Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2024 04:38
Static task
static1
Behavioral task
behavioral1
Sample
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe
Resource
win10v2004-20240802-en
General
-
Target
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe
-
Size
1.8MB
-
MD5
60d21a39a1b117c3bc3560b0a83aca68
-
SHA1
2fb017dc561235ef750452792d1673dba85d9a9f
-
SHA256
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
-
SHA512
ef5bbef34d70d206fce276fef0c0785685157b3e91baeb908a52d97ac44264dc7b8bb3f1835306e470a48b6e3c24b094318455f6b28e77ced69c74c5446dd106
-
SSDEEP
49152:/EBAhR4mA4x3YcKMqre8LXXBXF4SD/DN:sBAi4xUregpF4oD
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
nord
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
explorti.exed50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exed50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exeef755d12ba.exe0fe2b59edc.exeexplorti.exedc4c253116.exeexplorti.exeexplorti.exepid process 3804 explorti.exe 3740 ef755d12ba.exe 2512 0fe2b59edc.exe 968 explorti.exe 4440 dc4c253116.exe 5728 explorti.exe 4704 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exeexplorti.exeexplorti.exed50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef755d12ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ef755d12ba.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/4012-43-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4012-45-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral1/memory/4012-47-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe 3804 explorti.exe 968 explorti.exe 5728 explorti.exe 4704 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ef755d12ba.exe0fe2b59edc.exedescription pid process target process PID 3740 set thread context of 4012 3740 ef755d12ba.exe RegAsm.exe PID 2512 set thread context of 4128 2512 0fe2b59edc.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exedescription ioc process File created C:\Windows\Tasks\explorti.job d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeef755d12ba.exeRegAsm.exe0fe2b59edc.exeRegAsm.exedc4c253116.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef755d12ba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fe2b59edc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc4c253116.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe 3804 explorti.exe 3804 explorti.exe 968 explorti.exe 968 explorti.exe 5728 explorti.exe 5728 explorti.exe 4704 explorti.exe 4704 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2872 firefox.exe Token: SeDebugPrivilege 2872 firefox.exe Token: SeDebugPrivilege 2872 firefox.exe Token: SeDebugPrivilege 2872 firefox.exe Token: SeDebugPrivilege 2872 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 4012 RegAsm.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 4012 RegAsm.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 2872 firefox.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe 4012 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2872 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exeexplorti.exeef755d12ba.exe0fe2b59edc.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 3012 wrote to memory of 3804 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe explorti.exe PID 3012 wrote to memory of 3804 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe explorti.exe PID 3012 wrote to memory of 3804 3012 d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe explorti.exe PID 3804 wrote to memory of 3740 3804 explorti.exe ef755d12ba.exe PID 3804 wrote to memory of 3740 3804 explorti.exe ef755d12ba.exe PID 3804 wrote to memory of 3740 3804 explorti.exe ef755d12ba.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3740 wrote to memory of 4012 3740 ef755d12ba.exe RegAsm.exe PID 3804 wrote to memory of 2512 3804 explorti.exe 0fe2b59edc.exe PID 3804 wrote to memory of 2512 3804 explorti.exe 0fe2b59edc.exe PID 3804 wrote to memory of 2512 3804 explorti.exe 0fe2b59edc.