Malware Analysis Report

2024-10-10 12:14

Sample ID 240529-cv1dbaeg8y
Target fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf
SHA256 fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2
Tags
echobot mirai
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2

Threat Level: Known bad

The file fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf was found to be: Known bad.

Malicious Activity Summary

echobot mirai

Detected Echobot

Echobot family

Mirai family

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

Modifies Internet Explorer Phishing Filter

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 02:24

Signatures

Detected Echobot

Description Indicator Process Target
N/A N/A N/A N/A

Echobot family

echobot

Mirai family

mirai

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 02:24

Reported

2024-05-29 02:27

Platform

win7-20240508-en

Max time kernel

147s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0f966756fb1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423111389" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2D33F61-1D62-11EF-81DB-4E87F544447C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell\open\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell\open C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell\open\CommandId = "IE.File" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.elf C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.elf\ = "elf_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\elf_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2180 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2180 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2664 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2040 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2040 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2040 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2040 wrote to memory of 1516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 1516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 1516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1052 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 2448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 2448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 2448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 1644 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fd8ff9de932932bf7264ba598c7ae899b9cea81f998e3eb5e9d9f18dc2b428b2.elf

C:\Program Files\Windows Defender\MSASCui.exe

"C:\Program Files\Windows Defender\MSASCui.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.0.828422852\346010254" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f82045a3-1c47-4313-9d84-0ac57f58096c} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1304 124ed458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.1.182133973\2052057115" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7c50f8-c471-4bd9-9dc3-65bb567d224e} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1508 e6fe58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.2.1909537169\882911129" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2132 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5477649a-2ada-446e-87d0-49a69a62a0bb} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2108 1ae73258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.3.1992905397\534034091" -childID 2 -isForBrowser -prefsHandle 1776 -prefMapHandle 1136 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e771ea9-c561-4bdb-95ba-dc6355a7763a} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 824 124ee058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.4.1529525462\2027917673" -childID 3 -isForBrowser -prefsHandle 1136 -prefMapHandle 2716 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80f40f06-53e6-4cac-8ef7-a02d483d15e6} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2980 1aee1858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.5.1277970215\1491640689" -childID 4 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ac9d63-21b8-4fd8-a5fe-708593b358dc} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3752 1e99d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.6.853912707\1089144345" -childID 5 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09bad9ec-216d-41f4-ad45-e400ea7b1744} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3848 1e99e158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.7.63896041\2056745440" -childID 6 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6a09b4d-ee75-4d76-ac55-996648010e59} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 4012 1e9dcc58 tab

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 127.0.0.1:49703 tcp
N/A 127.0.0.1:49709 tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 44.230.111.112:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabAB6C.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\CabABFC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAC11.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1460d54b32dccc2238babba1ea672623
SHA1 98a053a31fe3a5a51d223ad24d9bfa32649d2ced
SHA256 d9c69d648e5f5682b2fcaa2f3043cc62d7716444d6b248d924e2d6a68229c205
SHA512 b5a998f9a624c0551f258c2b8f99c4ede79b9a35afab6011022ccc49ebf3a517614f44af5fe042a82d30035fb116facc1e69f8e076864d37a5ee635541dc384f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1f79307ae40cc2d5b50c568f417cfaf
SHA1 b8aeafe9e3de8da7ab34f5cf9da2d289098948fd
SHA256 5b66b9070f3de5545a45124b525891655a9a7525801007111edb8da23b68d207
SHA512 0cffa16eb1cd03053445e0bdc58b38dc40266cf33854fd3562c64d149d24756fee9a6a49ecde11887ffefbcc2324080f2133035991b51813476ba4d7ce718948

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 786c20c7be2e899c53a0e95afd2c428f
SHA1 a2985ff1175f5bf35d050c28196f1f716e82e26a
SHA256 0e116d95e021bf0c429dc0675d37242e35d5f1be26029c0c6b97ce0c52188a80
SHA512 a3106182dd891903a8479b0ec7b334a45f4ec7ec58fb0272618593af2374a68e787384c5b318bda8cd0b28ddaa2f899cdd23aa489e993ea42138fa446436719d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b659c9d25dbb617704d18ad888510f3
SHA1 30199aa1c2f46b476ec16713df356e67c70e0a43
SHA256 80cfee38bf398a58f0505945a842b67132413918fababfa55d1ded971788c3a5
SHA512 a19daeab5e8cbe5afeb9743a6fe11c9454e2868888b617f05cb6898e0dc51785a254923393235722b1fb0f06ff42002c6c5190443866b72cfe6d92dde64a6c80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 110c210e4633b01fadb55bb84171a385
SHA1 62397de504c4e36e61a1514628fba0627f6244ca
SHA256 32a1ceefd52f4a46c4f3e57b36c70ac5f7dd62676c66165558df665f834d97ac
SHA512 c08497f3c7950ebb7f2e008899fd789159f22c49652d40fd3827d1440c52fb8d6972a0e02c7b65d4ae95bbae57ebb32a4329f6112b986c3dc6942f55ed411229

