hxxps://yodgxd060624l18[.]xyz/233d788293f695acc5b1665af5fbd41f4c800440_1718387358/file-dln_666c829edcecf/?source=12&grp=17&file=&q=Bandicam-7-1-1-2158-with-Crack--RePack---Portable-

Resubmissions

14/06/2024, 17:58

240614-wkb3hs1blg 10

14/06/2024, 17:57

240614-wjt7psvbpl 1

14/06/2024, 17:56

240614-wh8cyavbmq 1

14/06/2024, 17:55

240614-whgvzs1aqf 1

Analysis

max time kernel
45s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://yodgxd060624l18.xyz/233d788293f695acc5b1665af5fbd41f4c800440_1718387358/file-dln_666c829edcecf/?source=12&grp=17&file=&q=Bandicam-7-1-1-2158-with-Crack--RePack---Portable-

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	firefox.exe
Token: SeDebugPrivilege	220	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
220	firefox.exe
220	firefox.exe
220	firefox.exe
220	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
220	firefox.exe
220	firefox.exe
220	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 1944 wrote to memory of 220	1944	firefox.exe	82
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 1152	220	firefox.exe	83
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84
PID 220 wrote to memory of 408	220	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://yodgxd060624l18.xyz/233d788293f695acc5b1665af5fbd41f4c800440_1718387358/file-dln_666c829edcecf/?source=12&grp=17&file=&q=Bandicam-7-1-1-2158-with-Crack--RePack---Portable-"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://yodgxd060624l18.xyz/233d788293f695acc5b1665af5fbd41f4c800440_1718387358/file-dln_666c829edcecf/?source=12&grp=17&file=&q=Bandicam-7-1-1-2158-with-Crack--RePack---Portable-
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.0.278966381\45886014" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3be22695-53d4-40c9-9070-c5cd42c6bb5a} 220 "\\.\pipe\gecko-crash-server-pipe.220" 1880 21870e0df58 gpu
    3⤵
    PID:1152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.1.1312630393\1274761563" -parentBuildID 20230214051806 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7b07fab-a0b1-4a79-b4a8-eb94a07d4b92} 220 "\\.\pipe\gecko-crash-server-pipe.220" 2480 2185cc89558 socket
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.2.1334789199\495730917" -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2924 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0774f99-4550-4c94-9ca6-df45f421e3f9} 220 "\\.\pipe\gecko-crash-server-pipe.220" 3052 21873634b58 tab
    3⤵
    PID:2068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.3.1488017146\80567724" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3384 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb876074-4656-49a2-8c99-49d1a3f358e1} 220 "\\.\pipe\gecko-crash-server-pipe.220" 3700 2185cc7a258 tab
    3⤵
    PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.4.321873313\1757494606" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8a3ccff-375f-4efd-8411-b4a0979084e6} 220 "\\.\pipe\gecko-crash-server-pipe.220" 5024 218770bee58 tab
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.5.1982916501\514988822" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e19127-f8f1-41da-bb5b-73a8d8a00b00} 220 "\\.\pipe\gecko-crash-server-pipe.220" 5168 218769ee358 tab
    3⤵
    PID:4256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="220.6.7792148\1202938782" -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb26ca4-3a92-4e86-b9fe-cc83b88cfb73} 220 "\\.\pipe\gecko-crash-server-pipe.220" 5360 218769efe58 tab
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3364
- C:\Windows\system32\PING.EXE
  ping google.com
  2⤵
  - Runs ping.exe
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
ee4d760d4db38e71a7ea1ecfe5d109d6

SHA1
7c25e3df1e6a87fb13042c46ce3ea973d579ddff

SHA256
99c556f5d9b1788dc4485ca3de3ef22c5cce91bd592451fcc2582be0993a8d46

SHA512
2b896b8bb45cc82d5cbe9b4603303187bacbe26ef361b56a1c5baf8000b5ef557d85714bcb2a7537c0df8268033095d941e8e0351bde0ee62b4ac27cc1bf658b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
85493ccd62383a70ff7afc429e788d03

SHA1
87a083a87293956efe9d52363a415c04d91ebf73

SHA256
8e795dc73724a25767ce8cd5b373ab034b862cf8a64c925a8c3e9f83b66fb0e6

SHA512
9f464ea7ec832b89b26ebc83dbc32f9734c1ab2489e8a7412878ebd115766130727f9d7219c05b6542f7e0408e41915e906047548fd497f80fc17a9c48e36b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1009B

MD5
3fa8f4faa8d47e409cba10a8e5ffbe95

SHA1
697f7fdc8c6dcf9114041b1327207809722a2370

SHA256
9bb98c2230554368b88ee2e1da36e8c446f7ff73be459802ddd337e780abc936

SHA512
7b5b771c8188bedf502e6473ca197271ec90f7d543e8466191b7ae3218112cd9bd522724e2eddf3d296b83c4c8a77995e6e49a9b4efa8b7f305f74f59e1834ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2e4c461fbc6147e7faadbb9666ce2ee1

SHA1
94d57e8b7ab7366b13c590ec54fd1c0491cdcd8a

SHA256
f2656cd13f38ca89dffa112fae6590ca2838670ca375f36df6a4ad09a31c77d4

SHA512
e2b05da8c323589453d335c96f6a6b87876e2e627be49ff4f24dcf7428550ccd15cad6db87512938a0acd17b2adfc756078b31a5eebd05f6e85ff3566e40251b

Download Submit