Analysis
max time kernel: 39s
max time network: 49s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 08:31
Behavioral tasks
task         sample                 resource
behavioral1  Redengine Crack.exe    win7-20231129-en
behavioral2  Redengine Crack.exe    win10v2004-20240508-en
behavioral3  main.pyc               win7-20240508-en
behavioral4  main.pyc               win10v2004-20240508-en
General
Target: main.pyc
Size: 22KB
MD5: e6238cb9a3b60dd096638f4f2d5ba762
SHA1: 73cce38064ec658e98a15493da495a7ac0af1449
SHA256: 7ed0bc63c96f84a177873bf9f772d175481dbb0e8cf30a62384ee0a707e2b005
SHA512: a46309d6353904cb31d8aad90d8ab7950cc38b566abd99e0f28939f776d4cbe7cebba19e55b3507b02820de73687e588e34cc16108c844413d86cfcef62d85bd
SSDEEP: 384:gT8E5sFcJcpMIWfG68Xph6E0y4c3Tz3zMz6HYBcqB3RMxCCWViCWLrgSy28ichmO:gTl5sFcdIWrYph6E0pc3TDIBGqBGtQ2+
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
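Every one of the ten CentralProcessor reads above is attributed to firefox.exe, not to anything spawned by the sample's own launcher, so on its own this signature says nothing about main.pyc. The script below is an added triage example, not part of the report: it parses rows in the "description  ioc  process" shape used here, flags keys commonly read by VM/sandbox checks (the prefix list is an editor's assumption, a starter set rather than a complete one), and walks the report's process tree to decide whether a flagged PID descends from the cmd.exe that launched the sample. The IoC rows and the (pid, image, parent) entries are transcribed from this page; the parsing and tree-walking code is the editor's own.

```python
"""Added example, not part of the sandbox report: attribute registry reads that
look like sandbox checks to a process, then ask whether that process descends
from the sample's own launcher. IoC rows and process-tree entries are
transcribed from the report; the parsing and tree code is the editor's own and
assumes rows laid out as "<action>  <key>  <process>".
"""
import re
from collections import Counter

# Transcribed from the report's "Checks processor information in registry" table.
REPORT_IOC_LINES = [
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe",
    r"Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe",
    r"Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe",
    r"Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe",
]

# Transcribed from the report's process tree: pid -> (image name, parent pid).
# Parent 0 marks a root. Note that OpenWith.exe 1120 is a root of its own in the
# report (started via COM with -Embedding), not a child of cmd.exe 4440.
PROCESS_TREE = {
    4440: ("cmd.exe", 0),
    1120: ("OpenWith.exe", 0),
    3000: ("firefox.exe", 1120),
    5080: ("firefox.exe", 3000),
    4700: ("firefox.exe", 5080),
    888:  ("firefox.exe", 5080),
    4256: ("firefox.exe", 5080),
    1420: ("firefox.exe", 5080),
    4464: ("firefox.exe", 5080),
    4704: ("firefox.exe", 5080),
    5032: ("firefox.exe", 5080),
    1488: ("OpenWith.exe", 0),
}

# Assumption: a starter list of key prefixes typically read by VM/sandbox checks.
EVASION_KEY_PREFIXES = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS",
)

# action, key (may contain spaces, e.g. "Update Signature"), then the process name.
IOC_ROW = re.compile(r"^(Key value queried|Key opened)\s+(.+?)\s+(\S+)$")


def parse_registry_iocs(lines):
    """Turn report rows into dicts; rows in any other shape are skipped."""
    prefixes = tuple(p.upper() for p in EVASION_KEY_PREFIXES)
    events = []
    for line in lines:
        m = IOC_ROW.match(line.strip())
        if not m:
            continue
        action, key, process = m.groups()
        events.append({"action": action, "key": key, "process": process,
                       "evasion": key.upper().startswith(prefixes)})
    return events


def ancestry(pid, tree=PROCESS_TREE):
    """[pid, parent, grandparent, ...] up to the tree root."""
    chain = []
    while pid in tree:
        chain.append(pid)
        pid = tree[pid][1]
    return chain


def descends_from(pid, ancestor_pid, tree=PROCESS_TREE):
    return ancestor_pid in ancestry(pid, tree)[1:]


def summarize(lines, flagged_pids, sample_launcher_pid, tree=PROCESS_TREE):
    """Count evasion-style reads per image and attribute flagged PIDs to the sample."""
    events = parse_registry_iocs(lines)
    per_image = Counter(e["process"] for e in events if e["evasion"])
    attribution = {pid: descends_from(pid, sample_launcher_pid, tree) for pid in flagged_pids}
    return {"evasion_reads": dict(per_image), "descends_from_sample": attribution}


if __name__ == "__main__":
    # PIDs 5080 and 888 carry this signature in the report's process tree.
    print(summarize(REPORT_IOC_LINES, flagged_pids=(5080, 888), sample_launcher_pid=4440))
```

Run against this report the summary attributes all ten reads to firefox.exe and reports that neither 5080 nor 888 descends from cmd.exe 4440, which is the quick way to separate browser start-up noise from behaviour that belongs to the sample.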
Modifies registry class (4 IoCs)
Processes: cmd.exe, OpenWith.exe, firefox.exe, OpenWith.exe
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  cmd.exe
Key created  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  firefox.exe
Key created  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: OpenWith.exe
pid   process
1120  OpenWith.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: firefox.exe
description               pid   process
Token: SeDebugPrivilege   5080  firefox.exe
Token: SeDebugPrivilege   5080  firefox.exe
Token: SeDebugPrivilege   5080  firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: firefox.exe
pid   process
5080  firefox.exe (4 rows)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: firefox.exe
pid   process
5080  firefox.exe (3 rows)

Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: OpenWith.exe
pid   process
1120  OpenWith.exe (64 rows)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: OpenWith.exe, firefox.exe, firefox.exe
description         pid   process       target pid  target process
wrote to memory of  1120  OpenWith.exe  3000        firefox.exe   (repeated)
wrote to memory of  3000  firefox.exe   5080        firefox.exe   (repeated)
wrote to memory of  5080  firefox.exe   4700        firefox.exe   (repeated)
wrote to memory of  5080  firefox.exe   888         firefox.exe   (repeated)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows depth in the process tree)

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
  PID: 4440
  signatures: Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1120
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\main.pyc"
    PID: 3000
    signatures: Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\main.pyc
      PID: 5080
      signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.0.175930248\606289859" -parentBuildID 20230214051806 -prefsHandle 1516 -prefMapHandle 1628 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81601c06-9ea8-4213-9012-5cc498ccae7d} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 1868 1918fb1b458 gpu
        PID: 4700

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.1.591623885\1787329886" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1bda24-7574-4d14-8e6f-94ca819fd2a7} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 2460 19182e89f58 socket
        PID: 888
        signatures: Checks processor information in registry

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.2.1525332128\196471007" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64779985-5749-4abf-a50f-162ead5973b1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3028 19192b3bd58 tab
        PID: 4256

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.3.832410238\1064702155" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {815434d8-d69f-474c-a0f1-40ff707247c4} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3628 191940b7d58 tab
        PID: 1420

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.4.933535042\1532473098" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5256 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c70236a6-67c6-446e-ab11-90760968900b} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5248 191965f9858 tab
        PID: 4464

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.5.2022296737\1315378059" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40016975-cf90-4d69-b4ce-5fa587f9cd64} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5400 191965f7a58 tab
        PID: 4704

      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.6.1398723293\1030077222" -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49b2d88a-8e0c-4103-862e-e955f658f037} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5580 191965f8058 tab
        PID: 5032

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1488
  signatures: Modifies registry class
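The tree records what actually happened to main.pyc in this run: cmd /c handed the file to the shell, Windows raised the "open with" dialog (OpenWith.exe -Embedding is the COM-activated chooser shown when no application is associated with the extension), and the file ended up passed to Firefox as a URL. No python.exe appears anywhere, so the bytecode never executed and every firefox.exe signature above is ordinary browser start-up activity. To analyse the sample properly you need the CPython release that produced it. The script below is an added example, not part of the report: it reads the 16-byte header CPython has written since 3.7 (PEP 552) and says which interpreter the file needs and whether the current one can load it. The report does not include the bytes of main.pyc, so the headers used here are constructed, and the magic-number table is a partial list the editor is confident of; other values come back as "unknown".

```python
"""Added example, not part of the sandbox report: read a CPython .pyc header to
learn which interpreter it needs. Assumes the PEP 552 layout used since 3.7:
2-byte little-endian magic + b"\r\n", a 4-byte flags word, then either
(source mtime, source size) or an 8-byte hash of the source. Sample headers
below are constructed; they are not the real main.pyc.
"""
import importlib.util
import struct

# Partial table of CPython magic numbers (low 16 bits of the 4-byte field).
KNOWN_MAGIC = {
    3394: "3.7",
    3413: "3.8",
    3425: "3.9",
    3439: "3.10",
    3495: "3.11",
    3531: "3.12",
}


def is_cpython_pyc(data: bytes) -> bool:
    """Cheap shape check: a full PEP 552 header whose magic ends in CR LF."""
    return len(data) >= 16 and data[2:4] == b"\r\n"


def parse_pyc_header(data: bytes) -> dict:
    if not is_cpython_pyc(data):
        raise ValueError("not a PEP 552 style CPython .pyc header")
    magic = struct.unpack("<H", data[:2])[0]
    flags = struct.unpack("<I", data[4:8])[0]
    info = {
        "magic": magic,
        "python_version": KNOWN_MAGIC.get(magic, "unknown"),
        "hash_based": bool(flags & 1),    # PEP 552 bit 0
        "check_source": bool(flags & 2),  # PEP 552 bit 1
    }
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def running_interpreter_magic() -> int:
    """Magic number the interpreter running this script writes and accepts."""
    return struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]


def loadable_here(info: dict) -> bool:
    return info["magic"] == running_interpreter_magic()


def build_header(magic: int, mtime: int = 0, size: int = 0) -> bytes:
    """Constructed timestamp-based header for demonstrations (not real sample bytes)."""
    return struct.pack("<H", magic) + b"\r\n" + struct.pack("<III", 0, mtime, size)


def triage(data: bytes) -> str:
    """One-line verdict a sandbox operator can act on before re-running a sample."""
    if not is_cpython_pyc(data):
        return "not a CPython .pyc: identify the real file type before running anything"
    info = parse_pyc_header(data)
    target = "this interpreter" if loadable_here(info) else f"a CPython {info['python_version']} interpreter"
    return (f"CPython bytecode, magic {info['magic']} "
            f"(Python {info['python_version']}); load it with {target}")


if __name__ == "__main__":
    # Constructed demo: a 22 KB module as Python 3.8 would write it.
    print(triage(build_header(3413, mtime=1718785860, size=22 * 1024)))
    # A PE header is not bytecode and is rejected before any parsing.
    print(triage(b"MZ\x90\x00" + bytes(12)))
```

The practical point is the `loadable_here` check: a sandbox image with no interpreter, or with the wrong release, produces a run like this one, where the only activity is whatever application the shell falls back to. Confirm the magic first, then re-run the sample with a matching interpreter (or a decompiler that supports that release).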
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 23KB
  MD5: 90d898b4f4b2dc1229f31bcf4a572e96
  SHA1: 32809ba0c5a29e001893eddaa13f00fc5652d631
  SHA256: a2291c7ca3db217880d0c0843744db7a0e0390e531b5b1262d0c08bbb086be51
  SHA512: f94f436f204cd241bed58ed0dd077097937e82ed429b50f45a1ad66afdaa3c4b6fca64e328a11ca53c41ca2a19c388a844ab94c2552b7b6b4f8cba5d3a872347

(path not listed in the report)
  Filesize: 7KB
  MD5: c0d3337c597423c3286d4b9431a8cca1
  SHA1: af7fcc6412a027b15d272cd6d973767dd1bc3029
  SHA256: 36338b4324e905b45fb28396ebab899adabd4fb288249291c490a2e69012c645
  SHA512: 62fbe24ab4692182c201a0aae7dfab428225ae258bca05e9b6c540634d12526d5d413c1daebdf33760abd2ea36a4f63fc946d4d7dd3a362742fc9eb188f51b0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
  Filesize: 630B
  MD5: b62cdc62f2741e88dee8af2e4fc19c36
  SHA1: 88694206fa7e8a196e7044baa9c948e7f9367961
  SHA256: 1cbec10bf19a39c9f07cfc642d1a869f0652de433ceb63cb54a1bb7ab3c25bb8
  SHA512: 029c0e2a2ae7dca5d5ca2ef3d51570803fa0d4f4952f3e81dda2df7fd07a4960213896b6cc8b6e2364e4aed604bc967addf76a1a2ec954e92c96bcc9554a3aa2

(path not listed in the report; size and all four hashes are identical to the submitted main.pyc in the General section)
  Filesize: 22KB
  MD5: e6238cb9a3b60dd096638f4f2d5ba762
  SHA1: 73cce38064ec658e98a15493da495a7ac0af1449
  SHA256: 7ed0bc63c96f84a177873bf9f772d175481dbb0e8cf30a62384ee0a707e2b005
  SHA512: a46309d6353904cb31d8aad90d8ab7950cc38b566abd99e0f28939f776d4cbe7cebba19e55b3507b02820de73687e588e34cc16108c844413d86cfcef62d85bd