Overview

overview

8

Static

static

1

http45.151...xe.txt

windows10-1703-x64

8

Resubmissions

24/08/2024, 19:10

240824-xvmgnsvarc 10

24/08/2024, 18:56

240824-xlh3wstfpb 4

23/08/2024, 11:21

240823-nf4mza1bqc 4

23/08/2024, 11:13

240823-nbkz3azhrc 10

23/08/2024, 11:10

240823-m9qsjashrq 4

22/08/2024, 07:12

240822-h1kgyaxfpj 1

22/08/2024, 07:06

240822-hxesaaxenm 10

22/08/2024, 07:00

240822-hs54nsxdln 10

22/08/2024, 06:36

240822-hc93patara 8

22/08/2024, 06:32

240822-ha293awfnl 1

Analysis

  • max time kernel
    35s
  • max time network
    31s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22/08/2024, 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http45.151.62.96setup.exe.txt

  • Size

    29B

  • MD5

    688fe12c2f39d3d739a04e6c89b1b22f

  • SHA1

    e2ea25ad47861e77b912026839666d3a99f5c90b

  • SHA256

    35e4cca77e38bd9beaf4a33c97a6f2464ca5ff63bbcf59831bd829b4683fda3c

  • SHA512

    f56694118d4adee2e0c65fb28c3ef86bc5db032656e2306e02e0f5b19706e260f0505ee97f5068d07ae5149a410a15eccd3ebc758d216a5549d7dc0de52834ac

Score
8/10
defense_evasiondiscoveryexecution

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2536
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.0.974040290\1114389451" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1668 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb41fb8f-5404-4c1c-86a0-efcadfd91a77} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 1764 2a4e03f3e58 gpu
        3⤵
          PID:760
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.1.1618104587\1181048756" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47f30655-171f-4389-96d0-ec7305111bdf} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 2120 2a4ce372858 socket
          3⤵
            PID:32
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.2.866457157\237572596" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2836 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {328fdc4a-467b-4e2c-b9f6-1ed5ec51c3d4} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 2828 2a4e0359e58 tab
            3⤵
              PID:4612
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.3.1701111360\1343833503" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fff022d-6de4-4460-9609-b1fcc29ca590} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 3396 2a4ce36b858 tab
              3⤵
                PID:424
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.4.1023684130\1813810357" -childID 3 -isForBrowser -prefsHandle 4380 -prefMapHandle 4376 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a376385f-d61c-4d6e-9cd2-c554bf9e8c8e} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 4392 2a4e67cbd58 tab
                3⤵
                  PID:1788
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.5.1573068189\776986783" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41d98163-1508-44c4-ad90-11ac58bc964f} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 4800 2a4e6f3e258 tab
                  3⤵
                    PID:2712
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.6.1373494887\1993526562" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7cf85ae-a2bf-441c-9d1f-9f4f6ee60a9d} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 5072 2a4e6f9a658 tab
                    3⤵
                      PID:1804
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3996.7.1848729516\1957305340" -childID 6 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c07263ee-493f-4db9-ac67-979a5c0449a3} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" 5272 2a4e6f99458 tab
                      3⤵
                        PID:4192
                      • C:\Users\Admin\Downloads\setup.exe
                        "C:\Users\Admin\Downloads\setup.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:3240
                        • C:\Users\Admin\Downloads\setup.exe
                          "C:\Users\Admin\Downloads\setup.exe"
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4444
                          • \??\c:\temp2\Autoit3.exe
                            "c:\temp2\Autoit3.exe" c:\temp2\script.a3x
                            5⤵
                            • Executes dropped EXE
                            • Command and Scripting Interpreter: AutoIT
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1956
                            • \??\c:\windows\SysWOW64\cmd.exe
                              "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fahfccd\khbfecb
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:2684
                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                wmic ComputerSystem get domain
                                7⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4928
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Drops file in Windows directory
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1560

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\fahfccd\khbfecb
                    Filesize

                    54B

                    MD5

                    c8bbad190eaaa9755c8dfb1573984d81

                    SHA1

                    17ad91294403223fde66f687450545a2bad72af5

                    SHA256

                    7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

                    SHA512

                    05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    116cc9fc8cf21527f26c1f307154824a

                    SHA1

                    c054229ed7df629b51974c595bdd6d0c44acab8c

                    SHA256

                    69a271c5ba7157b1d9c0ece49e60555d0c6063c4b3b82010bdb44a4a93e1d5c9

                    SHA512

                    ffd6362db34024af39493742e5f29ccb25dc95e5dcad9d26e8aabd9c37d4c6d71a16e1c4a4fd9934bbd799e7347e1479f6453fccec401c4ab98878ff91a0e6b2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7f0485b5-986a-48fa-842c-179c3127a66e
                    Filesize

