Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 19:12

General

  • Target

    scripts/sirius.lua.example

  • Size

    468B

  • MD5

    1fdd7bce4f24c51ec8267d7fe65b265e

  • SHA1

    4f247776830fb30cf816f227f13d3645b8d3aa6d

  • SHA256

    d331a1344d7354019fdeb564a21f95f85f26458f91aa93d7af58affa9728cb1d

  • SHA512

    4bf9c85600dcab2ff532ef5f459c270d3197ea5a9d46677b4f7f1e0d2e3b3454bc5ba1f64bcb732448cbe37a71a2112511f46166ec4ba0f3db1ca14d4f685bb4

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments. In this run every hit is attributed to the firefox.exe processes (PID 2640 and PID 1908) in the tree below, not to the submitted file: the target is a 468-byte text file that cmd.exe could not execute directly and that OpenWith.exe handed to Firefox.

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (38 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
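The "Checks processor information in registry" signature fires on reads of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor, which both legitimate software (here, Firefox) and sandbox-evasive samples consult. The following is an added example, not code from the analysed file or from the sandbox, showing what an evasive sample typically does with those values and a small heuristic a practitioner can use to judge how "detectable" an analysis VM is. The hypervisor marker list, the core and clock thresholds, and the two snapshots are constructed assumptions; on Windows, read_cpu_registry() reads the real keys via winreg, everywhere else the constructed snapshots run offline.

```python
"""Added example: the registry-based CPU check behind the sandbox
"Checks processor information in registry" signature. Not code from the
analysed sample. Runs offline on the constructed snapshots below; on
Windows, read_cpu_registry() reads the live keys via winreg."""

from dataclasses import dataclass

try:
    import winreg  # only present on Windows
except ImportError:
    winreg = None

# Real key path that the sandbox signature watches.
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor"

# Constructed, non-exhaustive list of substrings that common hypervisors
# leave in the processor name/vendor strings.
VM_MARKERS = ("qemu", "virtual", "kvm", "vmware", "virtualbox", "xen", "hyper-v")

# Assumed thresholds: analysis VMs are often given one core and a low clock.
MIN_PLAUSIBLE_CORES = 2
MIN_PLAUSIBLE_MHZ = 1000


@dataclass
class CpuSnapshot:
    name: str      # ProcessorNameString
    vendor: str    # VendorIdentifier
    mhz: int       # ~MHz
    cores: int     # number of CentralProcessor\N subkeys


def read_cpu_registry() -> CpuSnapshot:
    """Read the live values on Windows; raises elsewhere."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: use a constructed CpuSnapshot")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as parent:
        cores = winreg.QueryInfoKey(parent)[0]  # subkey count == logical CPUs
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY + r"\0") as cpu0:
        name, _ = winreg.QueryValueEx(cpu0, "ProcessorNameString")
        vendor, _ = winreg.QueryValueEx(cpu0, "VendorIdentifier")
        mhz, _ = winreg.QueryValueEx(cpu0, "~MHz")
    return CpuSnapshot(name=name, vendor=vendor, mhz=int(mhz), cores=cores)


def sandbox_indicators(snap: CpuSnapshot) -> list[str]:
    """Reasons an evasive sample would treat this host as an analysis box."""
    reasons = []
    strings = f"{snap.name} {snap.vendor}".lower()
    for marker in VM_MARKERS:
        if marker in strings:
            reasons.append(f"hypervisor marker '{marker}' in CPU strings")
    if snap.cores < MIN_PLAUSIBLE_CORES:
        reasons.append(f"only {snap.cores} logical processor(s)")
    if snap.mhz < MIN_PLAUSIBLE_MHZ:
        reasons.append(f"implausibly low clock ({snap.mhz} MHz)")
    return reasons


def looks_like_sandbox(snap: CpuSnapshot) -> bool:
    """True when at least one indicator is present."""
    return bool(sandbox_indicators(snap))


# Constructed snapshots, not values captured from the analysed run.
PHYSICAL_HOST = CpuSnapshot(
    name="Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
    vendor="GenuineIntel", mhz=2904, cores=16)
SINGLE_CORE_VM = CpuSnapshot(
    name="QEMU Virtual CPU version 2.5+",
    vendor="GenuineIntel", mhz=2400, cores=1)


if __name__ == "__main__":
    for label, snap in (("physical", PHYSICAL_HOST), ("vm", SINGLE_CORE_VM)):
        print(label, looks_like_sandbox(snap), sandbox_indicators(snap))
```

The practical reading of this report follows from the same logic: a registry read of these keys is a necessary but nowhere near sufficient sign of evasion, so the signature's weight depends on which process performed it. Here it was Firefox, which is why the run still scores 3/10. On the defensive side, the values above are exactly the ones worth overriding on an analysis VM (a realistic ProcessorNameString, more than one core, a plausible ~MHz) so that an evasive sample does not bail out before showing its payload.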

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example
    1⤵
    • Modifies registry class
    PID:2664
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.0.658310063\1706537535" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e1fab5-5669-4619-a49c-9c43ff548073} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1852 25ee7027c58 gpu
          4⤵
            PID:4500
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.1.777708119\594012407" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7530d0-d314-4de0-b9e7-029f66586c78} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2440 25eda28a258 socket
            4⤵
            • Checks processor information in registry
            PID:1908
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.2.1080487793\466350738" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2644 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3e74c57-218a-4d04-a43a-e4059f6a8952} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2836 25eea047058 tab
            4⤵
              PID:2728
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.3.1331839758\1801177023" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f26ac393-c6f5-476b-9029-0ab3ebf1ace1} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3596 25eda241558 tab
              4⤵
                PID:440
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.4.1643078490\1574679882" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5124 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ab6765-3cd7-4e5f-bceb-671c3678948d} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 5136 25eed23f458 tab
                4⤵
                  PID:520
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.5.1301872949\1296993189" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde57213-248b-4505-8485-2c1ca8e9629a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 5360 25eeddf8558 tab
                  4⤵
                    PID:4552
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.6.1331632437\2086211800" -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5548 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {845bfe67-7a31-4499-9719-995e8f18f9e8} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 5568 25eeddfbe58 tab
                    4⤵
                      PID:2956

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp

                Filesize

                23KB

                MD5

                9bb779d06b4d03a36a05c9aff5867a99

                SHA1

                757ff3674fa8c5a2783a3c61eed0937f40bf70f9

                SHA256

                2ed4e1efba36a0d9f9fb45eb0be4ea15b9acc6468dd4e6afe922022b7c781a5f

                SHA512

                2b6628529117b6cd22ee682ec4f5c8ee1e3795d5ea732ae38138cee1e2d066bb15fe5123c5b8c37263406c16baa7c6987164a5e415cd3a5f43e732f1d9ff1420

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

                Filesize

                6KB

                MD5

                765c206b8bd9e39fc23944ee5f5a11e6

                SHA1

                9cdefe68bf0a973c54deb564c4ddab5e071a8fd7

                SHA256

                dc38cf4c8af7734eda119043a4e901798a19af5574d621296cd6ba011a162196

                SHA512

                f0f816a81b75ccb42230cbded90473ff32500e596925d3453b4bef63903e8c61bb59719894376bdf8f16813f2b42c07640f6d483176d90fb38db06e892d9a473

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore.jsonlz4

                Filesize

                929B

                MD5

                f5fe6ff19dc9e7bb5f0189f031778208

                SHA1

                451e360e992749975a53595b38ad6469c968b52f

                SHA256

                f78a8290a2d121435525d6141854044adeb6d90e8f6ae06d67cee64440b087f3

                SHA512

                20c033d9eb0856e88d3df809e3ad599b97d968ae7ecebc518bc2a315f02eef01743e093d6d725741f960351904c086079b00b032ef2df4490387d1e4889ac200