683eb82f43da414cb78dd45d920

                          SHA256

                          52072aa6af51da5dac46d15718dcf0bb4b3b2f019753b36132896c22ad8d70a3

                          SHA512

                          ced27d57ea431828187fad58c813ee586821367392447359f88d52a3e84bb7c6cf79d95b3bc53111ae4249e179fee3013a756fb80175c9a40e3bc839ac403c94

                        • C:\Users\Admin\Downloads\winrar-x64-700.Am6mo5jA.exe.part

                          Filesize

                          31KB

                          MD5

                          4a302706bfa1985c87a909c649b0bfc6

                          SHA1

                          ad99667ba6049b70303f6944e9c747d3316aa7b9

                          SHA256

                          1c11b5676172e451d7879ee30936772a951a1eaee659fddc2c6232fec135de11

                          SHA512

                          17b56264a85d467e3c7f52ec4c7cf2f2203a276f5ebef056606072781964887dd0dcf34dc7bfd025454fe9a7ef44753aa8d98dce2d0f6eb692aa6e21397f951d

                        • C:\Users\Admin\Downloads\winrar-x64-700.exe

                          Filesize

                          3.8MB

                          MD5

                          48deabfacb5c8e88b81c7165ed4e3b0b

                          SHA1

                          de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

                          SHA256

                          ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

                          SHA512

                          d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af