fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
Size

3.1MB
MD5

3fee6951de76acc25c775827e927a9ce
SHA1

c6c05e0d69e21627643115a4fc564c9880f8b11a
SHA256

fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2
SHA512

37f98ff191b372b1619da473051ab6e2de202df97bebe5461f562e6cd15372b1226cfd05b8e381883b7243eefbd9fb6b543ee747e360ac8327e6e9efd18d27fb
SSDEEP

49152:K2NehV8UBa9hRfrgP/frPCeIN4eI18yjtV2MlqQ5YIrbm/Z7rehFDfVW6X0ngiuO:CcAjCeIN4eI1ntYx/uvW6kbuO

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4388-335-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-351-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-352-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-443-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-1742-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2518-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2521-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2526-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2527-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2528-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2529-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2530-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2531-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2537-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe
behavioral1/memory/4388-2538-0x0000000000C80000-0x0000000001776000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	firefox.exe
Token: SeDebugPrivilege	4772	firefox.exe
Token: SeDebugPrivilege	4772	firefox.exe
Token: SeDebugPrivilege	4772	firefox.exe
Token: SeDebugPrivilege	4772	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe
4772	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2644	4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe	86
PID 4388 wrote to memory of 2644	4388	fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe	86
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 2644 wrote to memory of 4772	2644	firefox.exe	88
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 2508	4772	firefox.exe	89
PID 4772 wrote to memory of 3584	4772	firefox.exe	90
PID 4772 wrote to memory of 3584	4772	firefox.exe	90
PID 4772 wrote to memory of 3584	4772	firefox.exe	90
PID 4772 wrote to memory of 3584	4772	firefox.exe	90
PID 4772 wrote to memory of 3584	4772	firefox.exe	90
PID 4772 wrote to memory of 3584	4772	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe
"C:\Users\Admin\AppData\Local\Temp\fa2de824beea1f16efb72e4e4dc883665b1196e7c9ede4d6d130ff52a1ec0bc2.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b6a0b54-ce3a-4625-b94e-470e44ed1fad} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" gpu
      4⤵
      PID:2508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d54682ae-cf59-48a6-967d-3dacadbc0f16} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" socket
      4⤵
      PID:3584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3348 -prefMapHandle 3340 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab6b5a07-e54e-40e5-9294-335f151e0cc3} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:1588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 2772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc9dd7e-fb3e-43e9-ba33-8f01e29490f0} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:3988
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5ce7ffe-8422-4685-8147-fd0f354314f0} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" utility
      4⤵
      Checks processor information in registry
      PID:2060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 3 -isForBrowser -prefsHandle 5648 -prefMapHandle 5640 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d427e736-f00a-45ba-a864-7855e2365529} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 4 -isForBrowser -prefsHandle 6080 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cde33a8e-4bd5-4456-9bd0-0887582c932d} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:3972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5836 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea7b2fc-261e-4a01-8ae8-4c046e2669f9} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:1640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6268 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9d0d8af-a1e6-4ae2-927a-86a26fb44aca} 4772 "\\.\pipe\gecko-crash-server-pipe.4772" tab
      4⤵
      PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
2258e95b1bfa6282d316397f1d3daa51

SHA1
fff233422ddc8c0548d5ec8af655e8a42ec900fd

SHA256
c81aa2d1c896d27f24f9e209f3d02d64918cba5b7e0598cdd3b98510b3092073

SHA512
fbc9f7702ec21c908cd0584f9c1c0b0036cdd80ca20778bf2be425b9bfbb0b0b3f2aab668d4d5498d3269b378eacff8dac899d03590d45492cbd7fbe34fbde48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
c116e5da67f8f74b006adecb4973f5b6

SHA1
d7ee957f86c413bbf65885fe077aba00f467cad7

SHA256
8036171f7341e581389f93cd04c6d2598866eb7cae7803ea26c4cb0059f33a64

SHA512
005ef0f573758c67f7173b65b25ce303047a696106d5c80b559cc314749dbe3409ce922205996c9a67c518755130ba1d3fe7bb568e54ff77b37be6bafc5ee691

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
9d64785ee8b88413a7e8052db63a8155

SHA1
f3ea3fa6e795a052d22db8797b6e3edf9ebb66a0

SHA256
36c445d13448172150a534f37b6a6133c0899fcb729c0da1c83303581e3fe416

SHA512
52c937f23accf24ec8b41878069a29702247fe42c301591dae629bcf28864d36ae958acae1841201973f9826a4051ea2e15e1ce05f6456c2d11293c2d85b9198

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
8KB

MD5
69b5e050195ed8e554d8b1fa7c1e5950

SHA1
df0259b91893a05cc6ba9ccaf03ffc1f2b20a5a7

SHA256
5d3eed88d771eb545184b20acefec26ed1835cbe052a8bff54c8765818aa84d8

SHA512
1b8b5621f1ac1471e67f7187e89e04cfbffffb1dbc177dd35ba77b2f835a53633d645772e90eba3fc37cfc7dacef55583bd3b42123c43a15ecdb70b0587f9da3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
43f02b59c3a3025f526c026860270b2b

