Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-08-2024 04:00
Static task
static1
Behavioral task
behavioral1
Sample
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
Resource
win10v2004-20240802-en
General
-
Target
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe
-
Size
1.8MB
-
MD5
5b496c08c6603286a74edf4f17a1f7e5
-
SHA1
343311b9d583bde7ed9039731036fe7fd31cc701
-
SHA256
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
-
SHA512
b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93
-
SSDEEP
49152:Z1/YQEbR60x6+yuS8I5FF/Yb8hsS0VDu7Q0L4XcjOk5Q0EGDYF:ZCz16iyupAFhY4hZ030LtjZN
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.execcc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exed6d5a874e3.exe5946973d7f.exe47a74827d5.exeexplorti.exeexplorti.exepid process 2016 explorti.exe 1200 d6d5a874e3.exe 4788 5946973d7f.exe 2584 47a74827d5.exe 5796 explorti.exe 2104 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d6d5a874e3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d6d5a874e3.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/5052-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/5052-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/5052-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exeexplorti.exeexplorti.exepid process 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe 2016 explorti.exe 5796 explorti.exe 2104 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
d6d5a874e3.exe5946973d7f.exedescription pid process target process PID 1200 set thread context of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 4788 set thread context of 1308 4788 5946973d7f.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exedescription ioc process File created C:\Windows\Tasks\explorti.job ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exed6d5a874e3.exeRegAsm.exe5946973d7f.exeRegAsm.exe47a74827d5.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d6d5a874e3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5946973d7f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 47a74827d5.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exeexplorti.exeexplorti.exepid process 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe 2016 explorti.exe 2016 explorti.exe 5796 explorti.exe 5796 explorti.exe 2104 explorti.exe 2104 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3180 firefox.exe Token: SeDebugPrivilege 3180 firefox.exe Token: SeDebugPrivilege 3180 firefox.exe Token: SeDebugPrivilege 3180 firefox.exe Token: SeDebugPrivilege 3180 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 3180 firefox.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe 5052 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 3180 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exeexplorti.exed6d5a874e3.exe5946973d7f.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4396 wrote to memory of 2016 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe explorti.exe PID 4396 wrote to memory of 2016 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe explorti.exe PID 4396 wrote to memory of 2016 4396 ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe explorti.exe PID 2016 wrote to memory of 1200 2016 explorti.exe d6d5a874e3.exe PID 2016 wrote to memory of 1200 2016 explorti.exe d6d5a874e3.exe PID 2016 wrote to memory of 1200 2016 explorti.exe d6d5a874e3.exe PID 1200 wrote to memory of 2928 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 2928 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 2928 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 4764 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 4764 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 4764 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 1200 wrote to memory of 5052 1200 d6d5a874e3.exe RegAsm.exe PID 2016 wrote to memory of 4788 2016 explorti.exe 5946973d7f.exe PID 2016 wrote to memory of 4788 2016 explorti.exe 5946973d7f.exe PID 2016 wrote to memory of 4788 2016 explorti.exe 5946973d7f.exe PID 4788 wrote to memory of 4460 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 4460 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 