Analysis
-
max time kernel
134s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
11/06/2024, 18:33
General
-
Target
Debug.rar
-
Size
329KB
-
MD5
47e3ba7ae4fbbb5c882235a9984e8c78
-
SHA1
849ed8c27fab0df9f200f9015c57bb876b5f872b
-
SHA256
77dc32acba6230e31ed6c52c029953508abecaabd7de0b8814fbb67b24a05418
-
SHA512
2fd42c1b4e3dfefffb4c6d3e86ec94a0d34bbf4847ec4529cf728ae4ae21d5a452a7e69692778f548afa37dd796e9e9f3e77c276a8442f3fd88d95f0c2eea26b
-
SSDEEP
6144:exEXTmCe3wMw5dqk5sxSao1moleAnyv4tg+swhq9a7VqdSGnaiQSPKInrG+ZZHLp:2EjLDdqkKSaoAol9nyvmg/9GcfnryIr5
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Debug.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Debug.rar3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.0.561274441\2141297731" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64f3b808-b811-42c3-962b-e986c2f54601} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1796 22b9b805858 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.1.1117284184\818149420" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d337858-7537-4d04-8646-c6b5ad7998d9} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2156 22b9a403558 socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.2.224598069\1913778604" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2932 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c286fc4b-2654-4846-bb0b-60aa84879b61} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2744 22b9e3d1f58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.3.1494571545\255999935" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc4cfa4-e541-487a-9c11-160192a4e85a} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3456 22b8812f658 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.4.1951834287\371575373" -childID 3 -isForBrowser -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a9bc6b-1509-4845-b7a4-9a9ebf3848ac} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4864 22ba0e30458 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.5.1093997722\681805887" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49afeb00-afbe-438e-bf86-5ffe9426b42d} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4996 22ba0e30758 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.6.317730938\1648519025" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f519b8c-64be-4cd5-80be-307de0ae8d24} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 5192 22ba0e32858 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.7.1099487398\672841095" -childID 6 -isForBrowser -prefsHandle 1252 -prefMapHandle 3436 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d00a9ba6-e345-4c98-8b6f-b08d5a2328d9} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3116 22ba030cb58 tab4⤵
-
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Debug.rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Debug.rar2⤵
- Checks processor information in registry
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\1ec204bc87b64d2c8ee56bc941e91da9 /t 2140 /p 42761⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Debug(1).rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Debug(1).rar2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Debug(1).rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Debug(1).rar2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Debug(1)(1).rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Debug(1)(1).rar2⤵