SHA1
8dc619c270654fe3a75c5a4dd8e2776dce9b542d

SHA256
e7f154861e325ee17d979cd4ff8f605f37a313c2cf3e69579848e78f5e9f9ca6

SHA512
e7b57a2b57c6ea84bf0dee45ecd6bb36fd23a74249f7075dffb5543394f4a4edc937f14a8f33332247e82e4da3eef3bbca14ab827078e158e2cc7121028aac87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
83eb44088afd4c097f933fd0ceb9df0d

SHA1
53da6f7720b336b6eb7c5a26ad585219ef6a5d4d

SHA256
70fed44dcad7aa6a85c5379e3867631a4db1abecf541001ff7390c34d371e3c7

SHA512
7b7e407d579fb0c282d9d6696de9bea6c8b7ec4a023d6129415a8af0f6560cd2edc9d89ab003776a0fef1f1862c0ff937171dcb378df51d9d85b3ab878b8d163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\189c5a39-856e-4f73-a0fa-edfab4d3e6d6

Filesize
982B

MD5
e8bf7395ba95105ba1fa45d1d9b5d27d

SHA1
b0a4a134303e694b62b688e45790712371b32a2a

SHA256
5f22dd7f260a0698340a34fe26a14dca57abda7d0e1b003f92b29a64c422068e

SHA512
c090555c04a6f021d4d62d98182bb0b39ad84544ea97c1c65c825dfe53c1b39138e468509589bfbdf32255589784c329a000811f80cecacbc77a54ff76774a96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\43b3a335-058b-4875-bd31-fe31bf531df3

Filesize
659B

MD5
94f190c5d0000d706b04f55e68d129ed

SHA1
36a3e2a05cba3ca50245b3e385229d010a16ab9b

SHA256
3b5933996edd75c1486ff73c64d186e581e16735f9fc4056a3c725bffc917ba4

SHA512
4230576624938da03a3276a75e74e36f8d8b06b055c5c31b217e835bdd255b7574df43b3175731cb865e779925a01b33363245d7ad3fe76838e112f419ad8556

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
13KB

MD5
5b65437ca901f96226abb5e2ba333818

SHA1
1e4852fa59e9db55bf4512fe760b77edad47e427

SHA256
ad1f2dd3d26e4d3018e6906a5dd367b072d4c6c15e87086da9b55dc9974f2a19

SHA512
bd9faaf47d0ae902347dd9163c6c132835f341fa2d66adff0099493542d1525937c4c70623e8b86e3fb5ec45987af624b073c4793f9970685848bc0b1a3773c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
16KB

MD5
5be3841a13c2146436d1d333973545ab

SHA1
7fe438b28a9ea86399ba12f7ff04c7f4bbae17c0

SHA256
92c00c0574ff095496e348b9410c0cdf8cb898cd427b3cf5bc8775bb3fb0aaa0

SHA512
757a6f63d27aab1b6d17528cf7fdd11020594dbe3fb4f879b6c85d67e540387965266f1dcf353ac05a118f2f295732c30a7d1d14da37d1829d392a780fb566ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
633f8dc5ddea1ab0d8965a0d2513bf15

SHA1
bc26b094e684c825932e75d8942361bcec7f5b22

SHA256
41919dd5749b0e16e775ce8afb19a8e7d77511c45bf119dd2e8ac8950b9630f1

SHA512
fe0a142113d169d309592b6eb2c311ddb5c5a790c4b316a09c11e9d279bb3e0ea2852d84213454774f6ad11ad488ac3b486049a04960927f676f4018fcbc28f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
b7373ea6e37f845393ef4a6ab535e94a

SHA1
bd90280281c715c96440cd839a24ae0ffa6f4eed

SHA256
401d335d4cdff34b7b9579ece8a45b2439761230a5ba452f3cada64c78b64639

SHA512
030d65104a6a062c94706b78366460da73869d9208abb7e5e9b782f5a1f99084e8b3012df6e0711b763ded7b1955daf4ac0a62c24f6771499d24c91f7140fd7d

Download Submit
memory/4388-2518-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2521-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-443-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-352-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-335-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-0-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2-0x0000000077C72000-0x0000000077C73000-memory.dmp

Filesize
4KB

Download
memory/4388-1-0x00000000FED80000-0x00000000FF151000-memory.dmp

Filesize
3.8MB

Download
memory/4388-351-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-1742-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-353-0x00000000FED80000-0x00000000FF151000-memory.dmp

Filesize
3.8MB

Download
memory/4388-2526-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2527-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2528-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2529-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2530-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2531-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2537-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download
memory/4388-2538-0x0000000000C80000-0x0000000001776000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads