Overview

overview

4

Static

static

3

sapphire-a...51.exe

windows7-x64

4

sapphire-a...51.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    52s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sapphire-ae-install-2024.51.exe

  • Size

    592.5MB

  • MD5

    3783d6ad5640fc111b5d639dc084b267

  • SHA1

    08f6f3a5f02590a99094893e7d501779a45f6b0f

  • SHA256

    a0954190a1447ebed0af9ea4f933c95708e485cf1fc554e349e2a431cc827ffd

  • SHA512

    584c1c17e32f8f78f094435ffa2487c4f899c1179d3716e15e707c22aed74717a14758d573403086a72e7c6fa05cba0417f2d5ada2e0eed2ca353e5ca775ca10

  • SSDEEP

    6144:oS005gQ/h30B/awsidTcNmypjWV3GCcO5Pc948a0LQ3pdmtU70wTfG:oSGWh+eyI0ijWf5Pk4CQ5OU70wK

Score
4/10
discovery

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\sapphire-ae-install-2024.51.exe
    "C:\Users\Admin\AppData\Local\Temp\sapphire-ae-install-2024.51.exe"
    1⤵
      PID:2128
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.0.1312674186\946485279" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d6939d9-d287-4fe4-bebf-adcf89abc0d5} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1308 44d9458 gpu
          3⤵
            PID:2824
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.1.130518373\497750880" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa55fea1-5bf5-450d-b82f-df1ba9cbbf2d} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1500 e72258 socket
            3⤵
            • Checks processor information in registry
            PID:2904
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.2.1333850859\136330804" -childID 1 -isForBrowser -prefsHandle 908 -prefMapHandle 1824 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f63c230-47cb-473f-b84a-22934241f44a} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 2112 1a188858 tab
            3⤵
              PID:1544
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.3.1490043126\810955877" -childID 2 -isForBrowser -prefsHandle 720 -prefMapHandle 1712 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5320b91b-bf5e-4c16-a992-b06fb115b8bd} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 2364 e70458 tab
              3⤵
                PID:1220
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.4.1493859934\2049791430" -childID 3 -isForBrowser -prefsHandle 2652 -prefMapHandle 2648 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd3598c-4a3b-4ad3-a4a3-c630e1c2e821} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 2664 e62b58 tab
                3⤵
                  PID:1328
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.5.391267159\1475588208" -childID 4 -isForBrowser -prefsHandle 3252 -prefMapHandle 3908 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa83638-1937-4223-92f9-c5effc2424f7} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 3852 44d8258 tab
                  3⤵
                    PID:1592
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.6.1138013767\999109324" -childID 5 -isForBrowser -prefsHandle 4004 -prefMapHandle 4008 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b01459ad-1ebd-486d-80c4-f9e2b736892b} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 3996 1d9bbd58 tab
                    3⤵
                      PID:1500
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.7.1363902160\1460798919" -childID 6 -isForBrowser -prefsHandle 4180 -prefMapHandle 4184 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53c4303b-dfd1-4559-9282-a26e486b3c94} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 4172 1d9bc058 tab
                      3⤵
                        PID:2132
                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditSplit.m4a"
                    1⤵
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:2480
                  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterInvoke.docm"
                    1⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of SetWindowsHookEx
                    PID:952

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    26KB

                    MD5

                    234e424bfcf603413584d6b0d895667e

                    SHA1

                    810f42808741a9991d4c7809d59ee865795ac26e

                    SHA256

                    9587636a972c7ce13a9d322194f9342ae99825f4b71ebd59fbcd37157ddee992

                    SHA512

                    9cab82968fff6c017823e64bd1b6d6ace65bda7edcaa594f71444295cf627a575416c3f7f47c60d0b5c5171ee750c078efae27a8d5f12214aff3a96bbd0af1df

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
                    Filesize

                    19KB

                    MD5

                    101e5e2b5c734d120519aae1e827af0c

                    SHA1

                    6ff1bdf9344aa25b59c3afcde1f4bcb89a719443

                    SHA256

                    da55bca6ac4ae384fad6bc8a7a1039549c563643b0352a786d0ff69845781b9d

                    SHA512

                    41d99c2b0d07e54537e087a692c2a572b24e94af7339f31a8ab800e1cf6f50b706a6e2ad753ced42dc35e8b94de71babbaaf13a0c1978768c31a9efb426a202f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    caeb552e1d6520097940e83aa815f006

