Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 09:47

General

  • Target

    all.rar

  • Size

    33.7MB

  • MD5

    3ec17e3f9a4712bf7475b23a4b40702f

  • SHA1

    cca281771dfa61f9e296c8ea15488db84afa90b7

  • SHA256

    799b0843607e187aa605a47938c37ee86014e294c43a72e2ac54de59200963c7

  • SHA512

    66616768e249b5c6c6c513e6196f070e6df1957ff6ce3ca6f9be3a955773af9a890a72b09ecece26ea845cfdcf69aedb0a334934830bd3b52362641ad33707b1

  • SSDEEP

    786432:PtJGSayTfhFdQZRl1VAliV2YJ+cQWfBW1x/dWxE0gzl94jxZazG:V8SaNZnApYJhkx/dWxmomzG

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\all.rar
    1⤵
    • Modifies registry class
    PID:1136
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:628
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.0.1563263500\412643321" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa0d058c-2856-4214-a4fc-7f7b5b275206} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 1836 258e27f2858 gpu
        3⤵
        PID:1808
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.1.1042168659\781810367" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5214319d-7886-444b-aa07-6a29503c0371} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 2404 258d6a8a258 socket
        3⤵
        • Checks processor information in registry
        PID:3472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.2.1184490558\1540633568" -childID 1 -isForBrowser -prefsHandle 2836 -prefMapHandle 2892 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {368fcd1e-4c95-47ae-89e9-797734ae231c} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 2876 258e650ac58 tab
        3⤵
        PID:3224
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.3.766777954\1299172670" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bfcb375-37dd-47ef-90af-f6e25a5d2b71} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 3672 258e876cf58 tab
        3⤵
        PID:4208
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.4.1348575179\774084554" -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7072f7a-fe17-4b5b-8b07-7a51e5013ab4} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 5496 258eadfb258 tab
        3⤵
        PID:844
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.5.1947983257\600649633" -childID 4 -isForBrowser -prefsHandle 5380 -prefMapHandle 5384 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdeee81-e750-49b0-ad9f-93939fce0cf0} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 5396 258eadfe558 tab
        3⤵
        PID:516
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.6.113417120\759477852" -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8705603b-3f41-41b8-a744-b5c15fe25ee3} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 5620 258eadfc158 tab
        3⤵
        PID:4068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.7.1483923800\717338725" -childID 6 -isForBrowser -prefsHandle 5744 -prefMapHandle 5760 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f48c90-d88e-47e9-aca3-97090536b301} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 5692 258ecc30258 tab
        3⤵
        PID:4676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4576.8.393310437\110428632" -childID 7 -isForBrowser -prefsHandle 5820 -prefMapHandle 6036 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1703e14a-f508-4f95-ad1e-ad0a1cdbbf83} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" 5816 258ec554858 tab
        3⤵
        PID:1620
      • C:\Users\Admin\Downloads\winrar-x64-701.exe
        "C:\Users\Admin\Downloads\winrar-x64-701.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:844
      • C:\Users\Admin\Downloads\winrar-x64-701.exe
        "C:\Users\Admin\Downloads\winrar-x64-701.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5080
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\d6d9bb059db74dc8a99de7eac5b1274c /t 4544 /p 844
    1⤵
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB
    MD5: 8878c695d8469ee8f153e07afa77a6da
    SHA1: 93a2bce591ec99162fc733e2121dcba0c7c44742
    SHA256: f837e2b4fba76cc7301632c524d69268688bf053783993a033e55121de8c3b79
    SHA512: 7bc047369e961be567f027928b6dea7b0976818b096a1600e3cd71b96b3daaf040fa48d7678a41830ee2307f4748af5a66893b29a527387b219c18e880e385ef

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\doomed\22715
    Filesize: 10KB
    MD5: b2e046adbc0f7c945733cb847ad61fdc
    SHA1: 19448b6bc59f51b9461433e5177d74d2ca895f85
    SHA256: 1064b54e842ebf71dac1cdd4249a6b20ce2375c8ec948a8afe5a996e10ca775d
    SHA512: d4589356097a91246ff72ecc552893b27b025ffa029e2baeea142ec8fcdecca8d1c4d9e4e4bbd630867be8b59a88231d65ec8c4260aac3f7b5f7656ecfbabc62