                    746B

                    MD5

                    4cc04678731cf4c2e2c1b5df54a69fe1

                    SHA1

                    ebcabd215389d1ee160d824f09f79be64527fa3d

                    SHA256

                    556fb6c1ace03e2c30dd29c770e7e7ee240e40e2a3a172e403bf15191215a6a2

                    SHA512

                    7bea5523bef7dd92a56bc7eb2bf4813459d85f4e30e09feb93afd6d441c070087cac75872078cd6ad940becbcda7664f8f728441641800678cdf1f5422969179

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\e067924b-1a18-439c-a1a0-14694f3cf48f
                    Filesize

                    10KB

                    MD5

                    f1bcf9036a586e55b0d63b0803215fec

                    SHA1

                    182bef4b51f716566e537c678d223813e6db1ec4

                    SHA256

                    1fadbcd20c67e6f6b96453cbd41977d7130535129cc68b392b5901a62a8ace9e

                    SHA512

                    3534e2de573c626cc55d5c88050be8622284bd1b4b7db7f0b739ca5a9c914278cc2b546a6cd9999dd4b688c60691d8c6b1cc0b32f948a85df7d614a01e31d7f0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    b2311987c96b0c719eb5a430a042d7b0

                    SHA1

                    a9b613e250d9de21f1a99eaa0a3403b53aea35aa

                    SHA256

                    328853e53411cdba6f24a617c01b508c593ba0d14ea7be38406394154f04023b

                    SHA512

                    645dc1045c3bb2dc99d8a4383d5e2a807805d216e055db0e291324f4684b7502040bf06e7260e601f455e296714ea37c485a1ea635b6b3853ef030822866d247

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    d791c2d4f85dda3d4d032472882ac2ad

                    SHA1

                    0734d8a06fccc04ce28ffa7d95e869b14b93aa14

                    SHA256

                    264084c91abade9793f500ba838a6c802fa7a5206aca113baf079c19630359b3

                    SHA512

                    9e7c6217d87fb94c57b0ba385f7e228127c33d2eb9dc89ac530bf7278dab691ac22927cd58867599d0bd3e93216c7b6779cb6102b7df5a9cb6e234fc40689cdf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    7070cd68ab059e5e1f4622a3c959c9c7

                    SHA1

                    263e6bf9ff625e9ed6311cfd8f525bbb98401d2a

                    SHA256

                    6eddc8a1c9f9394264a3f8dd350a998693fd939bca678d4313bd4e446134a5d5

                    SHA512

                    8984d7c70eb48f9720faf9aa11ea02f9319e71ce37186074725993ad0c475ee5c4fe7e5feca0e3ef44b9dc7f011e0f9b01addce2666e8cf786cd33051c5c6bdb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    acb98d3d4e718735b97cfa91dc502aeb

                    SHA1

                    169e52e36b0118c591b2c7c4566f7d24bb48a1fe

                    SHA256

                    d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5

                    SHA512

                    a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227

                    Download Submit

                  • C:\Users\Admin\Downloads\setup.bTJxjRkd.exe.part
                    Filesize

                    12KB

                    MD5

                    24dd4f81a955e938b58be6e6e628140c

                    SHA1

                    cc82377c85d7b3cab2f503f442cde8b811aed608

                    SHA256

                    a5f06becbde9cca0b20fb5092537514cd39401670ea93c5eea3c204b1255e8f0

                    SHA512

                    31ededc1702e56e25f1147787a8dafaa95f9239a5b52e70a0ffa17b695f09d8324d33e8d21ca8a180748aab5b9b1858895535e2dfb776f865ee21ce2f184790f

                    Download Submit

                  • C:\Users\Admin\Downloads\setup.exe
                    Filesize

                    2.1MB

                    MD5

                    fc99ddf185aa553bf30c431cc897c903

                    SHA1

                    72c3ae0ed953a4ed3a5d1d8e3957f530c952f48d

                    SHA256

                    48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939

                    SHA512

                    0be1916e9f0fa3ff2282bbfc23ac9c5f19c15c17f5e0e6aa68edea3db7b780c53f473d40292f0ed324596996572917dfe584cc2d989773c77ee489b643dd2e46

                    Download Submit

                  • C:\temp2\Autoit3.exe
                    Filesize

                    872KB

                    MD5

                    c56b5f0201a3b3de53e561fe76912bfd

                    SHA1

                    2a4062e10a5de813f5688221dbeb3f3ff33eb417

                    SHA256

                    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                    SHA512

                    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                    Download Submit

                  • \??\c:\temp2\script.a3x
                    Filesize

                    544KB

                    MD5

                    2e861f2d8c1dbb17adfad1553493a14a

                    SHA1

                    77fdca0697900729755386d00fe89240ceb97f7f

                    SHA256

                    f8a9100f6fe719f091cdb4115b43f53d4b6c11eb51ea667fd57af81556067bcb

                    SHA512

                    55f571e4a51f10d8c83e9b157685bdadf7d73df2849700cfbfb4aa82314320c84a35b678a6566cf17f2c115f37aaa6bf22c9edfc745517b4493cd68fc4f64cdc

                    Download Submit

                  • memory/4444-129-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4444-126-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4444-122-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4444-123-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4444-120-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download