metasploit | 418541857fdbac27dcafb5f1be266ae9a5c35c3f69ea64e8af14e996c12a53cd

Resubmissions

31-05-2024 11:24

240531-nhs91sgc32 10

30-05-2024 18:03

240530-wm2e7agh32 10

30-05-2024 17:29

240530-v2swxseh6y 10

Analysis

max time kernel
109s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 18:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

418541857fdbac27dcafb5f1be266ae9a5c35c3f69ea64e8af14e996c12a53cd.dll
Size

96KB
MD5

14b6593b7fccd7eb33e3abc23c1f362c
SHA1

750e811324238a582b4b76f929af593101a6d1de
SHA256

418541857fdbac27dcafb5f1be266ae9a5c35c3f69ea64e8af14e996c12a53cd
SHA512

b02fe19367e3b1bea50ddddc01739d5bde4c16503c6ee041d64c3dfb7e5378f2f9a20e463c03c49808746bcbc0704eced39fc064de3f6e1c8c06f7a6eb45cd9f
SSDEEP

1536:FFCLtN2pRudECjdZZ/goqj48n7yEYhUrD3QhpA7HdqZLSwPMUU+v8TJGim:rmtNcu6CBPoM87bMUD3sGu8+v8TJG

Score

10^/10

metasploit backdoor bootkit persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://5.149.253.238:443/jhGC

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

6124 MEMZ.exe
4296 MEMZ.exe
1656 MEMZ.exe
3568 MEMZ.exe
5156 MEMZ.exe
6116 MEMZ.exe
5164 MEMZ.exe

pid	process
6124	MEMZ.exe
4296	MEMZ.exe
1656	MEMZ.exe
3568	MEMZ.exe
5156	MEMZ.exe
6116	MEMZ.exe
5164	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
177	raw.githubusercontent.com
178	raw.githubusercontent.com
179	raw.githubusercontent.com
180	raw.githubusercontent.com
181	raw.githubusercontent.com
182	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2956 reg.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4604 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

pid	process
2956	reg.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exe

pid	process
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe
4296	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4604 vlc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2024 firefox.exe
Token: SeDebugPrivilege 2024 firefox.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

vlc.exefirefox.exe

pid process

4604 vlc.exe
4604 vlc.exe
4604 vlc.exe
4604 vlc.exe
2024 firefox.exe
2024 firefox.exe
2024 firefox.exe
2024 firefox.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

vlc.exefirefox.exe

pid process

4604 vlc.exe
4604 vlc.exe
4604 vlc.exe
2024 firefox.exe
2024 firefox.exe
2024 firefox.exe

description	pid	process
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

vlc.exefirefox.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4604	vlc.exe
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
5156	MEMZ.exe
3568	MEMZ.exe
4296	MEMZ.exe
1656	MEMZ.exe
4296	MEMZ.exe
5156	MEMZ.exe
3568	MEMZ.exe
1656	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4464 wrote to memory of 4524	4464	regsvr32.exe	regsvr32.exe
PID 4464 wrote to memory of 4524	4464	regsvr32.exe	regsvr32.exe
PID 4464 wrote to memory of 4524	4464	regsvr32.exe	regsvr32.exe
PID 4524 wrote to memory of 4004	4524	regsvr32.exe	cmd.exe
PID 4524 wrote to memory of 4004	4524	regsvr32.exe	cmd.exe
PID 4524 wrote to memory of 4004	4524	regsvr32.exe	cmd.exe
PID 4004 wrote to memory of 2956	4004	cmd.exe	reg.exe
PID 4004 wrote to memory of 2956	4004	cmd.exe	reg.exe
PID 4004 wrote to memory of 2956	4004	cmd.exe	reg.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 424 wrote to memory of 2024	424	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 3252	2024	firefox.exe	firefox.exe
PID 2024 wrote to memory of 4028	2024	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\418541857fdbac27dcafb5f1be266ae9a5c35c3f69ea64e8af14e996c12a53cd.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\418541857fdbac27dcafb5f1be266ae9a5c35c3f69ea64e8af14e996c12a53cd.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set XlOLqhCejHbSNW=8300 & reg add HKCU\SOFTWARE\WaMgGneKhtgTTy /v LbmWADsevLywrkP /t REG_DWORD /d 3809 & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\SOFTWARE\WaMgGneKhtgTTy /v LbmWADsevLywrkP /t REG_DWORD /d 3809
4⤵
- Modifies registry key
PID:2956

