Analysis
-
max time kernel
136s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 14:31
General
-
Target
Setup.exe
-
Size
840KB
-
MD5
c0e656214d0aa532366da6cc3e067d2d
-
SHA1
7c6eda4648f8d2627f4229044c1704b8c3c4c144
-
SHA256
237cdaac5a4cf21eee70dd48f632a54a713b9f7b20d60f79c2d9f1c25de6b128
-
SHA512
3ce07f6cfb9cbdf4586f64787519faf68b55d974038eb7bc64131e1f11e5828cd75791af0ce766bebbbf69fbf076d4eed826a0d51b5b3a788117b3fb9c85f83f
-
SSDEEP
12288:NsAmEI+CuMPnKTfTOnFxPp65H0YqBx/l+ZZc8RlP0YJhfVl56LJtxyuTH8yvGL0g:NsAIL9+ZG40YJhfB6Vtx7TcCGWDHXmZn
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://wise-thx.thx4downloading.com/Installer/Complete?source=google_pdfcreator-display-grey-US-lefttop-468x60&reason=cancel&user_id=6946f245-9b0c-4fb5-9cc0-4ad8150c14fa&et=02⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://wise-thx.thx4downloading.com/Installer/Complete?source=google_pdfcreator-display-grey-US-lefttop-468x60&reason=cancel&user_id=6946f245-9b0c-4fb5-9cc0-4ad8150c14fa&et=03⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b5045c5-bdf8-4ce0-925c-f9d1b828520b} 508 "\\.\pipe\gecko-crash-server-pipe.508" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01ea068b-88c6-4e34-b528-00db0495d0c7} 508 "\\.\pipe\gecko-crash-server-pipe.508" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de3eb141-f6d3-44ee-8a75-fe63a89a4574} 508 "\\.\pipe\gecko-crash-server-pipe.508" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -childID 2 -isForBrowser -prefsHandle 3276 -prefMapHandle 3264 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a3a2dfb-e5dc-4fe2-a0de-3b92819e818e} 508 "\\.\pipe\gecko-crash-server-pipe.508" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6663521a-e7e7-4bcd-94df-f057b6730ce1} 508 "\\.\pipe\gecko-crash-server-pipe.508" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de7e799-4810-4eed-bf20-164fa251d8e1} 508 "\\.\pipe\gecko-crash-server-pipe.508" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b196921c-67d7-4884-8c96-c11160119467} 508 "\\.\pipe\gecko-crash-server-pipe.508" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f603db-e444-4edd-a4d2-23ab7aa28f57} 508 "\\.\pipe\gecko-crash-server-pipe.508" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5083f5ef69c3961f96ccb353b127b78b7
SHA128022c7530ba79b542795e02a9320f3f104a6d72
SHA256d6a08079a92b93c13746f8c1032523eade303d349ff8c3c58268f59f7877c965
SHA51262574891d46cc6cf8c5f428d1ffc72a6c4c51b04c17df8d7464964083346b34f26b0b26c82215bbe5eb20ce76e881a38a89a3401816c5e0f6e6017b2e3ae7a25
-
Filesize
16KB
MD587966b3dd5c840e8beeecc4ed60bad11
SHA1c8f5d6883b2fca404d1f7e8c14640ab54e6faf08
SHA256a0035e4a8165456f4ed0fb23cdce000ce0982c1cf43a807274b8503e92615dca
SHA51229a534dde6b2fe7bca855c49ae749da51cea88fc638fb75a56a2245bbf44f25dc5d394371bf056fd104f69966f64357d9bb3bc900263da8fcda5e2c2e804774e
-
Filesize
4KB
MD58567a4e41569b63f532c0c42c94dda4c
SHA188932204373ecd214b9182be52398ae27cd44b5f
SHA2560f025ec348d3be3c65b0573b9480cc8bcfaa41797283d71d1c156a19bfd3b5e5