                    SHA1

                    d1665fcd924dc67617c5038474eeaf6eb4dba0f3

                    SHA256

                    a822661da588db6b9697a52ec34156fdc05a52fa968904e0d0144129354f51c5

                    SHA512

                    70a23fe91922a1f2d62e57d3092f6d6adba9c2aef03bf6807811e1c69e1196c8200756a25f480486c1eae723700e15bc980825df03f4070fe37cbf08db7310eb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\4534e9ee-cd3d-440a-be02-e8720d59f153
                    Filesize

                    11KB

                    MD5

                    3651c55102025a03100064c2a492fb9b

                    SHA1

                    bb3a0d101fb186af61b6cf0bee7d481e280eee38

                    SHA256

                    d5525a21fbc175db9e0bd06c53fe0547a48ed7ac5741e772fd6d8de5d14bcb6b

                    SHA512

                    3b8f048eb383047ee08f3dc9b7f50136113de6f009afea42e36ee4692e20c90a3468243a7376d3e42c49416569f4046c30427a1a2ec139f0052cb4b6fae98316

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\a2ca3357-fc95-4098-bc12-3f932aa3f5c3
                    Filesize

                    745B

                    MD5

                    c1e2e717d4d0ef7cd0cdb4894edfda42

                    SHA1

                    9b4f2a367a1655c83011c2e7f9360262f4a355e8

                    SHA256

                    24f377c9ac532bcc9c0a9df8254efe5283765542dfaf16694d93a063dd52b314

                    SHA512

                    bec86be08fab9e807bcbcf3f2bf7e68aa18241b81c303cea01a8d4d5da6c4d606de3f380172602a3c11b4741e7e715da5421cf9797e097c596ae68307c18b0d1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    6507a974bf190c3a8d460f322618b2f8

                    SHA1

                    882ce873835eec69242980681a8794a3883ea575

                    SHA256

                    ecb8a7f1d854b7e9021714b53e83e84eb69eae3dbf24641c1e6042b4a0352c48

                    SHA512

                    3c05dd5471bff3f010ee8a1a562e9a1dabc63db3bfcdc6c121bca5f8b734cc9c25e119d74a214ec81125e088de67a2220f21be8685e2adbc244f3f7173d6bed1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    745c52ac80e03daaed7214e462f3b290

                    SHA1

                    c6f1a72697e6682cab0909dc3f7279ec83fa262a

                    SHA256

                    13be8d5ac4911d3825e31960f7a7146d2b80bfee30afd968b875b8b971df19ce

                    SHA512

                    3aeb04c8db11a3b7515f82aef38d9d1b4d5d573188dd3d87e1807c0ee61814da508bfb5ea5f4582f2b8b18f77793aa005fd5d9c580c0da0d62644591c1fb10ec

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore.jsonlz4
                    Filesize

                    833B

                    MD5

                    b61f4c34b39a5f6e59c5f5494876e388

                    SHA1

                    521571faddb695fe069037cd38c237d61c73dc72

                    SHA256

                    f4f7a18a9d0be5bb7660039fae7381d2a7b449a48c5a03074a9434fa971a1ced

                    SHA512

                    5ed0f499c19efa55f12deb3e0dacead1bec8bc327ee172f89854fd22fea212662b72a528e7e5ca5b19e56870204fb58d511f3e426e29937c4dd22ef344eadb59

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    6c5fc24f72571cfa8c892ffbc5274e35

                    SHA1

                    58a463f935ac0cb3cba7f83b09c40639e2432d5a

                    SHA256

                    6dfcf6b8d3d92d66364e306a198d1f96dfae565546f0c6c6bfdf3f377f00cefd

                    SHA512

                    a98ceddae349169c56976f45958f15d692213686eeccc29acee17a99f5cf744ec7197fa400c6b1774b213f8e925c8d0782c7e639f20d19076f6f87a652b452d0

                    Download Submit

                  • memory/952-202-0x000000002FFA1000-0x000000002FFA2000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/952-203-0x000000005FFF0000-0x0000000060000000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/952-204-0x00000000739FD000-0x0000000073A08000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/952-211-0x00000000739FD000-0x0000000073A08000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/952-224-0x000000005FFF0000-0x0000000060000000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/952-225-0x00000000739FD000-0x0000000073A08000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/2480-200-0x000007FEF5A50000-0x000007FEF5D06000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/2480-201-0x000007FEF3900000-0x000007FEF49B0000-memory.dmp

                    Filesize

                    16.7MB

                    Download

                  • memory/2480-198-0x000000013F740000-0x000000013F838000-memory.dmp

                    Filesize

                    992KB

                    Download

                  • memory/2480-199-0x000007FEFAF70000-0x000007FEFAFA4000-memory.dmp

                    Filesize

                    208KB

                    Download