b913899afa3741ed46315f6c1491e5777a3c1cf46a1d05a433af0d74ecb66cba

Analysis

max time kernel
144s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
06-07-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Apex-CV-YOLO-v8-Aim-Assist-Bot-main/SPLIT/split.py
Size

856B
MD5

32e731e6c9bbea9904c607849cc5883f
SHA1

6a61447150982288f7fb298f2f5ed5f0301e54d1
SHA256

d9618627c498bdfcc1c5fdef43b2dd6a9b5a3d8e2a0e67eef465250687ef3de1
SHA512

5fd2839b2b38fde6c7b812d3511bb1cdb66a9c7fd9f97e3ea1a3c372b95fc6befa34cd7ad58f81c5eda00fdebafa1d717543732af5139db5d3590ffb30404a7b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\ג盭Ā耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\ג盭Ā耀\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\py_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\py_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\py_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\.py	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
2512	OpenWith.exe
1344	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2840	2512	OpenWith.exe	79
PID 2512 wrote to memory of 2840	2512	OpenWith.exe	79
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 2840 wrote to memory of 1344	2840	firefox.exe	82
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 540	1344	firefox.exe	83
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85
PID 1344 wrote to memory of 2308	1344	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Apex-CV-YOLO-v8-Aim-Assist-Bot-main\SPLIT\split.py
1⤵
- Modifies registry class
PID:772

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Apex-CV-YOLO-v8-Aim-Assist-Bot-main\SPLIT\split.py"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Apex-CV-YOLO-v8-Aim-Assist-Bot-main\SPLIT\split.py
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.0.1822617703\1456763051" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1f6a104-053f-4cfd-a7c7-d54c50d85eb8} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 1856 279ed40e558 gpu
      4⤵
      PID:540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.1.2139887251\1941894528" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3489845-f6a4-4f85-a249-2dc10264e053} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 2408 279d8f8a258 socket
      4⤵
      PID:2308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.2.1904128059\55488883" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2916 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cc76eb6-2e34-4910-a3db-1a1c61218b79} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 3080 279eff43b58 tab
      4⤵
      PID:3356
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.3.15950527\558106" -childID 2 -isForBrowser -prefsHandle 2964 -prefMapHandle 3644 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de0f97d-66ef-4855-a707-dddc65097dfb} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 3472 279f1689258 tab
      4⤵
      PID:444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.4.408939337\1641791264" -childID 3 -isForBrowser -prefsHandle 4824 -prefMapHandle 4608 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce52f33e-e674-4fd0-abdc-c557c78d9f68} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 4832 279f38e3358 tab
      4⤵
      PID:4880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.5.1682617622\339450875" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb283d8-183d-41d7-acc5-d50a3c8cd583} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5092 279f38e3958 tab
      4⤵
      PID:3416
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.6.105418957\75377158" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88a0c1f8-2794-4d55-b8dc-a69f3de28819} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5292 279f38e2d58 tab
      4⤵
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
ec7f12f05f8c1344cdb344c32e48cfa4

SHA1
da37a1da62feb108410401b3de644f8f40fd75aa

SHA256
9e23c348b605e8e9ca46906bf9df5103bb165f2240f70c4a9230a98ff6cd1530

SHA512
1e3474a97570c3001e3c3751378a50121d31b2f2d1d48b305ba6ca22c1271f915ea56b2e64a99bf3fcf4d1ffe2321cf44d5fd867a1accf75be7edf8b81ef721d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js

Filesize
7KB

MD5
d5ae9a9c670b9dc9e476f20399a4825a

SHA1
21ba8cb20b2d3c1c5e6a1a9f9af2a2c45b2c34f4

SHA256
2d36c9f0d68b6e046fc13d28f51cc2050168eafc034a788ae6918a82bfb03c2c

SHA512
523980ca917e3656e794d33b3e7d151b5bb4c8230a31d5d44ceb8c9193b8587605eb0cc8506a45c7e004f2f267713a01a9c805f53769763b667a6103043b66c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4a3f3b4f544ddb25db767e287f21d3a4

SHA1
e13e0002e3acfa1b14f073af58d7f4dd6e640620

SHA256
4fa2fd7c52a4089ef9f147cb2970d869fe1c072eec4c2413b0a9ad8caf841c75

SHA512
e338b9a8fbb470578112dd076c6e6e845871d29309bf896715f2dccfddef74a8eb3f9437ce9c02928e55377010705168ce109d1c191c377e1d0e9b7aa3f327f5

Download Submit