Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
13-08-2024 04:01
Static task
static1
Behavioral task
behavioral1
Sample
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe
Resource
win10v2004-20240802-en
General
-
Target
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe
-
Size
1.8MB
-
MD5
f04b3373ae5c6188c50c1dc9cbb47d5f
-
SHA1
ffcfbcbb82ad2785140e8c9e15437caae75f5e51
-
SHA256
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
-
SHA512
61e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7
-
SSDEEP
24576:1rvlKtCVXdWSpG3nr7m+989JSDLR1c0x9lL/ligQkQ247o0o7GW4ZnBG1ToYVnHL:1rdXkSUxGvDm9lxjTV0o7io1tTWgYCb
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exedd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exeeb13fa022d.exeb33c5d8cee.exe9706fcd865.exeexplorti.exeexplorti.exepid process 2984 explorti.exe 4340 eb13fa022d.exe 2684 b33c5d8cee.exe 2232 9706fcd865.exe 2292 explorti.exe 4344 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\eb13fa022d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\eb13fa022d.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/112-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/112-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/112-46-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exepid process 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 2984 explorti.exe 2292 explorti.exe 4344 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
eb13fa022d.exeb33c5d8cee.exedescription pid process target process PID 4340 set thread context of 112 4340 eb13fa022d.exe RegAsm.exe PID 2684 set thread context of 2596 2684 b33c5d8cee.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exedescription ioc process File created C:\Windows\Tasks\explorti.job dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeeb13fa022d.exeRegAsm.exeb33c5d8cee.exeRegAsm.exe9706fcd865.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb13fa022d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b33c5d8cee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9706fcd865.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeexplorti.exeexplorti.exepid process 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe 2984 explorti.exe 2984 explorti.exe 2292 explorti.exe 2292 explorti.exe 4344 explorti.exe 4344 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3412 firefox.exe Token: SeDebugPrivilege 3412 firefox.exe Token: SeDebugPrivilege 3412 firefox.exe Token: SeDebugPrivilege 3412 firefox.exe Token: SeDebugPrivilege 3412 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 3412 firefox.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exepid process 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe 112 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 3412 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exeexplorti.exeeb13fa022d.exeb33c5d8cee.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 3532 wrote to memory of 2984 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 3532 wrote to memory of 2984 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 3532 wrote to memory of 2984 3532 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe explorti.exe PID 2984 wrote to memory of 4340 2984 explorti.exe eb13fa022d.exe PID 2984 wrote to memory of 4340 2984 explorti.exe eb13fa022d.exe PID 2984 wrote to memory of 4340 2984 explorti.exe eb13fa022d.exe PID 4340 wrote to memory of 1484 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 1484 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 1484 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 3004 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 3004 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 3004 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 4340 wrote to memory of 112 4340 eb13fa022d.exe RegAsm.exe PID 2984 wrote to memory of 2684 2984 explorti.exe b33c5d8cee.exe PID 2984 wrote to memory of 2684 2984 explorti.exe b33c5d8cee.exe PID 2984 wrote to memory of 2684 2984 explorti.exe b33c5d8cee.exe PID 2684 wrote to memory of 5064 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 5064 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 5064 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 788 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 788 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 788 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2976 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2976 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2976 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2684 wrote to memory of 2596 2684 b33c5d8cee.exe RegAsm.exe PID 2984 wrote to memory of 2232 2984 explorti.exe 9706fcd865.exe PID 2984 wrote to memory of 2232 2984 explorti.exe 9706fcd865.exe PID 2984 wrote to memory of 2232 2984 explorti.exe 9706fcd865.exe PID 112 wrote to memory of 5032 112 RegAsm.exe firefox.exe PID 112 wrote to memory of 5032 112 RegAsm.