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 3e7c2761fb7dabade6d4a3a03e69ae29
    SHA1: 37638c42f0ec12dbc5aa4c5e2ca9325a87e69dd4
    SHA256: 3ef5273a2788aec6e8fca90b8ac84e47c0831ec82f976b945570872da75d2a64
    SHA512: 3442d075b7bc72ffd43d4974d32f71c65a72ddaa58d1c5a2962600c98bb81f7fa75d870e31619b1a4220478065d348eb7b0aa3d65dae168a4f9fe9d985b7cbf5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 249fccf03c3ffcb44ae01df530bfe483
    SHA1: acfbb1acdaf007ac89ad6187f55c9754d4c27d40
    SHA256: 4297f9970de47064acf024bddf9a0d05b916076b2712da9f250826b967af6a7b
    SHA512: 7dcaa048a2c807ec9bde3fe7d8ec23a6a74df64cf57a08a44af2b720e0d8c64433cbbf22c1a9a92408b65669591459acae0aed0c484f4a0143182909a90d9d8a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js
    Filesize: 7KB
    MD5: 9fa5595cded679aab594ca7cac37c754
    SHA1: f761c51748f9cb80863be10e135527227e0bbd34
    SHA256: f8fdf712d08a2033be6f44bc4da07315dcb804e6e3f900c841007b31fecad747
    SHA512: 92d116c46143e946bd13063c9ba2de1da884339b1cd2409cec547c97803938f46dbe9d6609b5a3f0afe65825d150525a66db833b1bb0873d031781d627c74821

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 5KB
    MD5: 83dff38de78e9721faff19a567d6f8e4
    SHA1: 6a4ce77a57d0d89bc35016fba68933657d8e1912
    SHA256: ae4d5472d7e690c80383c9c6d9a523d3ce8cb5796575e57086d0f1d99390bb98
    SHA512: 34ffa9c6ee8dc585ac63d66740930e02d02b667a5c960dd622e38cbbbaab5fcb08bedcf2df3a120f4c24f9579f15d559eeffcc773dfc48e82c6e272a52e03a1a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5: 8137a1c97114de9b6eee0265d8728cfa
    SHA1: e4f62d9e91a9aafdde7b5d356882b916eff3e958
    SHA256: 3acc9b0d8f5ce99f8d64095a9e478002e1c772d91b20b3f206c2b846efc12343
    SHA512: 7bc7f1876dc23e4d0316f1da854d1421737522b0ecbfc2133994b71ce718b04a509f5709f69a545151c28adbfcda414bf5e62c37549e817d070df7c4f497ffb3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 64d53e02c5abb47c559df101caac292f
    SHA1: e9ac4fc77cc64dd5257e5ea3160400bd616a25b5
    SHA256: 9f3eae9f11cc3aa094a292c65856ea714080ed18fd9c886e8fbc698556d018e4
    SHA512: 5cacab203e5f33ed48ddb2772cff1198615b5077eec2fdba941c2fc302a09da4baed32624cbf8e8c2166c3b0f45a295c73cca011a055e26adc3b9f467d1171fb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore.jsonlz4
    Filesize: 5KB
    MD5: 62864ee0cae034af24cbdf37bcd8bcf4
    SHA1: 7438c05e13c00a2c381e2260a0ff2a0e643b1b7a
    SHA256: 9bd384933190f4afbca9cf75176081d1fdf3b3db9f0581036114176df6fd9fe9
    SHA512: 5dc50fa0122d440c7936aac144b8afd8e23159f3fba40c2e6b5daa0680b46005a60b141a030adfc55ab64d628d0ea58eb95dea80118e2c37049aaafcc5feac66

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 192KB
    MD5: e9e8b2f90fac85310fa5ce5262aa319a
    SHA1: 1ab8a444598f99d324d26fc89512c04826e6a513
    SHA256: effc2094d24313affa46301516329323327dd97cb7b481034eab3d2010ac37c8
    SHA512: e41491b6c3a2241d4c601618f3495d4b37a05d965f5479041eb9c4a12bdae6ba1d2f34ecb9babd12882a62b5522ae5b330763d9672618474cfc68df3631cd9bd

  • C:\Users\Admin\Downloads\winrar-x64-701.exe
    Filesize: 3.8MB
    MD5: 46c17c999744470b689331f41eab7df1
    SHA1: b8a63127df6a87d333061c622220d6d70ed80f7c
    SHA256: c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
    SHA512: 4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6