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RemoveConfirm.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.0.743241403\1718702044" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1700 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c174fa09-e146-4658-9c16-90f1131ad5c6} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1868 2389610f058 gpu
3⤵
PID:3252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.1.1402425665\1583181859" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2077713-eb06-4c41-b1cc-4231446e08cb} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2436 23889489358 socket
3⤵
- Checks processor information in registry
PID:4028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.2.282339546\912494797" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a77741a-5f37-497a-83ce-3b73f85ca39a} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2848 23899007258 tab
3⤵
PID:4360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.3.1644522546\1174217165" -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 2764 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bd00b21-bc47-4b4e-8790-ebc89af8257f} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 3968 2389b147858 tab
3⤵
PID:2320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.4.331715533\1316597189" -childID 3 -isForBrowser -prefsHandle 4976 -prefMapHandle 4992 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13962d8b-2bdc-4196-9352-6749145fc0bf} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4944 2389d42bc58 tab
3⤵
PID:4224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.5.1441083636\1924761248" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {365a8dcd-ca81-4335-a29d-ad4796d69410} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5000 2389d42a758 tab
3⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.6.305856695\2091249111" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad42a3ad-fb4c-4bb1-b725-9a0e541cfb2b} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5304 2389d42a158 tab
3⤵
PID:4888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.7.1143093796\1033075901" -childID 6 -isForBrowser -prefsHandle 4328 -prefMapHandle 4332 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cfa4102-1c0f-46a2-b5c5-25da4294342b} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5896 2389c403b58 tab
3⤵
PID:1648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.8.1684040177\891826739" -parentBuildID 20230214051806 -prefsHandle 4476 -prefMapHandle 4484 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fec82fd-4baa-44ca-b4de-49a4219e4abf} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 6080 2389d262258 rdd
3⤵
PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.9.601133440\1848481147" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 1232 -prefMapHandle 3560 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74e01cde-d303-472e-9a06-0a4668d290b6} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4348 2389d261658 utility
3⤵
PID:4972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.10.1402066720\663031653" -childID 7 -isForBrowser -prefsHandle 6176 -prefMapHandle 6140 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2007528-cd39-48f4-a8df-80109548e323} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 6280 2389d260a58 tab
3⤵
PID:4392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.11.1352062605\930922974" -childID 8 -isForBrowser -prefsHandle 5200 -prefMapHandle 4996 -prefsLen 27962 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {225c5008-204a-469d-9670-7b7585242e89} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5284 23896678658 tab
3⤵
PID:5796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6000

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6124

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
PID:6116

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /main
2⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5164

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
311328795d32b1f63e8347495bfa5856

SHA1
3218202e6fbec6ceb89002802faee11fc23d129e

SHA256
503df43050680455b84528dc4d79c541a9fafa58c6f2d1af8a07c3e1f862ffa2

SHA512
00fbfcc12b44f258ee34b461b4de8a4e4f812db96ed5617625373afc3c96ccfea46fbfdfffcf9a0ef732457a12c3743f814b1b0f33151b936dd59053ea60f155

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\cache2\entries\041C4F545D1E509BC208BBABAE51AC5A16C7DC00
Filesize
56KB

MD5
26d95282a699cbb4f611374057e52c77

SHA1
50f3814d58d93709c76eb5a8314eb94d48896a6c

SHA256
8d3f0416c357f2dce3f30b281d9f7aa7cd13127b26436fcf97500432bb554fb1

SHA512
d330bda0fd2c156e88ce7c0284d5ea761603ba5569abb8cca319bffece7463acde26a0ac2fbf50abdff1b860f523cd31faf8c8e054f6ca7aaf1e92171953803a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
bd41ea68c74a623e46a0a067c0ce322d

SHA1
71042b36123f95a1e71002a889bea53caeb2a7c1

SHA256
6802b9bfb6bcfcea11a60b685be52e8ffada89bf446276217e087c2e78c32e48

SHA512
e0c321df13edb985c09b433bbd9a08ea64d946695e4b97b199b4e778819233d015ba6b50de0acd366c8f8a037a7ef5c7bde9204f06789e876e63959b7efd2ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
43fb3f83a82a8aec8b6c268f5075353f

SHA1
1dac210c0d5c9daac4c595d732e80fceb2a8b708

SHA256
5e7b44cb436f98c4d0d4a1ac3da839934031ffa825a87ccd3740e569d7d9cadc

SHA512
24d36b0dacee028061e70b06b202d3002802a89f7fbdec9b2ab0e6fb64bf0b1e17a18bd9dd05af781ff370128791aea62eafb4e82b7438b879c2111440e4914d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
59cd9a3dad32de59ee4e1fb673c8c145

SHA1
93b1f343a0dbe2896bbb42cba85889feb6379020

SHA256
6c7cfb06ac6e42fb5577632abac8cbf9e8ba8cf0ce59ed6f3c6fc909c11ce100

SHA512
bc2d99fb287e028997a7f745de4a05a9a09dd66fdcd65dad9df2203972b6c7cc5ff466bf37ec26e5d36dd2949f263bcf48be3dde52efe1fb8b6f7af665e875ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
23a1a83b51b91ecd440322e093c25e35

SHA1
6a4d63b834df0e05eb454d951ec677d1579907a9

SHA256
76122442b4c064bf3b99e7b49ae25489b4a40222804fb143cec26f17882d956c

SHA512
59a30e235988456c4b46491c00cda8961841524c48cc96070d638679f4da9416ecfae2ec7ebeb7661d8611b5fa887e63557bfd98eb96f779479f4b5b8f6da354

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
e29f59c30d67deb71d4d720aedc392ac

SHA1
43d7a29d2b48130f5a9c7fed2740ab8dd9cd217f

SHA256
69ef7b4602fece5d1ef5dab247bc33df6f0635d49feda30adff41bee12f0867a

SHA512
aef87c12a1185e49f9da35c262321da196849f241341386ae2f0a3813507546b023e2552cc93f01b6a5bf7af49c4d57538e6e0d4b16d33957956ac8f571b6a0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
190e45a089d9d08b704ec889a9274167

SHA1
2d62896a3f058994f50d26846ca1c7247daa1ee4

SHA256
cb569de61557e75e3f84eac53c51110311e6d44c908b63922190559762f30cbc

SHA512
0d5c84ccf2304fc7da7450fd3c814e5e99dbbb6a01909266bad6aea8aa1a4f9f1ff236efb3bdef98b8f51351288851f5034b7f2ec94c1ba1a4a0d1e166fc2c49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
3a086a1577498a6779d75954abcb1cb2

SHA1
53d4a8fb4a435059c63da56bb4af6401c8db8cf1

SHA256
5896ee2eee49c8072aa705250a9c926d5c4062394dfd8b99a32b8121364e6615

SHA512
72d6ef44a91877be895ca8166bbb4d8bb4d01f87b4843080954661e040aa78d4c5cedebe21a3c547d6beeb78c83e0bd923a2a09f53e12651d52bb4d251018ab4

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/4524-49-0x000000006BAC0000-0x000000006BADF000-memory.dmp

Filesize
124KB

Download
memory/4524-0-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4524-1-0x000000006BAC0000-0x000000006BADF000-memory.dmp

Filesize
124KB

Download
memory/4604-12-0x00007FF9F6050000-0x00007FF9F7100000-memory.dmp

Filesize
16.7MB

Download
memory/4604-11-0x00007FF9F7B50000-0x00007FF9F7E06000-memory.dmp

Filesize
2.7MB

Download
memory/4604-9-0x00007FF7ED8B0000-0x00007FF7ED9A8000-memory.dmp

Filesize
992KB

Download
memory/4604-10-0x00007FFA07BF0000-0x00007FFA07C24000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads