Resubmissions
17-06-2024 12:37
240617-ptfcza1ckb 7Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 12:37
General
-
Target
pppwn_GUI_1.7.1.zip
-
Size
14.6MB
-
MD5
e375abbaadf6208d58eb46b91ec7f6ab
-
SHA1
466555f025b4a2a06e82b7979e5ec9ad089a2911
-
SHA256
276e29045208e8f5814cd2da88812b48ce30eb1f106a59756e2c4d26aaa6b489
-
SHA512
b93122f6dfbec0c11bb468d438112763d8a1d5d4c983e47649bd77e222f524fc541c5e43a4549bc8fe95f068261be5f330ebcb3951aadab0b72a91aa67235adf
-
SSDEEP
393216:WEm3wINArb97YYP21Mdd2SmASLRWk9d+oRdXs:WEowICvaX1MdEO2RxXQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\pppwn_GUI_1.7.1.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.1090951997\1832256640" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f08c959-39b3-44a1-9ea8-ca4ea8117b59} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1836 17f2dc04158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.1.819201126\610762640" -parentBuildID 20230214051806 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea47629d-fcd7-4e44-b107-c3ac6b4a6020} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2404 17f20e89358 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.2.387913140\625930976" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 3192 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74e89009-5a74-4965-ab39-db9b2fc4c86d} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3112 17f305f7b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.3.900417115\1028712845" -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5c87e2-fccb-4829-b7ac-5e3db1d98626} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3888 17f31ff8658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.4.1319376169\497176240" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4724 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {538c7255-fb8b-4e28-8a2a-865949aded1d} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4928 17f3494f258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.5.206575392\534564080" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5eebbed-ef56-44b0-ae17-960f7ba891cd} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5060 17f34950758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.2005629110\912509815" -childID 5 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fec36b02-00ca-46c3-9614-315e42a04e2f} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5360 17f34952e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.7.1459184011\1885769278" -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5836 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {125dd270-a5fc-48cd-9c7f-d7a8cd8af1dc} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5860 17f3490ae58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.8.993079274\1238350710" -childID 7 -isForBrowser -prefsHandle 4828 -prefMapHandle 5496 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b46cad1-f080-42f6-8a7f-23147f3d8b84} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4460 17f32dd9558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.9.73269955\853108890" -childID 8 -isForBrowser -prefsHandle 5528 -prefMapHandle 4476 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa7de008-3258-464d-b70d-3647bb2a7912} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5704 17f32ade958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.10.1171761148\846887603" -childID 9 -isForBrowser -prefsHandle 10292 -prefMapHandle 10128 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63b6998-4821-4e42-b0d9-d0a342257ee1} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4964 17f37329358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.11.1975999012\711125975" -childID 10 -isForBrowser -prefsHandle 10144 -prefMapHandle 10164 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2792edfe-a47c-4e3a-aec4-9810a11285ca} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 9940 17f37449858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.12.304810773\1892857070" -childID 11 -isForBrowser -prefsHandle 9912 -prefMapHandle 9924 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9f9cbf-7f81-46cd-b460-975754be24de} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 9744 17f3744ce58 tab3⤵
-
-
-
C:\Users\Admin\Downloads\pppwn_GUI_1.7.1\pppwn GUI\PPPwn GUI 1.7.1.exe"C:\Users\Admin\Downloads\pppwn_GUI_1.7.1\pppwn GUI\PPPwn GUI 1.7.1.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /IM pppwn_.exe /f2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pppwn_.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /IM pppwn_.exe /f2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pppwn_.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe"C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\pppwn_.exe" --interface "\Device\NPF_{9829536A-0D9A-48E8-9D93-5BB970A69AC2}" --fw 1100 --stage1 "C:\Users\Admin\AppData\Roaming\pppwn_mw\exploit\stage1\stage1_1100.bin" --stage2 "C:\Users\Admin\Downloads\pppwn_GUI_1.7.1\pppwn GUI\Unpacked Version\pppwn\exploit\stage2\stage2_751.bin"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /IM pppwn_.exe /f2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM pppwn_.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD557cc35a149e623f8fd1ff0dec87067e5
