Overview

overview

9

Static

static

1

ppg alive ...ot.jpg

windows10-1703-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/08/2024, 02:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ppg alive head shot.jpg

  • Size

    136KB

  • MD5

    e3247c06dc1f7e91f0094cb4c32b4925

  • SHA1

    e703b8d316b3bddc4ea1c40262ae88d3de1ffbe0

  • SHA256

    7838cacd5206443575dbe8c1cbc7427db78e48e2d7252212fe15df08f2df36e2

  • SHA512

    e13d9d6ad769c0d259230c1ba999f47bdc4061d01c1c85f8cdf95dcfd90a9a6f6db9cc0582f98ddd600a384e79ecab4a2bf8e95af4722cf2aa8ac1aac753535a

  • SSDEEP

    3072:ZyzApEd2mgyf/UR3ax1WM9T58D9Vhcp4vlpbBh2:MzApg2mpXUR3ax8YT5GhVvl74

Score
9/10
credential_accessdiscoverystealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ppg alive head shot.jpg"
    1⤵
      PID:4888
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.0.580059208\338892186" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2356b4f-e1b5-4570-b6dd-869ea12bf860} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 1796 227e4adc058 gpu
          3⤵
            PID:3772
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.1.705276754\740617112" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05191ff2-c689-450a-89c1-6746a2e9695c} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 2152 227d9871658 socket
            3⤵
              PID:2896
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.2.1899296344\856676943" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7b8224-35c5-4c25-a8b6-a69721ae551c} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 2992 227e88b6d58 tab
              3⤵
                PID:764
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.3.167144562\555682593" -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e3c562a-f479-4971-ae8d-a747f9674535} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 3516 227e70d6058 tab
                3⤵
                  PID:1756
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.4.285651746\406048665" -childID 3 -isForBrowser -prefsHandle 4292 -prefMapHandle 4284 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab724d6-7ea0-4a3f-8cae-f79146ff85ad} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 4304 227eab6e258 tab
                  3⤵
                    PID:5080
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.5.1477647505\1148334624" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8d170b-d0f4-4927-8fb3-963e1c526bb1} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 4876 227d9868758 tab
                    3⤵
                      PID:1300
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.6.854853672\1829660357" -childID 5 -isForBrowser -prefsHandle 4996 -prefMapHandle 5000 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5a3c84-17d2-40d7-a52c-5efb22658ec1} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 5080 227e984a458 tab
                      3⤵
                        PID:3392
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.7.638703044\232303578" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d39f14a-57cb-49c5-a3c7-0a8dd072d9e8} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 5188 227e984b058 tab
                        3⤵
                          PID:3428
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.8.1558309058\394817624" -parentBuildID 20221007134813 -prefsHandle 5516 -prefMapHandle 5232 -prefsLen 26249 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3691c248-6614-4be3-8b7a-74611434f268} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 5224 227ecc8ec58 rdd
                          3⤵
                            PID:4916
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.9.2123273128\725842782" -childID 7 -isForBrowser -prefsHandle 5792 -prefMapHandle 5788 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebcd4b1-d178-47af-95cf-1ea30a3a5166} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 5548 227ecfbe458 tab
                            3⤵
                              PID:972
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3628.10.52623704\1702140726" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6052 -prefMapHandle 6020 -prefsLen 26249 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62c6c5c4-7931-4ecc-a9b5-a3de7e6aceae} 3628 "\\.\pipe\gecko-crash-server-pipe.3628" 5948 227ed37e158 utility
                              3⤵
                                PID:2024
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x404
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5808

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\30582
                                  Filesize

                                  8KB

                                  MD5

                                  d13dd49ebc9f3d3ace205bf5eae15fec

                                  SHA1

                                  a420780e05929cd3f9dd477673cf9fe3f13b98c4

                                  SHA256

                                  921eed54030c6e2af18f8b0323452a340952acf256094ba2a3479ba5e37e92e6

                                  SHA512

                                  a93bf14b2b824162bd6e56ae9c7a0dde502011822ac43843fca51cd864c2fe1849b372ffd568811bdb9a06aef5dc4d76daeaa9aa7dbf1d3c5cd266f9977cdf52

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                                  Filesize

                                  9KB

                                  MD5

                                  fc0f81a23b4ff339075f9f05483f4e14

                                  SHA1

                                  d31d6a6814b658efbb9074538763eaa07bd016b8

                                  SHA256

                                  deebf0c7274a888580c07636ce27e42ec840d71def32a7f95fb33a05a7213575

                                  SHA512

                                  a913278b563ea8d5f5645f69e6a2eae0c26451dbf8ab29719a6ce846977569d16ffdfa41fc5dfb132327e15cda77e954332656ee3675b616da7707917953374f

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\d0471429-459a-4a4d-8b2e-daaf154371e2
                                  Filesize