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 2512 wrote to memory of 4128 2512 0fe2b59edc.exe RegAsm.exe PID 3804 wrote to memory of 4440 3804 explorti.exe dc4c253116.exe PID 3804 wrote to memory of 4440 3804 explorti.exe dc4c253116.exe PID 3804 wrote to memory of 4440 3804 explorti.exe dc4c253116.exe PID 4012 wrote to memory of 4636 4012 RegAsm.exe firefox.exe PID 4012 wrote to memory of 4636 4012 RegAsm.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 4636 wrote to memory of 2872 4636 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe PID 2872 wrote to memory of 2440 2872 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"C:\Users\Admin\AppData\Local\Temp\d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\ef755d12ba.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ce529de-d97a-4ca7-89bd-d8e4f095dfc0} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" gpu7⤵PID:2440
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a51799f-6216-4369-8202-c2d80f1e40de} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" socket7⤵PID:4992
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 1 -isForBrowser -prefsHandle 3388 -prefMapHandle 3348 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7aaccf5-3c9c-4f65-beb0-08fe7d396440} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:3848
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f56e6d10-f5b2-4d34-82e5-5cf976c8dcdd} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:2640
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {569f0f70-b004-460c-a066-929533ebfbae} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" utility7⤵
- Checks processor information in registry
PID:5440 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5192 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7129cd28-d531-41b3-b156-4a48bb58a090} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:5884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5268 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5479206f-9e05-4098-895f-14891d046b89} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:5904
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb27ac1-1e02-42aa-9fbd-e4ac071f3a6b} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:5916
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6204 -prefMapHandle 6208 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69dfc7c2-ce29-4b87-8070-a8ce7e8c6eb0} 2872 "\\.\pipe\gecko-crash-server-pipe.2872" tab7⤵PID:3224
-
C:\Users\Admin\1000037002\0fe2b59edc.exe"C:\Users\Admin\1000037002\0fe2b59edc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\dc4c253116.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:968
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5728
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4704
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
330KB
MD5adbe410e187ae39241d2378f7719f885
SHA1c6f0456e21e72b5546dc0399531639ed7049c00c
SHA256e0d894321ed7dec422d647ab8c30e8488a28ba923fa61c13154d549170f9d368
SHA5124a0db229a221be9ab1c59d0688177bf5e5e29e002fb976dfa57e185dd0613ca58a98919093b02f4d42cb915282ef12d1cbd61fd8828cae1f5d4d877b66b121d5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5545a7b2b3d341d18f5a06e30c222d446
SHA1db46b1ca190d93fedba22c7f3baf29b4416a8e73
SHA256fe6046fdd2ea8a6ce3324249a17c44c48daea96eced4c53b4de9846d9536b694
SHA51262057d6672ead95fd03088bd1537b97f71ef09d0d4e5cae062090791901960383cd5f0eabab32d6395a1361b79778bc3e01dc6ff45c14229325f685186871df0
-
Filesize
1.8MB
MD560d21a39a1b117c3bc3560b0a83aca68
SHA12fb017dc561235ef750452792d1673dba85d9a9f
SHA256d50bbe61a6728c0320d7e939a7d880ee0d694b1011616bd51e63a272261594f8
SHA512ef5bbef34d70d206fce276fef0c0785685157b3e91baeb908a52d97ac44264dc7b8bb3f1835306e470a48b6e3c24b094318455f6b28e77ced69c74c5446dd106
-
Filesize
1.3MB
MD544e6e18e8db12ef131a8be9d98aee0f7
SHA13a40de306cc9a8799ca113d7cf17bbbda56c0736
SHA2567b2d7d6f2f33c8daa980a619541045a976794e26ab72bd7689ad2d2a1e476382
SHA512ffccece392b813ac071fb31c8aa8574f2a2e2ea6e6089aa9ffef401035b338451eac63302d79562aa64b9568858be91f9273d2e80180f85e018d583e912772e7
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
Filesize10KB
MD5fcb86346ea84c1cda6d0c6d7fa811b1c
SHA1cb1d867c0755074db6d9da088a834942f6561bb2
SHA256b5f9a5b7f6e26478a7bb90e96cc34c6c2254ba39d3e8fc076081983cc6c92964
SHA512bdba25271b96f63a8f3495a50c4327a9f50b25efed3e2a9f43a3d46cc9c7eef11198f45665f29da87b635e419e65328ee6f92b648d10b295cb85239f173b09dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD518b31da0e4cd8a3d252bc68429078a19
SHA10c309dc972ad51e03a70d861b392d28dba7999dc
SHA256b2f92c694d0657536daece10a84632d5edae0d9abb31a9c43ac70a6c343aebfd
SHA512b3036d59bba11c451265bf967dc87778894779691d880ee43a9fe64bcec8bfaafb3ae325b65d54765c48ca230d1dd1c335db302596ba0b79ea48af1ffe94e280
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5a91e554bc1eae409868d3675289509ae
SHA174dfc86fadbf75b04f81ed742f81058fc701fd4b
SHA25655614d910aafb5389f25ddfefc89593b83a69d4c3a67f453877f4d19c497fd01
SHA512bf9d401fa58765ffca8e1c8815a1b78e00f4356bd72a62293d9b1cf78919db6da5c77f1ede53edec3c348ec529dc7f9d40245772df394ee1c84ff3a6631efbdf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5a5f3da50adf7297ca54c72d6c09df5cc
SHA13071b6069911364bb55f34780271fcad5b7e5419
SHA256eeced2fd5a1173eccca9f65ef04e0886527c18791f0a7fd4fa6aa1b3ce1280ba
SHA512b238d70123768cea6e8910d8c0c281b85bad31d78131f11bedcf367ce2eedd29a32230119eef309d2ff913429243160e88f97f90623ebd651511f36a467023ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD534cf8a4c908ff8510d0f2301e4333b25
SHA12ebd99544d244ee62300dc603c07abf535d5c5e2
SHA256b84b8db2935c5388a082dde7e580fc30a9c0f3f8dc95019d6c0c23385ae47bc1
SHA51238c48f33feb24a659ab8516343ac1314809a426867ff57d8f19bf6dc8a8e12e566b18ed7b6ab8bb4f377a3d047e6d2bd0c481b4744a6409f0b393ea7eb535469
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\7bfd9825-0006-407c-bdc2-d21534ec43dc
Filesize671B
MD54e220afab4e3ee3c23172d8eaddd9160
SHA14763d6304e23630d220ba980150c5e35431e5e62
SHA2561525d399e4f568f8daff3c4f1c5663a5ce76a6b54418d6ce09eb8a0505afaf8d
SHA5120f30fa2f7c7930ef91c10be5886077d90dc3c10ed729fe771922d620e25ae7940e505635890ff56e4c6a78314f0bfdbb28aa62bce138211f130b0d7ecf84a0c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\bfb19937-00bb-4c9c-96b7-4b21d1f4ac55
Filesize24KB
MD56d0191d8a9122f6f4d6fad6510500976
SHA1a9085f0b3cfd22a0df5eaac3cac092c882fcc089
SHA25693bf2b3eba6f0709d643a9392f73cc6e2217c6f727b89ce31dbdefae434c1b15
SHA512187bbafa77b14809afa64d0ec41486223e5662ca2daaede72959c1eada5f7db9781af42b12fe5aec7ff43ca72124e536ab9795fa6e778c793676f06883a13327
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\c21163f1-7c5c-4ebc-97d8-54ae6227952f
Filesize982B
MD53f9602f5f5ae642e3af4923a3d7c7528
SHA19bea6256bf6d9813e4c1d3a776798b02783e0b14
SHA2560e9b57867c3c3822f1e74df9de32605f4e2fc4910feff6843e91d8db74d36f62
SHA512801d5a44e72f010eb7046dbf9abe48c31c593559b06c0b749976306eb346dc7328cd6f60cc3827ed49be6a37d7f5b7d35f6423bdf274a00b4fe79886e0414799
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD524b347173a6917e4c30aee133dad4540
SHA1b34d004af576198dec5c65e2e249343f33b2875f
SHA25620ac4fd9d73c65b56cdbb62cd69a05f63f380fc30d409daf1c6aa72c4cd1c78d
SHA512194143efe87d6207128b619cca3db544a3b072e88299eaa83a4c73dbedac864c052393304d87ded674e3ea8e533df758df090963615d6c91c75e3aa750897b05
-
Filesize
11KB
MD5aab328e6ca0188727a7faaf7d6586447
SHA104644da532daef94cabe1d5b18f80bfc61d6d34d
SHA25652f39b5fd3bfd559691f8f77533c88a2486019dc8fc9a6b89a13cfb68b78d584
SHA512ed12ef0abbb8d1c59b178f32f293d4e6a0fd2af045b57ddda1d7541522702b9245f514e3be895719db37398f27cff61263836f0429be837dfbf33b68ba8bbf03
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize960KB
MD53caa66e84182382f6c048bd44e3578cc
SHA1c794b8edceef4ada60e55a2fb71b41305529af2a
SHA256965f03a78b538ea4f90711c154edc4e5e11ce864789dce10729284f0a1d80a07
SHA5129fe7992ea19f726bc1579004d3e21e50326e150f564d87f19f70e66d0167025d89cdc0cb622669a718958f5767c694ceff6b5862a8be37062e4b855849db4875