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 5032 wrote to memory of 3412 5032 firefox.exe firefox.exe PID 3412 wrote to memory of 944 3412 firefox.exe firefox.exe PID 3412 wrote to memory of 944 3412 firefox.exe firefox.exe PID 3412 wrote to memory of 944 3412 firefox.exe firefox.exe PID 3412 wrote to memory of 944 3412 firefox.exe firefox.exe PID 3412 wrote to memory of 944 3412 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1484
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3004
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {929f08ee-1245-4cb1-9690-9af83f530423} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" gpu7⤵PID:944
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ded11c-5c70-4ba6-8904-3a7a65b8d1a9} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" socket7⤵PID:5068
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 2848 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c74b63d-0c22-41ac-87ed-4263e333f4e4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:1416
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab64fc25-0d4a-4ee7-904b-fc95c38a5bd8} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:4720
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4620 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cefc595-060d-4896-89ce-3b544ae9821a} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" utility7⤵
- Checks processor information in registry
PID:3652 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f99c56-b80b-42dc-8305-1021f980a6fd} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:1528
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adb8d153-1bb8-4c4e-8bbe-adf11e39046e} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:2792
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac0ec77-9b86-4fa7-8d28-6e77d93f90a4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:4884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 5356 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2152e614-af34-4ffe-b3a4-a99f5d97a9c8} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab7⤵PID:1776
-
C:\Users\Admin\1000037002\b33c5d8cee.exe"C:\Users\Admin\1000037002\b33c5d8cee.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:5064
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:788
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2976
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2292
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5493ca2c6a90f04fb410bc18dfd958f53
SHA173482091cc88709902cc09aa8b164c9268b6e9cc
SHA256b7fc4aa9feba9ee8c2307ec6d55b9010b9e8d2a50b2949dcd02cb6f6c3f7eece
SHA51241f4a31c9dcda2816e93b7fc259f3546439bc6eedc5e02aef46eb91b960b6132af6c4bd2f6f5c9fe0b19f2083d45ba9620a15ea72a0abdaeabc527831bbc2b82
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD50b7e3e65337a2ef80e12f03ecf96814d
SHA1eb6709e5a1a851f5e43b5762b4f3716214ba71e9
SHA25642830639538170ecd1ea1960a683b040c9d7f8c3e180cfd53c9ad99938eb316b
SHA512b7b813fe0f2095f48c65316dbc1b660a0c0e7d2cf8dc2569979857f6654c40af73190e02494e201d2918f04676e6339d8bc44f8aa9c0d155c00857cb8bec985d
-
Filesize
1.8MB
MD5f04b3373ae5c6188c50c1dc9cbb47d5f
SHA1ffcfbcbb82ad2785140e8c9e15437caae75f5e51
SHA256dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
SHA51261e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7
-
Filesize
1.2MB
MD50268fe10bef3ec38e53e6a393558b6ce
SHA19ab70efc9284b4a0bb4dd3f816e5070c2c8f6fd0
SHA2564f3605d6a7478c3de5bec04d779793e16c141d0f377f2246d1007f843268c31b
SHA5124357851b65a41c5a3d22ad9b864f163dcaba290bf11d306589dca65cead0ae7d336c732120582bcec1e6b5b9f9f201d5488b75b8966cc9a076bb9d55af1ebbb4
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize16KB
MD55841d65064a6843638cbf1e7b53e13e7
SHA1ea1e7322ce9eff62bf48fdabae83a8967e5b0d7d
SHA2561d4ae6c13f5f35f867b703e9d47b457cf5fb09ade2a4633eabd2a9d2582016d5
SHA512683da6e6b8b06514ffcb475a993593fe2b94c4b19b6bb1bd94d8d2442d86cb92db4531b1ae438646f0ccc0504c95e3e26273263a52d260f1ce767916b8b8f5f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize7KB