SHA175bbc5c2cf0f23a403fe9316599f768a59961343
SHA2568f74ef74f7a495dcfe9df39c0c1f0f5b1884d3ba4a26075a5de1c1339655d755
SHA5127bf6dae351821c1715cf54347d9812a09c5c05a6ebb1672905192240dfa02457d38d3c6453e1a810fd5052a5ff7e23fd7e2a6f28f43f4951847c42e07f6628de
-
Filesize
30KB
MD57edda92813666ce59ef22ee4c671fcd7
SHA1262318045ea73860524ef7f33fbd40d6cc218755
SHA256d0f8b51f822b6ac9fd02ec1938a042bcef920248e9ff08dd36f726d46f8de4e4
SHA512cbced159eca16948b03f96d7b5b4874aa88542ef7c7c1f6c70bb23aa95a19e51630515a7c72866a85be56cc02dc717323ee354103d5b685fc69d154447559b32
-
Filesize
135KB
MD577b906bf588ba66ef2ac6f9711e7cb9e
SHA1de76007974ffbef669a581ed7958b878f5e8ef90
SHA2565486926badcbdf37fd25b6d22c893ed6f0fb255126a02bf24838917171295730
SHA51288fb9e99b5acbbc7b92d82945c7e54d0e7986f010cfadb90df05e3634767c8bb93a6cb34f4fa4a90546b3abbcf5f9a0f1d486caccba47be05b596840939211b2
-
Filesize
7KB
MD5635e6ca07fd897ad77ccd933e756d8d5
SHA13fc4a3b05823b9a24e82ec6d58b7e138b682bf55
SHA25639f04ee4f30275a3cf52f46e0cd19a0c478fcb34f14d861c1ad1579b6f7003cf
SHA5124da0fbfd2f9e0430672d9af251745d57b3de67748c4ca31292d63768cbbc4247b7fb86d08c6b005bbc4a54f419e46dea834c0362073ffb1b9335742d2fc9bb3e
-
Filesize
7KB
MD544c15413839774a883a8c156bb4f6cf2
SHA17154971a3c8a4c080f237dd4decf4b9619f03b31
SHA2569e1f417bceb08cb6536e5eb7f8f3a55571b975de24da81c5cff0e73ae4077c75
SHA5129a4969fc3097de07da2e1a0080e513d6b95619df6272cdd359cba1c8d1f743da6a4ea3ced2801bebe45d756c7cf7bf9fd394d19d20eb73c63416c51988ff26e0
-
Filesize
7KB
MD5d0c2b9c2a5b199592740fab5e7e096e4
SHA17ddad11c51d2444d38f0cabc63dca915e0340f70
SHA2569a3dd84b12f3d6707b6144fd3d823e9eba327dfb823eeaafd093f59b5a29cafa
SHA512fd9340004c270398d2729c438bc8436fd7743ca1711b817798c456e2957f638b8acddba90e55846e5fadcf25516d52c053da153d7608f601483fe753b0124ae9
-
Filesize
6KB
MD51e9e923c143703bd2112295022709e11
SHA153283cfddd1082b55460d68e0cab818ea43f7da6
SHA256b0bbe8dbcd554b1e126931204fa3786ab846cdf7d83491f1674a6d7444b4060a
SHA5120fce407b88e71f537cf7fe4dd926296b76ac70159b47a905cf989ba52833d854de16a72d8aad9ce7d4baf716754c4a9131154a1d2f258d0ba41b9541f82002e6
-
Filesize
3KB
MD50d4b8282100d8c9c0c989a56f0f80445
SHA1546eec6d650e531d13f325b8f51899bad713fc7d
SHA2568a88cd8e30e7746ef47b90173353899da6d6d0f158b9269b1f5d5b998069bda0
SHA5128a7e698f3a637a3cfea70781f958beaacb83bd800cb993745b0bf58f1f50ab48e28388f4db115fb8d87dfc0e342d9fa9b8f1f8d256228433f3234a289d7447d4
-
Filesize
5KB
MD529f61fb037e77ddf041d3d8ee1e9c0cf
SHA1cdb5a6129946cdcea24835968087e72283aef559
SHA2566bc75a39763b6860fbd6ec660524281119e20ce263b1911a363c5ddccb333662
SHA51222226f72e9ce3ef97676f8e751c01e836ad2277f234989652de5dac6496772d4bd53f521ced1da0972083902d65e11fad7d7304e6341f57dbdbcc5f6319ef96d
-
Filesize
4KB
MD5e27d56340a1c5e45941bcb3adef1a22e
SHA17e3608898c0d36478440a2c4f7c8c62084cb2ddd
SHA25626f2b1d6e8045fef516972ff1b930c425990fafa4e1e5174a52f29235bfdf616
SHA5121938027ad0a3fd550e00bd40536dd7ec59d0d3abeb6f0346be23800bd49434e14deac117cec295eb173946ab23925777769538628d0ee00eea3610dd1789aea1
-
Filesize
6KB
MD513ab1fd43afedb36fa0d3ea89b7aa935
SHA10420e61e42e78a036ae5e26639debee9ff394656
SHA2561ac29d57b5d2fe294f27af82e2db56acebe7174ca176ba1b7a4650ad9a7d76fc
SHA512019c028fbbc4b0273c2cbbedc944fd966f8dcf6c3d3a156815d280bfbfaaaff4a5514556cd4b8333e94ca8367d1205ed29b80cf1aa935d15b211c44fee8ea48a
-
Filesize
441KB
MD52bb211e65b7298c30b34a34a486d709d
SHA13e6518c19a254ef40138050f5ef1ebe919821f23
SHA256c9fc61ce562985b1fea4f221272a4abbf5123024415b81243d8fc21fdc0fc1d9
SHA51226a9eb1b02cf87352b6c2e0ac1033db4815a571f5ef7e16ecd45cb69e24b4819719d5dc79a59052d1d546d7b888ee1753e387eb79c24c95b7c0cfa460bbfdf6c
-
Filesize
7KB
MD58d7593858261e481d4c46ca91beba903
SHA11a7696921786147d97baece0c0b1c7cb4499bd97
SHA256b07b1b5694fdbc6a087bf42e02f2dab85c80af4da3d2064e4140cc48f057959b
SHA51284d0d9dc17eb54e21617c87d3df2067a0c36c68b219c6d8831a6a85686b102b9804f0c4206c42d2ebb3e9688ac28718482ed4d6d5a0b8bf84f18bb92a5470198
-
Filesize
215B
MD5ed1f3ff18cfd4b45bb4060c3ce14c9fe
SHA111d01a7c9ac99e129f0e84e6c914d5a694ed4f38
SHA256281c1e9fba58c8231a004f373aecde49af17eb9f645639b8ce27fbca0296d6ee
SHA51268972a591d422b40b16a84b6279277cfc0e5095b5e68da6fb8dcac0cbada8fb2e549040002c63853a5356d6e631ffa2ed9523da8e074f9120a5a239d5f27fc1e
-
Filesize
1.6MB
-
Filesize
7.7MB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
10.4MB
-
Filesize
7.7MB