                                  734B

                                  MD5

                                  d15014944ca557425b179b744a92247f

                                  SHA1

                                  fab46a989561909c555a1762e915cd594eabeca7

                                  SHA256

                                  8d54e701e8bcffa5305f650b725fffdda4fd52e9f9dcde45ed6e2d5a8f38392f

                                  SHA512

                                  724db640df9303479bcac66530659426cdde9decdd5dbc82fb5f91a1976dc3d0b8a479df0aa05634424e239164b6d6a9fe69e30316ba324723548ef724162a32

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                  Filesize

                                  6KB

                                  MD5

                                  f4aefa2062aff996c114f6fb63cd4789

                                  SHA1

                                  d7f0a20dc77e69381201dd409cbc1f27e801e6d2

                                  SHA256

                                  52cc2108465172474cc14f3ef2bdbfd560c8f26a3141532b4caf56995c586f85

                                  SHA512

                                  43ea2fa1f650c7164bddfaeed72177be770a422089633b86aeae265fe01e885aa264f36e1173a2da0b35b390c1d2fd0902a14f28e950a96ba61728aec592a41b

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                  Filesize

                                  6KB

                                  MD5

                                  5231311bb20b37bed0ff4c3c49675f98

                                  SHA1

                                  e0f11bc1f82812fb56d5c6bc575383d594765b7c

                                  SHA256

                                  ef0e77a11379bacd5be21a4cc76055a2a1b22a3975fa303b3ab065a5dc3a37ab

                                  SHA512

                                  4ede601ab23500fdd4a98e1cf00c81ba5a549471b83baa223c28024abb08d15ddd4ce1049e2aba513195ab7e852e4578737d360526b22a7b13f0078115797536

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                                  Filesize

                                  6KB

                                  MD5

                                  df87ca8c360560dea40aadc05ff47ac3

                                  SHA1

                                  2e4b7756b1e7d59aa27bf3c4db8e58ba3e327e6c

                                  SHA256

                                  87cf782ddb0e87eefaaf22a95b12e7ecac0b06188bfb8c2200e90fed866091de

                                  SHA512

                                  8d0cd3edfefcc2f86f80036b2a2bb599879b4f76039ec949a975e616148b741bf90e5e0d71d3ffdacfb7b74bd19f3a9bc62de6ccef96ca2f61d0f34ac645e01f

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  1KB

                                  MD5

                                  66722c72d3f051a784ea612dc44b7cd4

                                  SHA1

                                  ff55df896faf25aa4fb68bb4602ce73d2556669e

                                  SHA256

                                  c04fb124af81e67eb5b56482b8fc4fbc60e6cbc40087c7ff173b1b9ab6ec98d4

                                  SHA512

                                  0d5797b1b5933c36da1a3d450e9d7d2f1ae6c767feb7b4e20096764b2e3dabb2bbbd5aac8a4c039ed8c837c33641e0e1ef13e60198d8ed2d1ecad64c23f551a3

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  26KB

                                  MD5

                                  072fd323eb708b9685608f73c63bf4ca

                                  SHA1

                                  be775ad9478923be81ea6066e8f17beb5844d831

                                  SHA256

                                  ceedd3aa52c813ea754cd8dd51b08f343f5e69f07f86c802043c4ffbbb6d567d

                                  SHA512

                                  eccde9a240ed50d41298e97fc0aff4bf16cd4d8a9f36e797c2edd5a755b6737ef4d0ff6176e7a55b2d4e30245ba2f638a33046021dd71a5e4105936f6609f78d

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  22KB

                                  MD5

                                  78064eb2ccd6f7197b4dd456eb19da5e

                                  SHA1

                                  3b45701d24e52b14d8687fdf696c147e9730594d

                                  SHA256

                                  f22770e92f79a53ce49e92ab738b46f171b363135eb53503a3e33bbcc132ec53

                                  SHA512

                                  96321ed59f1089a4bfd1e56b249e8e328012ff550c49141ca7ff1fe096c95e54ac7f2563912776f794a23ea0517c8d0d2d8b56a941a38a9e5ea83cddb9dbea50

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                  Filesize

                                  184KB

                                  MD5

                                  e7d901ad03d22078f4c42ecc83c3bd45

                                  SHA1

                                  13ffe2ced2026e6b99c39a96d006c7832a72ba17

                                  SHA256

                                  fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

                                  SHA512

                                  8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

                                  Download Submit

                                • C:\Users\Admin\Desktop\Recycle Bin - Shortcut.lnk
                                  Filesize

                                  359B

                                  MD5

                                  e91e2e19d333d2869ecd4e84dadce0b1

                                  SHA1

                                  4cc8f4571869f83e2c0ebfac3dd17f0c51654bd6

                                  SHA256

                                  1bae20e282456a5df55249f23d3c89430ed079c5e0f25d16976128f303db9e61

                                  SHA512

                                  b540108474cd92140d824e7aedc50b24fc30bcd9d5a87ac9c5f6af11b1079d518006c1942a156da093f3e27481cb5182d60118c4e984f099a38cff68fbb59867

                                  Download Submit