Resubmissions
17-06-2024 10:03
Analysis 240617-l3qzaawbpb (score 10)
max time kernel: 66s
max time network: 77s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-06-2024 10:03
General
Target: database.exe
Size: 202KB
MD5: 344e63414eabf4e9a367a35575f3f912
SHA1: 873c62937ddf8e8e4f1f8de50fd9e5e85891f26f
SHA256: b311a4b65d33d41491e14d50598168da43f75894d30776205213a05248646e86
SHA512: c1373ecfef42a24b545d863c81af8837ac01b89870106e9312ca84adbbd78d01fbd5ed5c4a514520b88db38c217617e4e4ed70495b83b68c4e2b82d37408f0d6
SSDEEP: 6144:wLV6Bta6dtJmakIM5YSxxV2Pvj3Y+w5Ay:wLV6Btpmka2PvTc
Malware Config
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" | database.exe

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | database.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\DPI Service\dpisvc.exe | database.exe
File opened for modification | C:\Program Files (x86)\DPI Service\dpisvc.exe | database.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid | process
600 | database.exe (13 identical entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
600 | database.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 600 | database.exe
Token: SeDebugPrivilege | 4128 | firefox.exe
Token: SeDebugPrivilege | 4128 | firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
4128 | firefox.exe (4 identical entries)

Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
4128 | firefox.exe (3 identical entries)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4128 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 740 wrote to memory of 4128 | 740 | firefox.exe | firefox.exe (11 identical entries)
PID 4128 wrote to memory of 4120 | 4128 | firefox.exe | firefox.exe (2 identical entries)
PID 4128 wrote to memory of 4960 | 4128 | firefox.exe | firefox.exe (48 identical entries)
PID 4128 wrote to memory of 4664 | 4128 | firefox.exe | firefox.exe (3 identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\database.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\database.exe"
  PID: 600
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 740
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4128
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.0.178302193\1007203189" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {363c19ee-a417-4c83-b189-27e4f486cf6d} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 1780 21e290d6158 gpu
      PID: 4120
    - C:\Program Files\Mozilla Firefox\firefox.exe (socket)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.1.61261066\327258852" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9028b76-cbfe-49bb-bf1d-20fe77b022c3} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 2136 21e28c30858 socket
      PID: 4960
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.2.1137473995\1508361906" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd16d7cc-cde4-451c-bb5f-32ccb5bb3b7b} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3032 21e2d393158 tab
      PID: 4664
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.3.1101551892\1826522309" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7530f0-619e-4f34-8523-0485c753a2ea} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3564 21e16d62258 tab
      PID: 4868
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.4.1395604087\1774170961" -childID 3 -isForBrowser -prefsHandle 4416 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e663b2-bc31-4f50-9943-f3638876dccd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4428 21e2f2a7858 tab
      PID: 4300
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.5.323068282\1396862862" -childID 4 -isForBrowser -prefsHandle 2524 -prefMapHandle 4824 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99079003-75dc-4463-94dc-af0fe409c5fd} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 3700 21e2d9ded58 tab
      PID: 1448
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.6.665477055\731759365" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5907bdc-f58f-4fd8-a8ca-557bfd9e8a50} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 4956 21e2e1f1058 tab
      PID: 3576
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.7.1184883601\672168546" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5e4df1-d51f-462a-bb72-af22a588f85f} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5140 21e2f9dad58 tab
      PID: 2752
    - C:\Program Files\Mozilla Firefox\firefox.exe (tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4128.8.1875503242\1724517108" -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c430896-2541-40a6-b394-5817bc619d10} 4128 "\\.\pipe\gecko-crash-server-pipe.4128" 5728 21e31221058 tab
      PID: 4048
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 55f5c762557f059faa1ae44c5e7dc087
  SHA1: 0df9e5e9be77641102f22806f6a56b626c9e29b3
  SHA256: 95014fcc924bf4e391cd9da567d13bc164cbc2b806a69034d4d6793326ab701b
  SHA512: f21483f1d0397e73eaf88a847d5f6ea3a7ec5e85f1a0474d62b32719866c020794ea000aaba40968efa0319f324df688b9b3caa6f8fe309159311610cdb49910

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\329cb8c8-d477-4ce5-8dee-c368a91cacf0
  Filesize: 746B
  MD5: de1bd75bb410cfcbdce73f9e47449ed5
  SHA1: e88e2b59e2503698c0b1221541adb7b6c4cafe8b
  SHA256: 0d352a99358648889eec1b77ccc2adf7ffaf54829d748dc954cf8397b1472d75
  SHA512: a2eef1f9b11aa1f6bf3323596e81fe00c0179b448f20e07e00e7c1d9353d9914db24be78b614aaf3744372414d166dec68969b99eacaf65d2b3499678fe2705f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\b10ad12c-d6b8-4d73-98c4-96520166028a
  Filesize: 10KB
  MD5: a73245a25674c6034d4debd87714ea4b
  SHA1: e5f3b31b6efe9a28618faa5119c820001268e0c0
  SHA256: b21e5b2a7c46283b951662336ec1d345c74371675db6c1a8912004eee67dece5
  SHA512: 47bfa708ec5a9f6a972143775b93d0a8d5744a4d74be91e640f2b2ad95096a0c2dba83f8a25c43fd0d07aa937fa286c4e84edc8df7efccc809252125e0d21865

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 7879563b3ae36fa1fac713f96a0ae10f
  SHA1: 50a9b290d8da684b510c9de9ad88511949d8c094
  SHA256: 0cab8d4853993e4a1432fd7831fc2ff59f6ff5de8ffa8a5119026572797dd904
  SHA512: c88c56427c34d890c74b3c87b3732d359a23ab9c6b19b41230cd023609e499a009846ab28c9cba33df7f5b44025597251cafc8fb6cadddd58e114732fe7a36d0

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 90400ab0401f05fad835a0af8b96c60c
  SHA1: 227a27b58111ed797236dcbfdff1b86e8f5cdb76
  SHA256: 4b244a654b723f8a0869cf31987276bec1efc40cb26a176b35a46de53fb1b891
  SHA512: 686a831677991803bce1df544392f91c0ed157d492fdca326d46e0f35b760f614c7cfbd518098d0db18eb26cc5b38e44d5ce564b1dd7826f7060408fcb261e5c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
  Filesize: 4KB
  MD5: b472d2d300ba493b96db5eb26f1d9a15
  SHA1: 6f1b18a0b30f84ef37ce2cc9a48645bfd7e2fc47
  SHA256: 0ed49bde0ca3f9d4be5e885a2ae916e5e0368549daef9380490860eb1549cb9a
  SHA512: fcadac291b2dcaa97711975fc960a08e79c30a44c917638d72e348e4c566e52e5cdf13b327fdf4fd818ef624a679037b608dd30996e5a599e4fb463cb6ea6392

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 731c0e733fe1e3123d366af7c8e578ae
  SHA1: 9756304ea773dd9cd96e5996dc79de2ed6a9ae9c
  SHA256: 8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359
  SHA512: d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

- memory/600-0-0x0000000073A21000-0x0000000073A22000-memory.dmp
  Filesize: 4KB

- memory/600-1-0x0000000073A20000-0x0000000073FD0000-memory.dmp
  Filesize: 5.7MB

- memory/600-2-0x0000000073A20000-0x0000000073FD0000-memory.dmp
  Filesize: 5.7MB

- memory/600-5-0x0000000073A20000-0x0000000073FD0000-memory.dmp
  Filesize: 5.7MB

- memory/600-6-0x0000000073A20000-0x0000000073FD0000-memory.dmp
  Filesize: 5.7MB