SHA5120d2a005b3e325910d8562ced08c65903ec991d3335bedeef4c574094b8bba4ca76b45d2fdd9f35d562bf578d527bfb87bec663b62066fa0686ec9c13faf9aea9
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
5KB
MD51959eb33004d6107d3412e109c37b742
SHA159c3a787483e7743d5b805cd36726a0bec7e4992
SHA256e60a764cd4d721c9fd261555510c51c668d112a37f2da2f0be1da6dceaa5f8ad
SHA512238724a6b809d371c6ebab6057c61019e48caf7dd3245c6dca77efb5c015703a206472a9b82f778114c8dce3f10dd13fba972644b137020e4e5507053358e68e
-
Filesize
8KB
MD574cc51e1abb2bc075d26bf69d5fad246
SHA16aea0d1ed2cff4914af7214743788ab752e0073c
SHA2566424443425749cb3683ebcefa614c4cb37ed3bc38b704f7d96e6433a3b853c75
SHA512312aad51b4e603735016d4c8b87c62c4f15977aaf11dcf69177ec622f64bda54576d17cc2e5835969b778ff5af67f2fb24b0cf77129582334e0b414cb0daf64b
-
Filesize
21KB
MD5e7bc6f8876561253fdb457ada67d3f72
SHA11d6e69751d3c84474350f2f63ce182170d710f99
SHA256c9fdb81ca5ae8f722d7857c2fe3387248212cd0b4694775388185de853b0f58f
SHA5127e0693af7b349bcabdda179c2fcb10135b1ad69211df252484d02865028328c28f5fea2eda85dc5e0073b3caf492d95d1e8d011f6e8f0d95a8b0ffa536971f5d
-
Filesize
5KB
MD55310b9618664c951121f627a5d290804
SHA16e1facf43bf220c87340bd9206284ec4f3cd0279
SHA2564b0c8f0e35d5d10043caa4d45545ecfb7b6b4cf84f17e74be788d64eca57e464
SHA512fb6a381f7d2bbfb46069861c1cb13dddc0283699a17b32d4f232072c1d85d64cc01e459f6effa8814ff07e976862ec4ceae44bb631d329a99c0e8134a276df2b
-
Filesize
26KB
MD5544c3a7c5e798d5813aa49c4dd9599cb
SHA11b7c852eeef034dab6a2f6f2aab52e8a8178163e
SHA2566b7a2a19716b4256dd918b67e827e7adccabf922699ed84a4c17f0b48d422644
SHA512a5b7aaaba4fdea4ff7da1316e9eb33363170a2e226acd3ab9b74fa94b136ee8c2c4fe09a547b69a8a7c8e519931a5c8b45e352602906e4494d2deb65bc0c2378
-
Filesize
671B
MD599d571d787052fbbf3e81b5dc379c91b
SHA128fd7810f1099daf29ed9e4bf506d085d7fad889
SHA25697a0a849992f13aa8051ec76cf64e8f243606a2bf3e4b9d7630afb7847175b19
SHA512607f901fe54ec995643e2b3d1ac06d99e6de3acbbd3fed9bed6aacd8335fc1eff95517406e6cf40d970fc246b9b4959a5cedcb29a5203e6dce37bb92e5b94457
-
Filesize
982B
MD577dda26b4d38925b1b74ae55e8be02d8
SHA1da06e7300389c02187c4571e656204816f2fba92
SHA25659dd1a7b5f71c4e49874fecc90fa95796c45cbd6e5370481cb21ddd20c722fd0
SHA5124473ee2c5154ff295ad04fe1c5a0bb38d7830a8cde12bc15711c0653bb00a3d9932d3c508b14d796c9a6e6942f69d7506d2ae5f4c8bb96bb525d3353aaba555b
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5d1eff9fb5458e76c9f4c521c1949065c
SHA1edaa1e297e5b32edfb73ac51d23c2dbe473e02db
SHA256b8c536a1924a26f5853c192dd6da28e11d6636f173616f533752d254c3fe97fe
SHA5123f7e7dc70e52773179bd6233c47f7e167701943ac90a3242c80803008cdd905a30a39828406680ab72c1cda759b66a0c32c70e8f183250c84fb544b5af653f43
-
Filesize
11KB
MD5d5cb344059bddd15828c0818a93b94de
SHA1816051b4d84793ef6f187bf7da2fe1aea7f31df4
SHA256c90d306f899909fd84850b340dacfe0bc9e660107ae07a1035a878236cd71784
SHA512738181be4b08035b1ebcbf81dc86b694458ad81e932b23f3b5e247a7804020d97702907336421dc80832a52301be8306f5c43c445fc51b0820600d3be54a0f47