- Checks processor information in registry
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Debug(1)(1).rar1⤵
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5d3a02e6b85ab7a5b5d5312178839af16
SHA18f61039162ea8c457a26f06470c31a76b86861fe
SHA256fda0a717bc00e1f9a304d1d147db471e92f980284194e30249d965c1b9a024e1
SHA512f0a63286fad8a226d76d3b88fde2b885d4e150e11d6e319ef3dcad4982b0477421e3aac8f9fe34b0dfa47c029fc0de9479889bc2f66aba29bc7168df10c40849
-
Filesize
412KB
MD5f5e9537e186adb798688bf382ea485cf
SHA1503502449c9f953182164c72841bf340055fbca0
SHA2569546d19d4bbdc21072d52e6b1e59c817cfcfd20425f13bdc79fc68e6166a7ad3
SHA5123c249183c2fac1c28a6e051a2b762f5aa0f7852fb1b68a54f1b3e5bc90b0816e6f5f2877c90cbb242ffcb31a739da3a77bdd8947af38ec97d74cb274927f37b3
-
Filesize
18KB
MD54ac584e07950b52c786f3c0de7c26b32
SHA105814dce6f86b51df338b491ad4f856a01c705bd
SHA256f280d81f7da17502612075804db21a21ce7985c084efe93daef80b954253a4ad
SHA51275d0a6d25ad748e7c86bd05e1ea21d17290e666b6ef26ae6528749854f009272e1a1ad3897a2f2ebdd727de6e7470c464556b4cafee5bc2a6a9eb87468f738e7
-
Filesize
2KB
MD581de75e1ca11c1a9821612ef00e51842
SHA1aa86bec80ab502461b5bacb8bb4229fbf1a08766
SHA256cca239f3c1e45d77a2c480edd6aa8fe2dc76ba6d0e33bc5b64855da6a99f2607
SHA5129f0da94b1a1df09ad7d8bb07723a5ddbf9528f972345510be9ac5d81f3677dd677386e79ecfa64a36222afad4df61e3c5bc50735aa2d1282a1c60a130319117c
-
Filesize
10KB
MD5d2140dae8bf394c8577633663cb0be53
SHA12b9d5bf33f413633a04d9357d5768e3c3e3b3f7c
SHA25689b2ad4edf731a6d13bc2252a1971c85566738b1435acc9311874ec4f38f5124
SHA512e5e9c7fb1426efa9bcbf9221c57ad774d74fa325ec98ccd9c8d0ec60c48da43c13c0e1b5c65d83157de366b861ee92a465ab0da66f336aba98445eb51cdc7fa8
-
Filesize
746B
MD53635a4c66f3804b36a46988ec55ee6d6
SHA1a39cdc0e826cd5482dd0f705c252f199eaf91e2b
SHA256149df0acb5d0dc671143eebdf00566d8f8e65bbf44fbf32373f82af781066947
SHA5121a78b86de583fcaea36ffc695dbbe5a734e36bb2724802c6e876f8fd9a7de794a804af49dbbaa6ded4702d9e99d4a8b662f8fd616e17ac589d365832c318d2bd
-
Filesize
6KB
MD56e2ce705acf9227c71d95b7402f07087
SHA18e72c0fc5321cc41d5b176583e78f9fde439ed9c
SHA25600d0caacbf40cb79c03d7ca63ed7a6212c1a7b9f1af8fa09b4a70a05c0546527
SHA5124b6e617325dfe748ea15cb02dde005b42a52357eb06a6a10869ad54c0dd25265875bffdf4c4f49998b84b3b14878c4579cfbc2ab8c36f4142db863fcc99c8bd1
-
Filesize
6KB
MD53210334c531e967517ced279eb8cc005
SHA106424235f179bf876633b763b63669d2394e43f1
SHA256634724dece277b41fca52dccb9ce89fc0756a217a189b7f22d939f8b35110f80
SHA512d8629405637eb6b214829257f2710d68a272da4f18916ea67506f1320b8219857a67d6b0f35a1e800ccf9d1614a752e9bc89ec1c734aef04f8f614aa03883572
-
Filesize
6KB
MD581377045cc41d5de2c2381cec4dad298
SHA1fbb1cbcfa3b36e7cc4f28f19ea94bafda1204efb
SHA256cfcd94af6d4289311ab1ec014a486688545f6c6160863c32938ebbbc5a4bb503
SHA512d91d51107f3846efe376249a69e88c6f4a616a4660ed98ba6084deaa701470aafcdda4e1dc42ad4147a025288077b6333e9e52a784393e32ffc3eb443bf70414
-
Filesize
6KB
MD5a9c877d1341042c31aacd1f40c4bdd7a
SHA1461f5869bfac1e85ee4619bc1a1bb89f308d88bc
SHA2565658c071b662e85fc761906e699912f66ecde6a19721b710ca470deac8edafbf
SHA5127fd42edfcace351760d825839ec78a68781041ef1812f80f9e1fabd708c5449286f5c5e311bf973859ca21e9002552039d0db7b4679c6aaec6af6233974709e8
-
Filesize
1KB
MD5aafaec8e7ff61f1124a9acd7870d1292
