Analysis
-
max time kernel
61s -
max time network
60s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
17-06-2024 05:29
General
-
Target
http://198.23.201.89/warm/Auto%20R.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://198.23.201.89/warm/Auto%20R.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://198.23.201.89/warm/Auto%20R.exe2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.0.947495107\1953070298" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1156 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26cde06f-ed1f-4f17-8690-187cd6617813} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1280 14009158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.1.2096318591\686097743" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2962583-3033-4191-bd7a-450bceb5187d} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1480 f71958 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.2.1549180783\119193673" -childID 1 -isForBrowser -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abc5461e-a259-4f48-ad28-e1e61bb37fbd} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1908 1145fd58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.3.460287172\665935942" -childID 2 -isForBrowser -prefsHandle 2648 -prefMapHandle 660 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {187888b6-08d7-4a46-9e4e-5fcfb514c673} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 2660 1b00fa58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.4.585030880\880304936" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26385 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df237218-5924-4f36-89bd-1affb1d55ce5} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 3836 1eef5858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.5.607667658\1443452544" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26385 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e4a22a-01f3-4e5f-bdaf-a0159c8767f7} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 3932 1eef5b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.6.1851673180\765090760" -childID 5 -isForBrowser -prefsHandle 3836 -prefMapHandle 4108 -prefsLen 26466 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54dae21-4344-48a8-b7f3-1891530bd730} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 4032 1eef6d58 tab3⤵
-
-
C:\Users\Admin\Downloads\Auto R.exe"C:\Users\Admin\Downloads\Auto R.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Downloads\Auto R.exe"C:\Users\Admin\Downloads\Auto R.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD50de4d7b8073ad67d27c7338427739ba8
SHA1235472c2ddb2328e0e27a672fd4de7e2b6127cee
SHA2569222c42a295fd21a6f0fa829726b4d3ef89d4ebb0cc5f69fb89c55c52cefd74e
SHA512045341c98a723ca0d97112d574e279e38976b93f988ff72e572f2025d5e2a5617a679cf842fbfe509d54977af21dfb31adff2c84e686cc434fcfba6d78ed746b
-
Filesize
264KB
MD51306778ea7672dcf0feeaaccefc7834b
SHA1c66a3f38bb0ad064904e0b0d8f4a68974a4156ea
SHA25662f03de61df004c2f9d1ccda1b7daa295bead15f9e4f7d3b04d2492dab0fd399
SHA512357b4e97722418735f322ba37634b911c31246eed9926e30bd9971b5854806625a5c3a48c8c57c691f7684d57612d12a6166330918c81e82e1663ea63bcfa923
-
Filesize
2KB
MD59b8b0f2c9dc2bb91b077c288383e4d28
SHA1d6dd8b253769f83000cd504f8e2d177ace552bfc
SHA25649ef4061d72effb4ff4d8565cef2e683703ee85afe131912fc873140d6990be6
SHA51297f48292cc04d814d83882ee6295aedb382b117d29fbde355aedc775d408a06b21676915183433fd71e24ab476cfc5615245709e48033d9e1ebfaaf7583b921b
-
Filesize
11KB
MD5d0c2bf955d322199450b46f5381442c7
SHA1f6f2040d5c312231e984e2d76ebcedbecb2b1453
SHA256890f392c2a02245a335c72d6337bc464f34d96c3f48f6cdbc5a243974e69510b
SHA512663392193c6f53183b6a2fcfe78f6da05ab8a99deb19bb2c469df9c8eddcb7da2f333986c261f546c76ffc0b57d6582be86e8933288b7a4148b6628722e56e73
-
Filesize
745B
MD540c393c09b3e6cfad63fa9a2eae6d4e5
SHA126d169e1703b8631f6b402e652ced7cbd497ebac
SHA256b1fc9a86bd91a788eed595417884fc3e06f1a0658017a2480cdf7e786f97e448
SHA51245f7070af7badc7c90a6ed3ed63b73aa8c889d771fc8f6cf3ce98a33f52e23ab2f3d002d7487d53c8fc3d24a45313faac78c9da38568d1f5743dd7f19e090307
-
Filesize
937B
MD585e116131ca6cc6c5bd7493c31294bb0
SHA1a68cad862cb35a40db4b4bf916ae14a6298d38dd
SHA25630503bb329cde4a1f25d3949e6f56049d230bc034fe933abacfa7a619d01c01c
SHA5128f54b88db748fda953e7f2cdd9f6fa5484c7af0f6cf005eeca7d29b8a7e9abd5973c696b621b3d46b987443986ff419e056f475893601b47cfe3fa48bbf4c927
-
Filesize
184KB
MD55e408510e49e400798db0c3d8d9d24b9
SHA1bdf1af36f1d03934209eac72ca486cf4c9810b45
SHA25681d5663f7cdc1caed0e23fb10c3798a9791c0bdac67b6ca96d321cdfe71c9532
SHA51220a1f7b4d4eb3117f0fae575a6d91bd37207c81fc831ee1baa54c752a3a1b547284ab198126eee37f0687dde2aae81085a555e0101074f391665317a61903357
-
Filesize
1.1MB
MD5351650a422e427140d74d8c68185fa24
SHA1c20e19d924a55302e8d642ced835643df817b408
SHA256c18e91fedad79cf98044d7a754dd39b673018e28dc6935bc9d63515b8d91a6be
SHA512b2b48979e2e93ddecf931e7b32a8678204fe3227deb3d14a1b0a5e37dc6184250849e1212ccf33f204ae4445cc4d45660463328c2fc0f1944ba66c40440bcd39
-
Filesize
12KB
MD5d8d044bc366722b4de7339d393857397
SHA196210172a40ff8bbf0ea82957eca6ad53d00ff72
SHA256854d55fa16e1fa68a2b403c5d35bf692ae1bebfbb95705e8368e688c9151c5c3
SHA5123aec33087fb822e37eda1b4b175491e95c09892ff06ccf7520d3a5d73ffedcaa84d6875c1cc562c5c8c4da12462d4353533452585fea9bb9c3d826687b0e4270
-
Filesize
16KB