Analysis

  • max time kernel
    27s
  • max time network
    26s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14-08-2024 03:05

General

  • Target

    arsenal gfx.psd

  • Size

    47.6MB

  • MD5

    6c68cef564ded9b1f5eb37835489b722

  • SHA1

    c587106cf06a50596735f5b845fea561931dfa0b

  • SHA256

    3d88135ffe2234c684ba5f72d90cb77793cb22f57c602191726811de15bca8b4

  • SHA512

    8c614c5a18133b7baadec30fe5ee718c0147040c761688ce2ec6652b2aa28314f6e033b2aada575d05dd7f39f02b9a008e925536d46cf0f0fe7c1989e15874fa

  • SSDEEP

    786432:J+ylp7n7mveUyX1ajqJM1lyX1ajqJM1lyX1ajqJM1lBFqi7Oppq8A3W7C5AtD0fE:Vlajv1lylajv1lylajv1lbqi7Oppqj34

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\arsenal gfx.psd"
    1⤵
    • Modifies registry class
    PID:988
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2016
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.0.1921102906\2130860941" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55af3a33-2acc-49dc-92c6-3dd17e80558f} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 1812 1b4d84d6458 gpu
        3⤵
        PID:5108
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.1.504185561\153751136" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a80a73c3-6d35-42fa-8c42-7595f81d48d9} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 2168 1b4d840c358 socket
        3⤵
        PID:832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.2.464820199\921412049" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b112b9a-5d78-424c-bb02-e5900bffb136} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 2932 1b4d845d858 tab
        3⤵
        PID:1204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.3.1140285190\1350662545" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecc1b9f4-1876-461f-8d83-3e01c7b38863} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 3492 1b4cd462b58 tab
        3⤵
        PID:4608
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.4.304897030\977020050" -childID 3 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8693d37e-fcb0-4acc-8356-b41d9d35c97f} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 3788 1b4ddc6f158 tab
        3⤵
        PID:4912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.5.1412699978\1441531026" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3e94285-250a-4655-9279-da575df3e6aa} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 4824 1b4deb45b58 tab
        3⤵
        PID:2760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.6.1511847030\672097802" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5149fa-c05f-4a17-9d08-c7765503d3ed} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5064 1b4dedb6b58 tab
        3⤵
        PID:3128
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.7.1479251675\2087653589" -childID 6 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79b9b47-a006-4371-a099-30f9cb984ceb} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5332 1b4dedb7158 tab
        3⤵
        PID:2388
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.8.1153348720\776115069" -childID 7 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42dcd2b8-c6b1-4d66-908b-6b419859b19b} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5576 1b4e0cdd058 tab
        3⤵
        PID:4640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
    Filesize 8KB
    MD5 5d452dec303d50ca3afe086d03ead80f
    SHA1 ba1ed67496cac71527005e616d743d053cf9052c
    SHA256 61f3cf36e8e1dbfc1cfb280be25c0202f60d5fc26977501cbd24381fa8235b34
    SHA512 a66588fe5a69e660d4c876be7012a25f2cfd5c894deac85557e360e78c4f765f1186e40bdceb391f7d8fa8113bdfe7372c3bc4704e41d355fdca82dca41aae10

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\cb5a78ff-037f-46bb-b128-f30d4c5cb4c1
    Filesize 734B
    MD5 8b849e2d858722c1afc39c87e68ec80b
    SHA1 61caba26a58174db84fea0436cfa80fd09df83b4
    SHA256 22432fc3ad8b6588429cbd23ed54e89ada7656a6eb0eb9904bc008031a9ccb4b
    SHA512 8188eb84625513618808a5fe05fc92aa8089d0c3540bb4675b38fc7b248f3eb868afaab58fc41421c46af1c68892fb996d121eed43ed4748d4d9abbe5188d16f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
    Filesize 6KB
    MD5 84ac976c312d0b97f52c2d68a386c25d
    SHA1 126bdf7faf8d641cf293d39eb845246c7ad300be
    SHA256 7107f556af00974ec6c23574080da68698ef21cddfe15ec5db2582abcc29c2c9
    SHA512 14ece0178626070aa72c6d9021a9cec77b53b4ec5f2914ccc22aedf9ab00af8009c0d36f33a6f90c3b82cb8869e4c2e24e9999c282d688743d565fa484efb3c9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
    Filesize 6KB
    MD5 ff1943a8e6794dde6fea0d0125cc8111
    SHA1 316758361a6d91b423e3f699b39d03b40866c416
    SHA256 373be9f90c924e48b9a3e7cade9377bb24048dbe18013b12790722ef8c6eaa24
    SHA512 0542dde242fa58b940aefdb14a055c1ec5cdde68083b9264f4b3990cf2993062e0b3a0837d3cba09bb7ab4942a8dac3d9017d64807985eb18520a79fe65f3d83

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 23KB
    MD5 569380a664ea0520fa454804cb3975ca
    SHA1 9ebec77145803befb3e523b72e4e39bf32b6a292
    SHA256 740811466d9409016e91fc85e86502b39362dd56d3c89cf71be4320465545f0a
    SHA512 a3974776677279eec642cffaf25b60ad8e95e54b115e61160cf51c6c44e47b7a103c086e94b5d23376382e89191f9b2965450eae096243f6a9bbdb214d29e854

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize 184KB
    MD5 731c0e733fe1e3123d366af7c8e578ae
    SHA1 9756304ea773dd9cd96e5996dc79de2ed6a9ae9c
    SHA256 8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359
    SHA512 d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427