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5abee495bcd207e9dec61001f797aa56
SHA1 196931d3701741800f8f596ad037505497c50234
SHA256 0c30b8e32895ff836959fb9ef8d8c3fce7b4fee388290152d4f5a9c8545f5ff6
SHA512 6a2016ece50a5d35b725df35ca3ed0b6d3c29ca68d338e93854190dbbaa6cafa3e837062df04ad5629d38e0d18bdc89deb86543c1157de83429e6647c17ced3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72aa8ddb96e589153dfd03c18c2e3260
SHA1 f4b7f66927b57505af4412956ee37da79fce2df8
SHA256 45498106bbe6d224c5f3d4b38848d89f640feb5ead9e862f23bcb9c4510d26aa
SHA512 a1fd66cf672d3ed4db1a9e599e992c9fa95eeab3649f29f8bfa88f7f47e88eb6ac8954c89c3de9e17a1af982c5b2eb7a4efc88f9131ddb54ea4787fea9ef8b7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaecebd2a2c29bce8f194290b5314eda
SHA1 8d0e2575735c4b55c7c1ce33c7f0ed6909b39f25
SHA256 61b5135967fece7fe506a4ec649906733b15e0c754b2a345042f3783ad861a9c
SHA512 b90a583a2dc8024ace52d6f7ade1cbd47f321fa65ed666e326d3d0d340d6a16b973c03ab0302a9b572df97a4dde4cef111cbc77994996e6e4212907cb0241857

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dfbe063e5c768ed173b4e21225140a2
SHA1 bb6350ad5fdcebe2c742495173a08a2872909d24
SHA256 6c64ffc3ec6eb62e38786c9dcb93abbbfcecef390638f83703957730c3733196
SHA512 2cfd14a6690b0742e603c73170e2c0914ab04c1ff5ced56f90fa7c8a295961c8ed9c972bc8855ec50c7f9c20eaf94307f5b15e39d20842f84f038920a24dcf5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f40c44015aa58b194533138884d8f7c
SHA1 8888a13495b17002bf07397a76afc8296263ce79
SHA256 3b4475eca2cdadb3b23c9084e6d1213eb7dbcb31f54c9e42e0edf0e9624df5d1
SHA512 7f4b396ad7c72f4307573b0eb9cddf231ef5523478d384812c9933a1c23e1f5b895b65bfa08f9b4599a9070aa49a30341399fed597495f62e8ec109787fd3cf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cf16a06acc8dd8c2f533f870e89f57d
SHA1 e746853a56d2290fd8692d8637d03250c02a4afa
SHA256 819653cf6ce0369eb2ff68d2927a9328711e86a397d3a6b839b99b8337a1138a
SHA512 f07a1ffb1888c7c41c77525d432168e54ec4fa62af163f366af5698a24f50e890deb1ed0dc5b5f9da4a5308e393f019c1ee468804f33bd49acc88b5bcaee412f

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\db\data.safe.bin

MD5 0daaf12dd611c76ebaa4ab37269084bc
SHA1 07e151b4347d6b6cd139b604e9a666dcef7afc2e
SHA256 e9523a57f6528d9d7f615b04ba8918afe7578eb337e0d1eaf480e806e770b454
SHA512 632e9ed6dfb78402e4541b29e19d4dc4cd77b846dce10f827886970c97246beb951b060c337d800f6ceb9cf34568496c9abd3c1183efcdb034a90be90062c2f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\f9468f1f-52b8-4a37-8df9-70e7fa754fcf

MD5 9244c64b6e452fa2ef3cf63099a9031a
SHA1 0213c33f241e517fab5e17f9655c85b886a2a25d
SHA256 950dc4c69ea4f04ef7b20094585e906e907a4314e0604fd24e392032d02e62a9
SHA512 e465c85171afe5918776ed815054f1f94df81c650183dde07729690f7360dbbe7d2dfc3f1a0bc4ce2621ae5a038c86da30dadb533ecf9de1577b48eabbb9a02f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\activity-stream.discovery_stream.json.tmp

MD5 93e0b14d70a15a6770c8c386ea967e1c
SHA1 ff25c2d8c6566aac35769a00c19f09dace34207b
SHA256 d5a9c4c2afc80fd9a9b33d7edd8631748cd8b898798f05c0a37b9333d8a06fdd
SHA512 16ce7dfe9e3a59dc5131186b0898c8f6001a7524d03bf900835c0f431a246267b0064622626468583dd5be126ccedf1b7df1bc60c067ae23dbaed9f93fdd2ca6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c4d3318e679a92c4b4f96fbef2c3c9f3
SHA1 5fe024a7584930bfc4a44667c14f35f16bbd8903
SHA256 1d2721628837735a2a6d85feea10ab187bec27724f4ca66602b3a6c67e27d2c8
SHA512 730ad431f27c73235aaf576cc257459e0f8120dda7ccf2a68e9b617260247fadd7ca4669e0fadd31fc29ced568ae22a9519e6da3ef0921aac84760e5de533202