Overview

overview

7

Static

static

7

Bhop Goreb...ox.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    106s
  • max time network
    102s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20/05/2024, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bhop Gorebox/Bhop Gorebox.exe

  • Size

    202KB

  • MD5

    8ef84c8eb851c48eeed13d5eecf284d0

  • SHA1

    141752a2c62e45a77647be3b431bf93f3b2a07ce

  • SHA256

    6f9aee428c1b3f312e5030e4957e4851bc79bdd98d40c76b12dec3435b92f354

  • SHA512

    88985b6bf09b11af0688950458d7a473693c4c83ef118a7ea31aff7f8d7ee1db536c23a8da29542e996a6bd49dfa367766586ede56b46b61c98a2bdeb7a47ac4

  • SSDEEP

    6144:xZC4d3lbxc6wU/UP+XhdMRFD3LAwektHoSAY:G4dMRU/UP4heFjLDFtHoSd

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bhop Gorebox\Bhop Gorebox.exe
    "C:\Users\Admin\AppData\Local\Temp\Bhop Gorebox\Bhop Gorebox.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4256
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2516
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.0.2002564773\1938337648" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1311ef22-7404-48f8-aa01-b4fe8c8bf475} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 1784 25d7f0d8e58 gpu
          3⤵
            PID:3056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.1.1880865095\1656462353" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f75cac3d-30d2-476b-9c8b-65ed882bf29e} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 2136 25d7d772e58 socket
            3⤵
              PID:3984
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.2.1701498541\756606270" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2732 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da0385b-c50d-4ced-a1ef-036f50994a0c} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 3020 25d0c99fc58 tab
              3⤵
                PID:4460
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.3.1013600714\627604189" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ae41940-70d3-451a-a3ab-bd969a6548dc} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 3636 25d0b0ba958 tab
                3⤵
                  PID:3948
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.4.517141962\337366066" -childID 3 -isForBrowser -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfde2ddd-e7e4-4e1b-90ec-cc3df3dc30a7} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 4140 25d7ec32958 tab
                  3⤵
                    PID:492
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.5.1363165547\1239652039" -childID 4 -isForBrowser -prefsHandle 4920 -prefMapHandle 4964 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c5432bc-4969-4e89-9aa0-053646eb6ec1} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 4948 25d0cfaa758 tab
                    3⤵
                      PID:656
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.6.162492894\243937526" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a0d8480-27df-4829-9467-b44b4c20b3c0} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 4900 25d0f2b8558 tab
                      3⤵
                        PID:2244
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4600.7.650019850\1016365027" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {350019c4-bf81-4104-981e-b691116ddda9} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" 5244 25d0f2b8e58 tab
                        3⤵
                          PID:3176

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                      Filesize

                      7KB

                      MD5

                      c460716b62456449360b23cf5663f275

                      SHA1

                      06573a83d88286153066bae7062cc9300e567d92

                      SHA256

                      0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                      SHA512

                      476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      9KB

                      MD5

                      aa37be374092236d4388326bac310dab

                      SHA1

                      a291478b4f5a1f4732754e59d300cff0aedbc328

                      SHA256

                      050953c50230def1a1aa2b1a6b1613b931d37b4517e8c8801920988d61a7946d

                      SHA512

                      facaa1ce7029142d2932fd931c020412b7c1ba1cf709253442d566f279b69906ceea4b71e283769881fe30c36337410df26d6dfbf7bd762ce64a4b64ca4275c7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\312f6644-e349-4dff-a286-3d31bdbafa1e
                      Filesize

                      734B

                      MD5

                      604956004442b565ed345b8234096ff5

                      SHA1

                      8b71ff9bcacb3dbfa264d5c40b1c302160107871

                      SHA256

                      fe77db6ea7c2908ddd8b5698de7f17dff9008e4ee50f45cfd73ffc5427ffeb78

                      SHA512

                      6e0a61e2355d39d47e2cf9dc1a58b654910f7217f58b24df4c4c55dff1fb8462a0450d7a1a5ea814d30616ce15e970d0928e191ba2a64b607cae517f100e3d59

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      47a3018d6f2cf92def15cac5d4657c1b

                      SHA1

                      58bf49fc564085971366e25a9db5e26ca1c9727d

                      SHA256

                      0ba954aacb299e9f7493fac179fc8f2be362b0f9929c3a9119a369aef173cca8

                      SHA512

                      2eddbe4ddf9fb76642f77e5a45a59ac7a195ff42a1716ffb2cc1bd3c172fa427f8ddc4650a3716964cf473c5a1e089de2dbdecce62c1cc3867e16dd8e43b5c56

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      637e42544bf4e4e5c858d87fceb302a2

                      SHA1

                      1d747ea0d89437cd39d02c76ed70df3b7c505ee1

                      SHA256

                      5a519846989ec4eed303d9fe8b5554410b502177bb6b4199c6cf25290a4913c2

                      SHA512

                      bde691d8015773707c4445155ba1ad419033c335bb11ca325b9c249e8aed83fefd096bab28806213ad368508e2a5be362c4a5a8038dae40246a8bf0a246cb8cb

                      Download Submit

                    • memory/4256-0-0x0000000000400000-0x0000000000474000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/4256-1-0x0000000000400000-0x0000000000474000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/4256-3-0x0000000000400000-0x0000000000474000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/4256-101-0x0000000000400000-0x0000000000474000-memory.dmp

                      Filesize

                      464KB

                      Download