4460 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 3720 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 3720 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 3720 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 4788 wrote to memory of 1308 4788 5946973d7f.exe RegAsm.exe PID 2016 wrote to memory of 2584 2016 explorti.exe 47a74827d5.exe PID 2016 wrote to memory of 2584 2016 explorti.exe 47a74827d5.exe PID 2016 wrote to memory of 2584 2016 explorti.exe 47a74827d5.exe PID 5052 wrote to memory of 3864 5052 RegAsm.exe firefox.exe PID 5052 wrote to memory of 3864 5052 RegAsm.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3864 wrote to memory of 3180 3864 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe PID 3180 wrote to memory of 3824 3180 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"C:\Users\Admin\AppData\Local\Temp\ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\d6d5a874e3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2928
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4764
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7471ebbe-527f-4be4-88e5-3bf7f3901705} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" gpu7⤵PID:3824
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b51832b4-673e-4edf-9bd9-856695fb8fdd} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" socket7⤵PID:4040
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2620 -prefMapHandle 2864 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79959629-80e3-47dc-949a-256e1c08f8f8} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:772
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=928 -childID 2 -isForBrowser -prefsHandle 1240 -prefMapHandle 2996 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694203e3-dba7-4b7d-8a80-ef63d4dc34d8} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:2236
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d505cc90-ed8c-4836-89ce-1f438a95ff6d} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" utility7⤵
- Checks processor information in registry
PID:5364 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5196 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4b94a50-d6f4-47bc-a3e1-00e09d762951} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:5916
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c87c6e7-4fbd-4ef9-8156-ffcc1b12b446} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:5928
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fac6607f-b55f-483e-92da-152cba030d53} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:5940
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6324 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfecfa22-a4ba-4661-9e32-491b8190b2a7} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab7⤵PID:1232
-
C:\Users\Admin\1000037002\5946973d7f.exe"C:\Users\Admin\1000037002\5946973d7f.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4460
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3720
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\47a74827d5.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5796
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2104
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5c05fd08043fd1dc414300a92bc73e1fc
SHA19d3c8c2a2bd2881606dc2a826aad65f63a332853
SHA256531cbb2c4dbaaea781ad6798ce36c7ce254c8f88a892dc42ee0aaed205e1a73d
SHA51243f00dbf42c84002b4ab46b907953c1236407cdb55001d01ac193a87e3fab9ecacdf4bbac7d2a02297a41f4e62a2a37b93c2e8b559e791c5484791f2faa1d065
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD506df424d5f737566867544a07bd0e400
SHA156d523a7c6bf3988dddb55b6177c7b2baba0726b
SHA25633ec0b3e9258318c3e2df991f7ce10c82d67fbd2f6ba7f266e92ef7c194d96fc
SHA512c94455aef79aa6a8d27ed4b136c9a60e93b18d865910454d77cf742b18239773263768c0891f9868603049912d09c40c78e59b2c6773053159374bcda7c63c69
-
Filesize
1.8MB
MD55b496c08c6603286a74edf4f17a1f7e5
SHA1343311b9d583bde7ed9039731036fe7fd31cc701
SHA256ccc2a60072b214515b1ba5af3838f7c41d5c15531a2047f812588429f8264ee5
SHA512b2f80db9884dafc865f351bcbba774a342e10127ff3d720691d4f347a73ed1edab6e76d76f10e0b99e0d2a667675f5a2f5cb756b8d4240f21c75ed9ba1aa9c93
-
Filesize
1.2MB
MD5f5f1e8f743ec3d40dbe97e0e67e14861
SHA114b889a8602eb0d8c05f4bd415977c99fce99b90
SHA256a3c814c3833951d016c68679e2f8902cc1ba30d8acbb14a64aa3a58e3f23d51d
SHA512cc23bf8b3588fc68e2641c813c2ce1eaa7aa8d123071def3f88fc679abaaffed0d22fdb7e36e3d782170b69e62f0e4585a30f591d328d5c83039b997d8a30732
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
Filesize10KB
MD56bc89396eb7758e9c022ad30bb9efdd5
SHA100ee03a4b6899dab8f1467dcba94bbd93802a6f2
SHA256fc7e09a2e31b1912f21b8ad28fb42959b2b1486dc6b5c9f2b4c4944696df24f2
SHA51208ea95cbb5d31c71791a6f39b72ed8e71d89a122a2f267ed849892d153251511de1a853ec116472e859337eb847e9bbc92c1126746a75ade3785604809a76608
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5e9e3e5c83035064a492e080394fb6993
SHA1613678055ec776d38c8e2b9a1e73683b1de61fba
SHA256672d7ded46c952c1c894542a3a646e92901540d93d9a74d2d91b15dc39e1a1d1
SHA512d9d19385586a08da523fda04d32492f0ad8b58fa58388efb89d6a55070617568fa06edd82c94672c409c885a900e99199915ded422b94fa4506a1644a5d36a02
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD59cd059eef6e97092e1360212847f3b2d
SHA12105531f18c36aadaa94160739d080694715435e
SHA25603005282266a9e38b7696d865af2d65384fdc603b906037095134731ec5fee0e
SHA512366d27f8dd2e98520996afad74469b4d5273f517ec7934f84e1f4ac32906683d835d8a6ce41f1f6f6779b04ff6467a1569c6beed0bcff34519419875b7e3073e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\1634055f-7cb0-47eb-a35a-955a82fb28b4
Filesize27KB
MD5f9b5f5ff4917f0d6789300c897c57277
SHA12a5265acc663317ef8a411914ee82a43378532e2
SHA2569cb87acee519466923c60f59264881ab3ef50bfdc605d6cdbc62dda699fe372e
SHA5129363e962c1fc0525fa59cb5eda6938433fc398b83e19e788e0e05587ee911a8f866ca88aba8d9cf1b2e202ecdde5186fe2a5e51d4b6d1eae2c68553050994eb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\2692edbc-a5e1-4cfc-a0b1-7c72b4e6849d
Filesize671B
MD58215473a00a983e0b7fc3ba6f61073d5
SHA1b7b739de238b1e5d87a805e0fd55ac0462452733
SHA2567139c24946a19bd1d9b5b459b1e2d09acb0518f4966727b2c99b8ea58bbaabd4
SHA512d45ecc49f3e793d0a7537fc6c1b4435295f26f03f58524297b40d3c09c3ede498a0b51a591c2ad855a7fbd6af773a643d73a9fc14a5c300509d55e2b4514a50b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\89d7a29b-8ae0-4f60-babf-f46c70aa269f
Filesize982B
MD54b0f91b97fb5f645d5d227c441ca09de
SHA15796c1acf3a9b8e4a043150903e160147ca8d811
SHA256956ad19ca53645dc78abfcc83dbb97b6f9b8866a4d64a21cad46b8aeea9f0958
SHA512d6d701250f82eb827c42e9f0e3012eed61b5f8a0047954256e4720dd6de421f59fa21608cf8383b2a1c9649b1db4da2137d20a843df1c4dc4c21a0c4705599fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD55f3c229f7f2b3288d86ae8c97f29206b
SHA1dc2ada874b8b5af6ccd11c5cd5bac50d851244d2
SHA256e493c1b745ade3a477cf05468ab77d804d4b83dc2058f92ebb9ea1e10b5e820a
SHA51255dd0bb00cbf466c963b93668c78b1691bc144a172f9a3b078387f3847c8fe8cb32e53b6cf0b624f4e94ef603c822d3c0abfb5136c3424be0ca1b5c805b7e938
-
Filesize
16KB
MD5d5c548998174330a180bd4aece0a7043
SHA1513658f0bf2cd80f109ad73a8b9c59edc8b19880
SHA256c10464197ad66262e743a466983fe7d628970646abd57464df5166ed73f32807
SHA512ed53a07cc5fd318f2aed94e23a1e0ab6c0cf5b0b6b31d074d6ae98651f5073aa7a07e40abc569d45a2c1a51bd166867567a1fe7c4692cbdd9c7b686ad5e82e73
-
Filesize
11KB
MD552e3b5d3fb81be8f289ac40f64133534
SHA10aaf8661af9f96d0dc2dcf08b4c857a3efb0c7aa
SHA256053732947cd2c7fd1b4fae3b6e648f1637a9901aa233d3174469e0938afeb13b
SHA512d474cc5fb946683d439673d76e62460938baad46f125e385f3614c1ee43739a4fa913da15ff7dcbbf8bbd376f237db2e2e06dd6658bbbef8c2ebec9af51822a4
-
Filesize
11KB
MD50687bb6e9873cf66677dbfeb2d2d5206
SHA1a0250aaa2e1753e3ba803b2b0be0f1cb80865d1d
SHA2569196fc947c176b13717c60672a8ed4aed7b92781f1daad52c2888bfb5933093a
SHA5128bbcf6660255f5062ae6f4a99647b68943e65a643d720e2883c9a421de555aa9fa8f6c1d5745ae58b430f98a8b66e0ec06f0a52de2473316a91a7c205cdff9d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD5b6b5118182810be01de8ffb49d702d41
SHA1be819c265f746e5b58b977c3596c9701d9b2474c
SHA25699e9ceba29c95eb39697252be82c86ef51ea873363909a1b13fc015aaafd2110
SHA5126004934d791bb0ccb328f23ba5539190690cca416e65aaf75837175c4d0f2d30174c160069307121b0da36705ac65010c07c0d4b35cd72a2415983952139dc90