Analysis Overview
SHA256
556f39b521ff9cba0b5c3bf77526b55995f03614a4d2e924d30ac5532bb3758b
Threat Level: Shows suspicious behavior
The file keylogger.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:12
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:12
Reported
2024-06-18 10:15
Platform
win10-20240404-en
Max time kernel
137s
Max time network
135s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keylogger.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "pyinstaller --windowed --onefile --icon=icon.ico log.py"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.1747922941\1085485864" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2456ae8-76de-4050-8213-fc28dc0d4ed8} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1764 1ca51bd5558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.1.1998830917\1917871739" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0397d8d1-69b2-482b-8947-949b4b43ee4a} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2120 1ca5173c858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.2.916374035\427129818" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2800 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ff92258-652e-460e-b2ac-a99316977701} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2788 1ca55c9bb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.3.1002397609\501159318" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b478a34-11c2-4d57-816b-b663af788246} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3460 1ca3f85e258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.4.1566701651\2045156394" -childID 3 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca27adca-086f-43da-a433-33d8b16a6225} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3984 1ca5744f958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.5.1839901958\1367411690" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4800 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6822b11a-bc1a-48b3-a7e5-70d8d97cf6bc} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 4784 1ca564d0258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.6.391913470\1731424671" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f8c6f2-a364-45e3-a554-004aaa39e40c} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5060 1ca58467858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.7.84299796\132435458" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef0da402-b7f4-4873-b2ce-b399442f9449} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5232 1ca58aa2258 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SkipClose.vbs"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49889 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 52.42.69.239:443 | shavar.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| N/A | 127.0.0.1:49896 | tcp | |
| US | 8.8.8.8:53 | 239.69.42.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI28042\ucrtbase.dll
| MD5 | 793eaa5f4b9e9433d63231a3da0cd2ae |
| SHA1 | 71dcba32528af7574a1bf463e1affd6ee25834b8 |
| SHA256 | da23ba5c0a69c2199bd2ba04ea6d2c022eac59829ac489f9286e4df7079ccf91 |
| SHA512 | 7bfe866088037df804fc8979ddca6137aeabf48d59d171bdd0ca81c516f644aa8ad47b14458d73ab24800a829d4309987e1290234aace13e2a42e22127b463cb |
C:\Users\Admin\AppData\Local\Temp\_MEI28042\python38.dll
| MD5 | 15dc83636ae9a81d7655b96c5e35ceb9 |
| SHA1 | d1d24acbde8cbae61a023200a457b152f2f41959 |
| SHA256 | 2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a |
| SHA512 | bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225 |
\Users\Admin\AppData\Local\Temp\_MEI28042\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI28042\base_library.zip
| MD5 | 980803999e3d3bd6bede5686f86fac8a |
| SHA1 | 22dc630261b52c28ba6a96087cea822860b20862 |
| SHA256 | ae8d5a7ffdf6e0b75b930e2253fae4a241e198625cf8579c1dc3113ea8280dea |
| SHA512 | 7d586948f7c06bf5bb12cb45d8ab1535a8a3e955419d5b1349870259b3b4ae6b29a1bc546631f384dc6e8f98d01d32d71f9f57f61b18c8b0b6ac004592b4d092 |
C:\Users\Admin\AppData\Local\Temp\_MEI28042\_ctypes.pyd
| MD5 | 6264e928d931bd665febeda1d1b15117 |
| SHA1 | f656513a17237543de115a5864a49e71e7a6049a |
| SHA256 | a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262 |
| SHA512 | b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d |
C:\Users\Admin\AppData\Local\Temp\_MEI28042\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
\Users\Admin\AppData\Local\Temp\_MEI28042\_bz2.pyd
| MD5 | afc7802468dca43cff7bf902feace6a0 |
| SHA1 | cd028e3178ed5cff9e2d2b5752c3651124b66614 |
| SHA256 | 8efbc8f4dd21267a6b9a72276a48aff5944f0982b577172675db2bda457cceb1 |
| SHA512 | b445a61b8e1e56273169a2f55b88a3ccd3351bc03e99b3edf8ba1792483e7bb33eaedfe5561a2f6070c41c9c41a878a2367bcd4662da22532d905af7638a8155 |
C:\Users\Admin\AppData\Local\Temp\_MEI28042\_lzma.pyd
| MD5 | fcbceb644f1d31ef3ee573bca0a11601 |
| SHA1 | fabdda171a58b2d07e4fafa1a15629e1f5039b4f |
| SHA256 | 1b597eeb44fe2986e85c9c501670b88c267b8cddbb453fcc5832f609080f13fc |
| SHA512 | 21fa8ab08a5e4a4d02fe6678e89c3f2be8576a5c15bcef38b88504889794e23d8de223052f963c42075b5548a6a9364ac8f100171f47b6fe1d917d7b2684a7b5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\97d1f4f1-2f4b-4754-98d6-334cec49a4cc
| MD5 | e388c9cbe6e728161570f830dbc907dc |
| SHA1 | ae4e5d60cd7039c1fed9ef499fd3a3c5091cee3d |
| SHA256 | 24252465a507ed359b32b2f578a555ea86cbdbc286e7431a2f6dd51ef3ddbe13 |
| SHA512 | 70bb8adfc0921d10074eccd8e05ad1cbfe7c76540dec2a9a02168069991d4e49ae8c421075d09016c2ee81305aa6c05d136b64b742189c8b2172cee0bf152432 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0d9a783d-2ed5-40a9-9a1c-9e9788088154
| MD5 | c45089f7f9ab8c63a98fc5dbe65c85ca |
| SHA1 | 75a9e9599488eb20d888f98041dba6c26197c7a3 |
| SHA256 | 5af1280d82fc6787284a700566da608c956f1bbc4ad5afcc3126395c15b3c9d0 |
| SHA512 | 0f93f07007e8142ec20ef3286ce103bfe5d8287931b2bc77ee814e64687d849dbeda9afd3fcd760cc21bfe4b880d68d421f154b7848f9ee1585ea7e997b3edf1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 819b0eaaa5c59d6cca520c12944e21e7 |
| SHA1 | 09345feef9cbd05792718722fbbac1abc78789b7 |
| SHA256 | ea1e3b7b445a0a3e3113dce65c97b32378cc2442ea3660310f1f5dd0c8db72c3 |
| SHA512 | 0d290aea3c3609cace936d44a0eed3491eb73623bf337cfde250fc0e3e257634a059e26d746a9de3c707add7bafac5571f87013aec607c1489d38eb0991ab37c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 7f868e557b098795d645df9ea302427f |
| SHA1 | 001f3306144559b4049a8ab139b4139f51e59c0e |
| SHA256 | b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5 |
| SHA512 | 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 78b5839989e3eda0f6bb64248e449b1b |
| SHA1 | 2404abd486aa2424b7431c7a6b508b01ef0094c6 |
| SHA256 | a651fc8451becd651af4cbd079755407d01fab62c7a4c59f74ab0b81d3ef4eff |
| SHA512 | 9ab9fbf7a5df0ffdaa3cc6852d99e49ce50d506359a278f999cf4be60be43515e25afd644e31c665e4a3fc2c72219929e40c9d5a41a058b4b76ac79a39f76151 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 3a12051962ec1996058983f025d71d9d |
| SHA1 | eaf813935ba22473f204241ad9ae71d752d96adf |
| SHA256 | fed6b12b8b0199184effba9f16988327d7b201b95ff567cbde4eb8fd0e424457 |
| SHA512 | 534bc8ee1ae095fae88d0bf6321dd554e4b0c31ffece0d9a448698436b7087a4ce2fb32d563da4519cecbf9b6384d24bbc15a5f8bd9a90cb09b57c5b7bfaae60 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
| MD5 | 16a5720932aa4a79b4b7d6533b1b0b25 |
| SHA1 | 17a566f004a30e1d8271b0ef1ae7e8c11093cc38 |
| SHA256 | 7a678c3ae3289d4c4dd2a88efbea08b5d6dabfb3e4135ef7df33369f85f7c55a |
| SHA512 | ee00758aab1d7eaf430b511b14280f8f9c57eb78dfb45daa7c33d83b4c42b40a1294122560e1104185779d64c4ca3dffc4a6cfa90134a379db4aaa10701b9d55 |