MD5b8639500e0ffdf63dc329c2a478c527f
SHA152e0a47b58c894cfaaea631baf991c7a804c7b48
SHA25610704a8b77a8fc93e099a04626ea925a0ceca168f73eb6b9e8ccdc7a4d6aa8a6
SHA512167855d91de771c8aac798f19b9edf3286b1d5ca6e2834438fc1a381a0669ac475dada1ddc3a9ab18e2254e43fdc11f5581b57ea687c8575836fcc3f939e0de1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5caedd66953a43e4b56fa284d9826b281
SHA15a062f98637f6bc55bf2b1e780e3f44ae09f85b4
SHA256beecc591da60e7f642cea0ad2ab584ace2d10ae8497249f87529370f6345bd24
SHA51293a77c7310d40de1ec9fda0f4313b9626799d1704b0f2f8337ea5bda66120aa373f8272fe28fee821818b9e7c45312b1743757212ac0a8d70241693ce9e3bb6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5845d2fe338e523fddb8270138a9ca1c0
SHA1d414a5e77c098d079b9f3ac529d5e3cf69767c28
SHA2566d93b1141e94e7e4f4c16f8021e05cf5454db3d68346876b2299d258c90adcd7
SHA512d1d68e26984e06ce27f0b342ee32772437c10997d32fc6ee5e5aab16165924ac090207bf5c737527f6003ab6bc739f2a61fbe605b436d5e100c2f82c51770fda
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD54c3d423ded2a8e6cbb939f4220a701f9
SHA176e36a59ead842c4243223a89b5833b53d5a6037
SHA25604e138cb36074381dc616d78d0ac67ede4c03c146d03df667f63ca2a15ecc669
SHA5124761e740156749c1be3870339921008ad3d5e038713b82ea3ec20979e75ce0a0a5945bc3e4174398f1c698d46e81e9a9202ee5e6ed0be50422b001bd3869bb5c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\0a20aacd-ff15-4df0-b612-f1e05336245c
Filesize27KB
MD5c06a5fdc8828eb0ed0e7110a7eafd4a5
SHA17bcaf6b8bf7393264331cd3d804b11a5d245f16b
SHA256486f9d46062ff3462b73c6ff414e854a8f4e3fbef9fbc1d9631c0233f4a54704
SHA5129e32da2a9d34644ee85b4c8b4a8ba068275374ba168c5ada4b265d07434ddb47f4bc19d730d19c51f2359bee7948f4b56d3f799d080dd5f797cda6207f6a8ad4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\5d3403fd-2f59-43bf-8e82-131af7f102b9
Filesize671B
MD5f5cf45b559008cf86d45156c25956725
SHA1651ff50173ad1a188491a341c43f40d00875cdab
SHA2564ce3fe1fbb922f4b054a3661a76fa1465bcfdea92b6dcbbb08ff0072d6f2529c
SHA51277c599fe94468ac5138e3cf00f176c3b4eb35fc15771e6c6a7c96bfe860701ccd2bce25cafd019b8bbba8bc3f0b1a9ac00ea7e994b4ef85582e151d6d349eb67
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\6fbfdaad-3a2d-46f5-8fec-3d6dbd5e4284
Filesize982B
MD5c35b732f522387febca327e8c2ffbd75
SHA1bef884a7aaf2e72b0dcc34a57f29a6c115a29707
SHA256b33c6e5ec1f39b65c2159ad2f1d65ba2fb774bdecab36dcd1469ee8027415542
SHA512292f86554ea2901f3844c559d80485e30138c14911e2911fcbfa2c8ebe397a246370ca46ab9085bf9b2810580bbd8a7b3693a15c0a43fe5945a627a5321075d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
16KB
MD51d84498ada7ab0b58cc10a13f36e9b5a
SHA11c5f021b39bd5e05f0a95aaee423064f2ce51be3
SHA2562e143718be331b2a2e43317ab6d69e824fa0293e4da51b8d18748afecf1db8ba
SHA51260d4f49ad7cecf7ae21740819faa823643294bb7b7a9f3eabbdf24afccb0f9d5377d82005361be517f75ccd647f218159020280f3e60dd5e9f65f6475cee6d1b
-
Filesize
12KB
MD52dadf97c8b4d3d23fac178d608e072f2
SHA16d0aa4fb561340737f7d1748f1ebb4b51969cab3
SHA2560245abc27c6f39b9fb5d97f3d65ad33baad8632c0694b6ccfeee8e30fe4a1601
SHA512449bb684e25ccf944307201c63b3ddced492e919aa3a90cfc5fa4ee04ad3f0a9e9491dc9a31ad4cf6b838f8946aea312efa143aa466f3919a126d400481af770
-
Filesize
11KB
MD5bfe3fb495b224d54f71b0cd3333a24ba
SHA11a4963eac39bcf40d87d49f695a574c0bc00733e
SHA256fe0ea4214b15b45e64957b3090b4bb52ceaffb78824fb03e98c67ff45f87564e
SHA512ea935570e782fb199e782bb5b5c5e3a9f7421cae38ff8fcd0373bd6f3d3112a6687a7cd9975b6d5f8fd10b98e4cef62f5275ae2de35c61bdb660cdf0407006d0
-
Filesize
10KB
MD58a9758646a228fedce2b286b2b3327c4
SHA1ae53f6029906d4d2d612c7baee94cde443359249
SHA2568626cafd5d0ad4c99fc0eee25c0fcc8ed4c784e84f8a4cd38b047a0597874228
SHA512100b2703b396c2854eb1235e26166e002439a4d3c1eb24881861b76edcfd7ac20b744f331de27db6ecea2e20a3aac690ced8e19527534bb795e40da315a0d707
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5bb8a258374df5e78e43bd3d6165096af
SHA15d5193038a23f3459f037a379b6489407091fe89
SHA2560ce66e0920cfea972f42af6abc1ea974c082cf5878adffdabc35191e2d09459d
SHA5122393b9781ed2c0ca1d4d32402343071eb045d33e3030be40e5a37410bb79d5c478e53fb17cdc25514d913aa6e1ec9bc0c99c4676a23eb4e102b8718633e4419d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.4MB
MD52fd11d8fa84fa82416ffbf245a849a7e
SHA1176a6aa71fce2eaa4415f9ae73bac24367f03d62
SHA2568afb421d76564c2d048853ed489efbd34810acdf638d989731e6904cdfb154b4
SHA512e7fda7d33f72cfe8e72d85dfb6f2c1ddd1c1dead6706de31526dad542d0f4d1eb0b34feb821d0913720506b73837eae30982467112e85feda206789e0f7b08f6