a33d16ea4894ec01686e53d01c6a2b8f816f4abdaead7ece41262e03ffa9c13f

General

Target

Crowbar.exe
Size

4.3MB
MD5

3ec3b40887c5cf7962773e60dfb201bc
SHA1

d9e8c971af104fe9e095d3917683ad63a6a03c28
SHA256

b723a406a7f99a5565c10dd6e8c8de02e8988f6162e7fe44bd0e9ca9d58ebad9
SHA512

01ee89e1f4c0a963b4f2b139bae118479565f38bd556244fae976b103b13c657aa2610bbf18952d0d5cb86faeff8997d7f574f64f075f556204c309c742dba8c
SSDEEP

49152:bmEVdZRzpCm9wROW5TUBJ55rfAocpl1LVC8aoLCE4c4OTernGmcFxs/0JhxCU5:zwDNA5Kb1LYvc4Ovfs/6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Crowbar.exe

description pid process

Token: SeDebugPrivilege 4616 Crowbar.exe

description	pid	process
Token: SeDebugPrivilege	4616	Crowbar.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

firefox.exe

description	pid	process	target process
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3044	548	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\Crowbar.exe
"C:\Users\Admin\AppData\Local\Temp\Crowbar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:3044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.0.1598785764\502723683" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f583376c-7255-4c07-92c0-d8ccda74ee6b} 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 1964 20f7eeda858 gpu
    3⤵
    PID:4204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.1.246724739\834774757" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c234b0a0-0ac7-45ca-99af-42b18d01a3ed} 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 2364 20f6dc71358 socket
    3⤵
    PID:4092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.2.619150296\946834371" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f733d23-6abb-4952-908a-4035d15f500d} 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 3192 20f7ee5ea58 tab
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.3.1017962668\2028362971" -childID 2 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb137004-08e2-49e9-b1f0-0700f8310753} 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 3812 20f6dc70758 tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.4.85558292\743020475" -childID 3 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e760c77-49c8-493f-ac5c-906b29baf7d6} 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 3984 20f06ad8e58 tab
    3⤵
    PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9e2f4bc9ada4142195f618ab181bb25d

SHA1
93f3a29d7a25d325a98d415948f503fa14ce3ee1

SHA256
897bb8e22dbb1709a72cb806385d31b79b21faeeac9fa2cfccdbd16f12ab17ec

SHA512
f4f86da9d80d76d9c60bfb72b8934e0c56a9bea9e401152e57c2418155bb6a2107762182b758298a2b2e56a98b31c806cfb2ad500884934a691d8e7b5cec640e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\da114745-fc76-43c4-a0bd-6f40d5987aa9

Filesize
11KB

MD5
1775cf9f4f40774a47fde948b5ffd797

SHA1
41cc4cc13dd6298d775a39c62475193f69220ae0

SHA256
fc4bbd4604bfef1b8aa9a1cb68e52db3ba8beb47a7957877ec006227088ac07b

SHA512
5a8215fb26b16943cec4695a9be7c7b9e1c9e14d587021341e72efc0e29fe1c3cb8e96f24a141f4b0f94cf827f53b8d63b7026512dbda7b244ade0d7a19ef9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\f2fb6a83-d05b-488e-a1c2-621eee1bdd97

Filesize
746B

MD5
77a8faf1caa7437b5214bf02348c28cb

SHA1
6d41ab3fe90d389ea06f1b32536bcfc8a5f81d34

SHA256
865ae9faaf3d0ebbcc2d29ac13250dd0a2af0c0c940ce613a680133a274ef634

SHA512
5a63979b0940598fa46d6e34cba4e1daf894845ab1cd6a0f98301868b3947aa183082a6ba4a865a0db4da09cbe6fb4b5ad592fb7b7d228f39e0607f2a4aeaad2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
d454153f97157f030cf474030339dedc

SHA1
8ef9dbd48c192f60ad2269e2acbd414bbc358b3d

SHA256
fc63256e4b001e5f4cbb92743d28b440da945840bbbe999be03539a2ecc589cb

SHA512
8b9999ecc60449b687bdd264f183ed18843f6d14f33fa192c3b15abee36544b3e81154e0762032559aca60811209ca8329ca5e305140e9e7d52d5064916551af

Download Submit
memory/4616-18-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-19-0x0000000009260000-0x0000000009422000-memory.dmp

Filesize
1.8MB

Download
memory/4616-13-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/4616-15-0x0000000005EE0000-0x0000000005EEA000-memory.dmp

Filesize
40KB

Download
memory/4616-16-0x0000000005FC0000-0x0000000006022000-memory.dmp

Filesize
392KB

Download
memory/4616-17-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/4616-11-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-20-0x000000000A000000-0x000000000A52C000-memory.dmp

Filesize
5.2MB

Download
memory/4616-21-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-22-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-23-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4616-4-0x0000000005100000-0x000000000519C000-memory.dmp

Filesize
624KB

Download
memory/4616-3-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/4616-2-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4616-1-0x00000000001E0000-0x000000000062A000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing