4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

General

Target

CapCut_7376221114583760912_installer.exe
Size

2.2MB
MD5

c91e097550ea6ccedf592d8b83414e0d
SHA1

021f3f26d86f98af28dc987baad8714f64867207
SHA256

4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6
SHA512

916898c9850ddfcd2c11da7421eeffc4d48406d9ad4787a4dc572ec17a81a39edd30733aa8cccde8b31450ff8031e3da68be019a8a0eff50c0a17ed4fa0aa3c9
SSDEEP

49152:uGVKq6wrr98ArcTTuVMZCC8GYCNbFLg3dlXI5x8oaigMv3Dh:uGVLprJ8ArnVMZCUPFcNlXID8en1

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

CapCut_7376221114583760912_installer.exe

pid	process
1556	CapCut_7376221114583760912_installer.exe
1556	CapCut_7376221114583760912_installer.exe
1556	CapCut_7376221114583760912_installer.exe
1556	CapCut_7376221114583760912_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CapCut_7376221114583760912_installer.exe

pid process

1556 CapCut_7376221114583760912_installer.exe
1556 CapCut_7376221114583760912_installer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

CapCut_7376221114583760912_installer.exe

pid process

1556 CapCut_7376221114583760912_installer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

firefox.exe

description	pid	process	target process
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe
PID 2028 wrote to memory of 4424	2028	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\CapCut_7376221114583760912_installer.exe
"C:\Users\Admin\AppData\Local\Temp\CapCut_7376221114583760912_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.1068957766\340038878" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dd9c0f-5b83-4c39-9246-407e721bc949} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1884 1e02e70da58 gpu
3⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.348422523\2020892610" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c7b831-addf-4942-948b-bad2379f201b} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2456 1e021a86258 socket
3⤵
PID:1876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.1160548297\35620842" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2756 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e4d823-e124-4f5c-bf65-0976445e084e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2808 1e0310ed958 tab
3⤵
PID:3216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.1761826044\1663464683" -childID 2 -isForBrowser -prefsHandle 1204 -prefMapHandle 844 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65caaeed-a238-41a5-9aaa-30800261a353} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3324 1e021a76b58 tab
3⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.370135519\1790772368" -childID 3 -isForBrowser -prefsHandle 2996 -prefMapHandle 5192 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4f070ab-09d3-449c-a67e-695a5ece0cba} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5072 1e036220e58 tab
3⤵
PID:1092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.5.1897725248\936118189" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 2992 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {578f021c-176d-498a-a733-d181956de286} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5088 1e036223258 tab
3⤵
PID:4292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.6.193991920\353291907" -childID 5 -isForBrowser -prefsHandle 5212 -prefMapHandle 5136 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9826fbc4-35aa-4f28-8e5e-f4c59a1eb3ee} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5520 1e036222f58 tab
3⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
fc8c87dc5a55652a5ec1b97a0600a531

SHA1
fb4e805f6bb5dd2447f2cb4aec860f45bcc5d509

SHA256
9d80d523e7dc908abf56de6ad10b96a04fa96e15efc0ad7990e615e16a1d1a43

SHA512
61f116770a0ee4c5089296aa5490c35cc313015c6607ce8428f4fb36a23037c4413c03d265326bd58504d6229b03695c0f2f11d30ff6b93eb49112bf0ce2a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E33.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E33.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E33.tmp\downloader_nsis_plugin.dll

Filesize
1.2MB

MD5
f181413906a465fd0dd68cc4a3d98803

SHA1
5aa28be48047dd0b672ab98d5e7cbd8260486b4b

SHA256
e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda

SHA512
8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E33.tmp\shell_downloader.dll

Filesize
2.3MB

MD5
c052c0a2ed833d924b7799625413ac1c

SHA1
bdd08a29f4de283ba0eb3cda4abc26f6e85d4d5e

SHA256
098972cf9ddc9d574130e025a252a99b278de9cc0ae700acfb8c935c24eb1172

SHA512
89e67c29d5d8a401a70a5b572844f24bfde82d5d4259ecc5e6f12be0ddb434995a2e985914fc421973998e3fdc48b133e269e8bb1da513ec66199f01060162f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
6KB

MD5
5e3b12eae18abff3a084d1c3960aa8ea

SHA1
11fb117c1a40b4cbf50c6d40eff10b6190f18d26

SHA256
817821d7b06914088fc35904ab1d4089abe9d9c88b5ea7f8d719c4933e9500b0

SHA512
449bc253d3ac1318b0e5caea050a330e10eafd5967c32cb5717b5e390677086dd767f0a1a4a6af5f8cd5f3ac59b05072918d136b87643e2d93f4e01e98a6b182

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads