Analysis

  • max time kernel: 315s
  • max time network: 876s
  • platform: windows10-1703_x64
  • resource: win10-20240404-en
  • resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 18-07-2024 18:09

General

  • Target: LoaderV6/Additions/wmpnetwk.dll
  • Size: 32KB
  • MD5: 8cd455334b6cdd06beeeb898e1e83052
  • SHA1: e104ab973744bac982efa50f055a5a45daed2aee
  • SHA256: 5270f60d90a15ce9d728c328495fb714daa1267a7363a70225badfa252a38ad0
  • SHA512: 922f329f32d935946490cb7ff409689f2c2610fd09efe7e9e095a6e10aee838dde585aa6cbc4e816c42c7a61aa989daf3633edd553ed4a355d7eed6225091859
  • SSDEEP: 192:400xT+MOj4Edw+bRFCPkzMTYEwdwbFS33eWTqa2ilecbAvyv/PjxNlMopnTXmCly:400xvnyK9EN5VlVECXIWeF

Score
1/10

Signatures

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LoaderV6\Additions\wmpnetwk.dll,#1
    1⤵
      PID:1412
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4532
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.0.1668101061\420649417" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6675427-2dfa-4e83-97f5-c454f3018881} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 1792 215ae2f7e58 gpu
            3⤵
              PID:3024
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.1.1979499816\1200774963" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36414efd-d0eb-452f-b5e2-6fbd75c5294e} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 2148 215a3372b58 socket
              3⤵
              • Checks processor information in registry
              PID:1320
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.2.1535365078\1601856864" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2980 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c502a00-96b1-4bbd-8441-1446cf10eb9c} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 2824 215ae25c158 tab
              3⤵
                PID:4344
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.3.1327372590\2021214509" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d03ce75-de26-42c1-a716-edfedd21f43f} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 3512 215b0a9ed58 tab
                3⤵
                  PID:3512
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.4.1886053104\763978983" -childID 3 -isForBrowser -prefsHandle 3980 -prefMapHandle 3964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7a9914-25e1-430a-bc95-637df995feda} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 4048 215b377b658 tab
                  3⤵
                    PID:1496
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.5.491081142\1416537050" -childID 4 -isForBrowser -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {404b2857-41dc-4ac2-997e-a2388158d1cb} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 4908 215b2818258 tab
                    3⤵
                      PID:2016
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.6.665414004\618584744" -childID 5 -isForBrowser -prefsHandle 4756 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51795fd0-2bc8-42f7-8f70-f30a6d11133c} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 4784 215b49eab58 tab
                      3⤵
                        PID:4696
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5092.7.964455942\619874154" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e419bf99-f502-468e-bdb9-3f7daaa56574} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" 5164 215b4bd3c58 tab
                        3⤵
                          PID:2956

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 32e6971667c158fcf41c4ad67bff5018
    SHA1: 07cad1094b3c9fc8547771026d51092bacef3d5a
    SHA256: 72d7611b58e3040ed5def788b08436d88415274fe6e3837c4741764c974c641c
    SHA512: 059777be93fc70e9b3d32d87c5eba8d7db0e954a2e144316d4d164a790cddfe6142fdbe23294e8a556de950731f5b4a019d5da88413e7f9a7c95aceb1ab48233

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\4d208125-e46a-4190-b595-a8f91e00247e
    Filesize: 746B
    MD5: 3b656732d57819be3dc0ba0f1444eb3c
    SHA1: 0d68de3df2003bb3d4793830e59f89dd3dd6aa4c
    SHA256: 2157fa25f0f09501cc504f76cb8e48bb176dfe660f91bdba37b630e0a3b7ab65
    SHA512: e2154df1beda1e7d537377705eac8f876b9e2950df9f0e5e6bf57082c0a3db6db92b39132e6e54ea53ca524e9d70efe41a6de24f7e1ed613a37b45848b0afaa9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\566c86dc-6acd-460c-8354-e5a185af2770
    Filesize: 11KB
    MD5: 74b7358efec1a61d12282e120163aea2
    SHA1: 31e1ac6806a57788c978b32550c57cd3a69fca8e
    SHA256: b6f869fbc3ad8533b8d0fe58a218423f1652e60270885458d50ee38b1ba5b2e6
    SHA512: ace7e5b94191ceb862990bf42a4a14b4e93e57dc4e62d519ba21385512e6f581f0444faaf5b648f99799562fe8bc57b8bc57a73a18e90248b60a2667aadac832

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
    Filesize: 6KB
    MD5: cf102f478288ba387bad6eb3b74a8946
    SHA1: 2dd8ce2e9adbd7d3708287635757e79b3166f38b
    SHA256: 2c60fa00e58ccacde83a3ef689b13e34fc1f93e932153ff9a467d672a0f900d9
    SHA512: c1909c06fcb96b586acb781a8a9d06766450e092ffaaebfc808205aa8b00b60539851be79a23bc865477be3499500b84c39a7f55d162fb48b37bd0ac33a08a25

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
    Filesize: 883B
    MD5: e07dd6d655451e28ad07c51fb44bca03
    SHA1: d0324cb1a0b0697cc867ced7f66d504828ab86f3
    SHA256: c09601a1485d95558f2cb95f109be2ddbcd077b38105e66999014ff351e34c3e
    SHA512: 43c469ae41baed02381f00a0acf49e18071a2ffc59c1d738ef5f24ef38cb6235307fa58e0cab2c1625667deff16d8006d6f2656ab3dd7a695671dd9f3918544e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 69cc4ce68ce55e681c368d219f32a10d
    SHA1: 28afdfa7d331fbb72dd993ecefea313f2799b446
    SHA256: d4e13af44e4664821cf15715fbb0038aa5d3f03e3b7a15a7efd4745d77a4b8d2
    SHA512: 4b1a2f353f0d8e1efbd9f1deafc551fdde86bed7d32662d025640b67c3a9e71e0c635a3fdab10196eb32ef5870fb58a6973c8920c7f42adbbd537ffb18c399df