Analysis Overview
SHA256
2da8c55da46f148005b1b6eb5eaf231091b9f05ce4f73085abea04c242d77af4
Threat Level: Shows suspicious behavior
The file Redengine Crack.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 08:31
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 08:31
Reported
2024-06-19 08:34
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 944 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe |
| PID 944 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe |
| PID 944 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"
C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI9442\python39.dll
| MD5 | 2135da9f78a8ef80850fa582df2c7239 |
| SHA1 | aac6ad3054de6566851cae75215bdeda607821c4 |
| SHA256 | 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3 |
| SHA512 | 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 08:31
Reported
2024-06-19 08:34
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 968 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe |
| PID 968 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe | C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"
C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI9682\python39.dll
| MD5 | 2135da9f78a8ef80850fa582df2c7239 |
| SHA1 | aac6ad3054de6566851cae75215bdeda607821c4 |
| SHA256 | 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3 |
| SHA512 | 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\base_library.zip
| MD5 | b8ed4da65fcd99bfa0ebc1e05c117368 |
| SHA1 | 9d822e68363ffd59d4e5b3af6a4f27f5a89d35e5 |
| SHA256 | da7b254387c376f8dd50db6c88b9e5a801aacfc7e577e34197ebac8fb990ce70 |
| SHA512 | d9dcbbf1e4f3e6837deca1030fc0b8b45513230ed11f60c7dfada87842f9c1ded53c6f8678ed8bc47d22c98805cd95fe3c27549a7069d04833ed32977456ba19 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\python3.DLL
| MD5 | 4a776941c0aa723c50223cb1a19e6d02 |
| SHA1 | 08e4cdf06f3b9ee5f9d5c865b49c808d20938583 |
| SHA256 | 5a2f39ed041d35bb48e89c72c1ad16a5a24a3674f8eb34bfbc6310fd75128f16 |
| SHA512 | 0319030bd2b51bf605c8ef4324eacf3a1f2e2315c92bc0cfc8e9eb7df72038f6c377b9537fec16470363499e6e0dbb7ca164169ae43601294310f84e53a06881 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_ctypes.pyd
| MD5 | a1e9b3cc6b942251568e59fd3c342205 |
| SHA1 | 3c5aaa6d011b04250f16986b3422f87a60326834 |
| SHA256 | a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3 |
| SHA512 | 2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_socket.pyd
| MD5 | cd56f508e7c305d4bfdeb820ecf3a323 |
| SHA1 | 711c499bcf780611a815afa7374358bbfd22fcc9 |
| SHA256 | 9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34 |
| SHA512 | e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\select.pyd
| MD5 | 35bb285678b249770dda3f8a15724593 |
| SHA1 | a91031d56097a4cbf800a6960e229e689ba63099 |
| SHA256 | 71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3 |
| SHA512 | 956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_bz2.pyd
| MD5 | b024a6f227eafa8d43edfc1a560fe651 |
| SHA1 | 92451be6a2a6bfc4a8de8ad3559ba4a25d409f2e |
| SHA256 | c0dd9496b19ba9536a78a43a97704e7d4bef3c901d196ed385e771366682819d |
| SHA512 | b9edb6d0f1472dd01969e6f160b41c1e7e935d4eebcaf08554195eb85d91c19ff1bfbc150773f197462e582c6d31f12bd0304f636eb4f189ed3ed976824b283e |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_lzma.pyd
| MD5 | 77b78b43d58fe7ce9eb2fbb1420889fa |
| SHA1 | de55ce88854e314697fa54703a2cd6cc970f3111 |
| SHA256 | 6e571d93ce55d09583ec91c607883a43c1da3d4d36794d68c6ecd6bea4ab466a |
| SHA512 | 7b03b7d3f2fd9b51391de08e69ca9156a0232b56f210878a488b9d5a19492ab5880f45d9407331360fbe543a52c03d68f68da4387bf6a13b20ec903a7b081846 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\pyexpat.pyd
| MD5 | 3ee5ec36b631c2352cd8bd2e4b58b37f |
| SHA1 | d6ddab5eb14226fea6e5212382b5dd39aa50df97 |
| SHA256 | f32af8a21c016702647a83661eb4460bac7c791754cb1faaf1c4d096a94cd7cb |
| SHA512 | 873f72bc481bf6c55cdd00e97ea0e5946f466790f3319374b1c15772d4abdc7f394defd2cb130323fff2169380b0cda7319bb2b19f87ed5dfa479635f4b21317 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\win32api.pyd
| MD5 | 30d431bdd2419b1c59f22c0ab790ab88 |
| SHA1 | fe4c07f5e77806e5f0f5f90762849818eb4d29d1 |
| SHA256 | 0813e92197b04508363d93f3fc2065e962baab44f8a2c18c6297e1fb348cc679 |
| SHA512 | d5c8e362c5be1decffb7960b0169e18641816ada783e0ec5a3c909c163bf1aa8878d6e7d7efb0258a0f1a031ac8e71c084d7220347b85b07412d6717f3b5ff58 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\pywintypes39.dll
| MD5 | f0c9ae2851bdadd218d864430281b576 |
| SHA1 | b7fb397f1c9cd07c81c7ae794b2af794c918746f |
| SHA256 | 15ff353b873b58c7a8af42d94462aa4cb4ea03c10673a87a0d7f2c42b7ec60c0 |
| SHA512 | 915aa0121265b11d6ab58643fb1e4d867e3c49608dd5c8842364d4ed913f4742b4c4d54b21526ea62d7d48598b02c613f1ab39a4a071e403d4cc6fe68f839b7e |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\pythoncom39.dll
| MD5 | f7248c0bf2538a832f06bf5735badd88 |
| SHA1 | 301b9c6803781c9cf63414862d8ed8c64c1d5316 |
| SHA256 | 86be43773e1b863cc2e87c980ae9fd8291eff3d82dd4136491b8f95b2dbf868f |
| SHA512 | abc5ee57598cdbff3091d77f2f00bd7b69235b48810ba8946ffeed039b7aa03a7d49db2e21b01b6d0753b1dcb7ac5a29d56732451d2c739b5c47fe299a99c765 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_sqlite3.pyd
| MD5 | d7dce668e11c61245f91e723db68b134 |
| SHA1 | 0edd1d7783b6be460e9a5c02aaec971bb4aa25af |
| SHA256 | e8cd83af8716df93b761ffaa01949d57e2551804c3bab679d81ac72534490a1d |
| SHA512 | ace805042be4130329bafbe29d44a5c80a3746abdfc1ab63016f8e0dba97f4d02b30dd4dc29cb658f5757215bd132e8acc34a5842f955a0c45c1837b916319e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\sqlite3.dll
| MD5 | 1d234679a3e6e068b741b83eebc3adb2 |
| SHA1 | e63c5b5ee813a73585ecf5e4425cf3fe52e1294c |
| SHA256 | 5a4fc3957bc5f007b6c3a2df66c8286fe65ae74827a233f0df2e9679dc7ad39f |
| SHA512 | a085613067482b4544bddcdceef56f5fb46322ddb4490b1034f2fdacbe2a3dcc3721e645941d89dbb9110cd5630cab0cc4cc1573946e5667d6c6c07ffce341cd |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_hashlib.pyd
| MD5 | 69dc506cf2fa3da9d0caba05fca6a35d |
| SHA1 | 33b24abb7b1d68d3b0315be7f8f49de50c9bdcb6 |
| SHA256 | c5b8c4582e201fef2d8cb2c8672d07b86dec31afb4a17b758dbfb2cff163b12f |
| SHA512 | 0009ec88134e25325a47b8b358da0fed8bb34fe80602e08a60686f6029b80f4287d33adb66ef41435d11d6edff86a88916f776eeaf2d1cb72035783f109ca1ff |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_ssl.pyd
| MD5 | 70014e88ecf3133b7be097536f77b459 |
| SHA1 | 5d75675bb35ba6fae774937789491e051e62a252 |
| SHA256 | d318795c98c5f3c127c8e47220a92acba0736daf31bab0dc9c7e6c3513bb2aa3 |
| SHA512 | aa59b32c9164afca1b799e389c7087e95eeaa543790b6f590f9e30aa13b7fdb8cc83d0ef6351f0b578a4da636f4ca1e6dfe4558dcf3a813b744a80f7392aa462 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_brotli.cp39-win_amd64.pyd
| MD5 | 2c7528407abfd7c6ef08f7bcf2e88e21 |
| SHA1 | ee855c0cde407f9a26a9720419bf91d7f1f283a7 |
| SHA256 | 093ab305d9780373c3c7d04d19244f5e48c48e71958963ceca6211d5017a4441 |
| SHA512 | 93e7c12a6038778fcda30734d933b869f93e3b041bb6940852404641a599fe9c8ee1168a2e99dcfb624f84c306aff99757d17570febabc259908c8f6cda4dbea |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140_1.dll
| MD5 | 135359d350f72ad4bf716b764d39e749 |
| SHA1 | 2e59d9bbcce356f0fece56c9c4917a5cacec63d7 |
| SHA256 | 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32 |
| SHA512 | cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_queue.pyd
| MD5 | 328e41b501a51b58644c7c6930b03234 |
| SHA1 | bc09f8b62fec750a48bafd9db3494d2f30f7bd54 |
| SHA256 | 2782cf3c04801ede65011be282e99cd34d163b2b2b2333fd3147b33f7d5e72ab |
| SHA512 | c6e6e6bca0e9c4e84f7c07541995a7ee4960da095329f69120ba631c3c3e07c0441cf2612d9dcc3d062c779aec7d4e6a00f71f57cc32e2a980a1e3574b67d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\unicodedata.pyd
| MD5 | 3ba2a20dda6d1b4670767455bbe32870 |
| SHA1 | 7c98221bc6ed763030087b1f33fb83eac2823ea4 |
| SHA256 | 3a0987025f1cf2111dc6e4f59402073ba123d7436d809ee4198b4e7bfb8cb868 |
| SHA512 | 0688f8af3359a8571bef2a89efabc2dbf26f3f5c6220932a4e7df2e33fac95cafee8b80796346ba698e6bf43630b8069f56538b95a8ff62ec21d629787ca5cd1 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0d0450292a5cf48171411cc8bfbbf0f7 |
| SHA1 | 5de70c8bab7003bbd4fdcadb5c0736b9e6d0014c |
| SHA256 | cb3ce4f65c9e18be6cbb504d79b594b51f38916e390dad73de4177fe88ce9c37 |
| SHA512 | ba6bbcc394e07fe09bb3a25e4aae9c4286516317d0b71d090b91aaec87fc10f61a4701aa45bc74cb216fff1e4ad881f62eb94d4ee2a3a9c8f04a954221b81d3a |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 96789921c688108cac213fadb4ff2930 |
| SHA1 | d017053a25549ebff35ec548e76fc79f778d0b09 |
| SHA256 | 7e4b78275516aa6bdea350940df89c0c94fd0ee70ab3f6a9bac6550783a96cad |
| SHA512 | 61a037b5f7787bb2507f1d2d78a31cf26a9472501fb959585608d8652af6f665922b827d45979711861803102a07d4a2148e9be70ab7033ece9e0484fe110fdf |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Util\_strxor.pyd
| MD5 | 8070eb2be9841525034a508cf16a6fd6 |
| SHA1 | 84df6bceba52751f22841b1169d7cd090a4bb0c6 |
| SHA256 | ee59933eba41bca29b66af9421ba53ffc90223ac88ccd35056503af52a2813fe |
| SHA512 | 33c5f4623a2e5afe404056b92556fdbaf2419d7b7728416d3368d760ddfde44a2739f551de26fa443d59294b8726a05a77733fee66abc3547073d85f2d4ebeee |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 8f385dbacd6c787926ab370c59d8bba2 |
| SHA1 | 953bad3e9121577fab4187311cb473d237f6cba3 |
| SHA256 | ddf0b165c1c4eff98c4ac11e08c7beadcdd8cc76f495980a21df85ba4368762a |
| SHA512 | 973b80559f238f6b0a83cd00a2870e909a0d34b3df1e6bb4d47d09395c4503ea8112fb25115232c7658e5de360b258b6612373a96e6a23cde098b60fe5579c1c |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ofb.pyd
| MD5 | b894480d74efb92a7820f0ec1fc70557 |
| SHA1 | 07eaf9f40f4fce9babe04f537ff9a4287ec69176 |
| SHA256 | cdff737d7239fe4f39d76683d931c970a8550c27c3f7162574f2573aee755952 |
| SHA512 | 498d31f040599fe3e4cfd9f586fc2fee7a056635e9c8fd995b418d6263d21f1708f891c60be09c08ccf01f7915e276aafb7abb84554280d11b25da4bdf3f3a75 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 0f4d8993f0d2bd829fea19a1074e9ce7 |
| SHA1 | 4dfe8107d09e4d725bb887dc146b612b19818abf |
| SHA256 | 6ca8711c8095bbc475d84f81fc8dfff7cd722ffe98e0c5430631ae067913a11f |
| SHA512 | 1e6f4bc9c682654bd18e1fc4bd26b1e3757c9f89dc5d0764b2e6c45db079af184875d7d3039161ea93d375e67f33e4fb48dcb63eae0c4ee3f98f1d2f7002b103 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ecb.pyd
| MD5 | ade53f8427f55435a110f3b5379bdde1 |
| SHA1 | 90bdafccfab8b47450f8226b675e6a85c5b4fcce |
| SHA256 | 55cf117455aa2059367d89e508f5e2ad459545f38d01e8e7b7b0484897408980 |
| SHA512 | 2856d4c1bbdd8d37c419c5df917a9cc158c79d7f2ee68782c23fb615d719d8fe61aaa1b5f5207f80c31dc381cd6d8c9dabd450dbc0c774ff8e0a95337fda18bd |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\_cffi_backend.cp39-win_amd64.pyd
| MD5 | 3d48e9bc9a3b68e816e1d0be284f2d3f |
| SHA1 | 410921af4383bdc898df691ea39e3e9f558c3d85 |
| SHA256 | 88451f322707b22c43b36796c3711bace64f50ef7b22c94fbf29a04a2838e533 |
| SHA512 | 829c0e0458f927ffd8e60194c5ef75c9e4f9da86d3fa7d7184715a869a2765b5e3a0d4263ab9acbbdb752f451acc87eb5a7b1d63712c67e21fcef8c228da3db3 |
C:\Users\Admin\AppData\Local\Temp\_MEI9682\MSVCP140.dll
| MD5 | 0929e46b1020b372956f204f85e48ed6 |
| SHA1 | 9dc01cf3892406727c8dc7d12ad8855871c9ef09 |
| SHA256 | cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8 |