SHA12dbd0afd67a30a0b4619c2d526915d151506a80b
SHA2563379e6d59a255c3097a62024555366524fa2d574f25f1d3a50329af25bcf68e4
SHA5126ed06cca4c27c1092b4da6b11d0992909d6217a13b8393cf78df8d9e21993226f74dd4390220ee575f8b7cb010daf3235f52badedd6929e9cbcd05f366647959
-
Filesize
3KB
MD5c2201ae3dea5ba0548484c55eee84430
SHA15a4f99b854097bb6c4370d57edb0c4a916a2c8a9
SHA256e287bf7b9d5e573b2fa6f8574dc6ddd7d52020319a25436af58178b4ccf90eaa
SHA5128c33e75073d719dc292bd517d682f2f8feceb0097e6606c8d62f750b3993359bda4107a4df34bef551b960293f71bc0bb37ec4d6d3012f9894e686af215bbc17
-
Filesize
3KB
MD513c3d2a6a8994307a19b2688e6151e00
SHA15ccbc29cd0cdc36fb176c2930c2ec633abca21e5
SHA256b67486fb98897a4fc90a100d51f1156d566bd2ae9902eef0e5995e0d4ec0010d
SHA51245972d6ea3aa7216a729d425626d8e08f7d3c9f654b30c2c2c9e82b4f96f1a5689f636399db729fc1766977ea806a59a5fbe370aa5110a9e13f8b00cfa86631c
-
Filesize
3KB
MD53499c46b4c8df90f2f5c65a375b0c5d1
SHA1939da1e1897aae86c98c8c2d752226710172abc4
SHA256aaa00a414d49875376ba670982f92fd67f67af5361ba8a2956a04e2db4eaad14
SHA512e40a01e5642c04c6e414652ba565759380b1761386531a4e5df41959d1c7ddbe7a849950d87f2837bb66868df1ecfde912d8fd35203c36a8ebe0a045296d5989
-
Filesize
3KB
MD54c5f0fdbb3e2a433a8ecd6147bd6ba3d
SHA129b2fdf03a880f947ec3228c1cc6ae25e7b22a1c
SHA256029407498f039df79195b7b5a8134a7fcbae0d6e5abc53ec2d8af30dc3fc5d4e
SHA512987b24813cf8b46dbfe5e67b409b20373ab3acb92a83c1b99707ce2a3eeb7e0eb86cbd4e5ac298dfa08648fe0808a2f18eead4aa1be2f87820982cf771f5112b
-
Filesize
3KB
MD5a5afcc18a9763f8aca804d0577a862cb
SHA1086383ba06027ce0163895b2e9534bc5ccf0adf8
SHA256778f6dca809588448c2ab4bd4b61738032d35f841c9183b9b42308b3ae5c7dd8
SHA512072991c617eed12383f0fb8e761a9269c09bbf616baf83ea7268042555a3a0cdf9660a3604b6c0fff813a4139a7b124c88040fd6b40a0b3b64e64ce274fa2d39
-
Filesize
3KB
MD5a18fcfbd2de81bce9af85c53a159312f
SHA11cb7d916b3e4fa55c29dc37b1b4c9d00d1fc5b13
SHA2561f54860d0e6a94ef2c354785218b096a527f788ef531baa4772a7b0838b37a3f
SHA512c85a92c18b87cbf4832abceb596bebdae2f7fbc2075679f9264480f34cde390d5d1d92cc139008dc040b2706f28f4ff7b52b1d0bff25b19a09fcb47af95982be
-
Filesize
3KB
MD53ea4d2f217eec1c9f8991ace4356df4d
SHA195fc307ddb056c3e8160d3af62ce8da9119bcf57
SHA256a45ed1e7f0b21d639247f57a646ee73fbc4ed8a18718fb8c3a4761b31d231d41
SHA512ed3005d5e28933375e73fe76c1ea3bc515ffa297d978de99cfb0bf567816ebd4cadca4abb5ac83930fa1d9fe405439ef0c1196035d2e28fc312e70b99e60ef00
-
Filesize
184KB
MD50ed2663971e8051b2bcb574926400fa8
SHA1467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA2560c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898
-
Filesize
329KB
MD547e3ba7ae4fbbb5c882235a9984e8c78
SHA1849ed8c27fab0df9f200f9015c57bb876b5f872b
SHA25677dc32acba6230e31ed6c52c029953508abecaabd7de0b8814fbb67b24a05418
SHA5122fd42c1b4e3dfefffb4c6d3e86ec94a0d34bbf4847ec4529cf728ae4ae21d5a452a7e69692778f548afa37dd796e9e9f3e77c276a8442f3fd88d95f0c2eea26b
-
Filesize
15KB
MD50768b4e647494f8879e68a78aceec69a
SHA1ee903db50a63f52087d5cbdf10964e63d9ebd4b1
SHA256b6c766647c4117e535b85d668da78bfd39e05350ae8582321090684b3ef00be3
SHA5127f6e0fa7c95f9010566476495c46d6f814c4ec4e9c068ce27ba9244fe833ee001ad507f0ae34a67f6347779033d5ca85698d370d0dc6b7b06f0c74f5c4e380cf
-
Filesize
3.8MB
MD546c17c999744470b689331f41eab7df1
SHA1b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA5124b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6