| SHA512 | dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 08:31
Reported
2024-06-19 08:34
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2132 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 08:31
Reported
2024-06-19 08:34
Platform
win10v2004-20240508-en
Max time kernel
39s
Max time network
49s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\main.pyc"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.0.175930248\606289859" -parentBuildID 20230214051806 -prefsHandle 1516 -prefMapHandle 1628 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81601c06-9ea8-4213-9012-5cc498ccae7d} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 1868 1918fb1b458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.1.591623885\1787329886" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1bda24-7574-4d14-8e6f-94ca819fd2a7} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 2460 19182e89f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.2.1525332128\196471007" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64779985-5749-4abf-a50f-162ead5973b1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3028 19192b3bd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.3.832410238\1064702155" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {815434d8-d69f-474c-a0f1-40ff707247c4} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3628 191940b7d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.4.933535042\1532473098" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5256 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c70236a6-67c6-446e-ab11-90760968900b} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5248 191965f9858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.5.2022296737\1315378059" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40016975-cf90-4d69-b4ce-5fa587f9cd64} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5400 191965f7a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.6.1398723293\1030077222" -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49b2d88a-8e0c-4103-862e-e955f658f037} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5580 191965f8058 tab
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:53058 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| N/A | 127.0.0.1:53066 | tcp |
Files
C:\Users\Admin\Downloads\0zYpGHMf.pyc.part
| MD5 | e6238cb9a3b60dd096638f4f2d5ba762 |
| SHA1 | 73cce38064ec658e98a15493da495a7ac0af1449 |
| SHA256 | 7ed0bc63c96f84a177873bf9f772d175481dbb0e8cf30a62384ee0a707e2b005 |
| SHA512 | a46309d6353904cb31d8aad90d8ab7950cc38b566abd99e0f28939f776d4cbe7cebba19e55b3507b02820de73687e588e34cc16108c844413d86cfcef62d85bd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
| MD5 | c0d3337c597423c3286d4b9431a8cca1 |
| SHA1 | af7fcc6412a027b15d272cd6d973767dd1bc3029 |
| SHA256 | 36338b4324e905b45fb28396ebab899adabd4fb288249291c490a2e69012c645 |
| SHA512 | 62fbe24ab4692182c201a0aae7dfab428225ae258bca05e9b6c540634d12526d5d413c1daebdf33760abd2ea36a4f63fc946d4d7dd3a362742fc9eb188f51b0a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
| MD5 | b62cdc62f2741e88dee8af2e4fc19c36 |
| SHA1 | 88694206fa7e8a196e7044baa9c948e7f9367961 |
| SHA256 | 1cbec10bf19a39c9f07cfc642d1a869f0652de433ceb63cb54a1bb7ab3c25bb8 |
| SHA512 | 029c0e2a2ae7dca5d5ca2ef3d51570803fa0d4f4952f3e81dda2df7fd07a4960213896b6cc8b6e2364e4aed604bc967addf76a1a2ec954e92c96bcc9554a3aa2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 90d898b4f4b2dc1229f31bcf4a572e96 |
| SHA1 | 32809ba0c5a29e001893eddaa13f00fc5652d631 |
| SHA256 | a2291c7ca3db217880d0c0843744db7a0e0390e531b5b1262d0c08bbb086be51 |
| SHA512 | f94f436f204cd241bed58ed0dd077097937e82ed429b50f45a1ad66afdaa3c4b6fca64e328a11ca53c41ca2a19c388a844ab94c2552b7b6b4f8cba5d3a872347 |