Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 16:01
General
-
Target
file.exe
-
Size
1.2MB
-
MD5
9b0fc472d182005be2aa3136057fe010
-
SHA1
5534108357cee4f1c875cf3cfb88bcce28e86a17
-
SHA256
625cb795e97368485441344c0156e0673862094a5f8dbd942b49bae809cf6ecf
-
SHA512
0c58b44f72654da93e625614da0979b59da2a1b44d79cf9e28b54d87580e0eb86dc56debf2b161ef734df5098b540137f42692c81d4ec4965b7367b10c6decea
-
SSDEEP
24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aXYDENuT0jOtg:ZTvC/MTQYxsWR7aXYDF0j2
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d138449-a67a-4914-9d7a-279462a03447} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4c90991-4a15-4875-968f-14f675b8f59f} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 2832 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87e1c550-ac85-4f1a-bc29-8646fa474039} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {253b1456-381c-4e23-b172-055ab631bbdb} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8590f039-964b-48d4-b717-25de4468dc29} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5332 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5de4e196-9478-4aca-b69c-54dab9a12c08} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fc72e92-7dd3-40e2-922e-85cce44a454c} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5304 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {166d4ae4-3519-4146-af4a-94fa9581b559} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 6 -isForBrowser -prefsHandle 5656 -prefMapHandle 6004 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ec6cd0-3da5-4909-a4c0-467164484416} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD5a7ac7c9ca53f4832555a0556f7302773
SHA18fd860b16a1898295d94338614bb8d70e2ef0c35
SHA25657228f26e57a22cff4e3937c50b21bcd57bea4b793a2bb2a7932dfd91e7a0916
SHA51254704457d2e776d5736636c09887aca17f058b4901937c5983538ec1ffa51074f1e5e8275ccbc2f2203ee233a26b3a2cc01a7c56df0ef3720ab49d3b22d45f69
-
Filesize
13KB
MD539c95c6e1ed2de37ff8454b3c3050eb6
SHA1c30a20d8ba1d4f3cc4dc88bd4dbd1633fb316b5c
SHA25637ffdc6fdf70e87b5541da11bd9163b166748d652d29e8cde65270f5eafbbf44
SHA51205cb73572dc146e4303de37d6eddb8598ec3dcd568ed4f4aa0ceaa528a38cdbcf39eb815eea8c96daaeb11a922c3170c630be3f7c6ae2958017365bb62d01fe0
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
16KB
MD5e6de474aefb5254104b3eebe4a51a73e
SHA13dc0ccaf3f8913717854d209339f56ab60383966
SHA2562fc3d60ab9719751f322ac77cd13bd65d5332fef29a8dc4d489890e459c00b37
SHA5123b886d947afd09d41436ff8c8193c43bc3cef089c0caaff7d8ea61db7fce52cd2c8437bef6226b640a6f8af8b6f6ec460373d0a9ab0a83f50bb423c864a1e2f2
-
Filesize
10KB
MD5b54fe76705e8e1a462ce3675ca416374
SHA1dabee809a1371503f1be43f432757fcaa3aab8ee
SHA256e9e2891f17322e3ad133ca392184542e74357856838c2a67b62678a7c2bfbde8
SHA512fc06f0c1100b6abd592e0f5ba68743a09d07ad71692ed2ccfa0f7013411fb5d526787cf11745015e40f3c27cda962a345ce64466cf9b240976a1d33d66564d86
-
Filesize
5KB
MD590d1f815a1957567ca6b3c88dd6c1b01
SHA1b0019e9fd1bb7cee1aba7ef91109a6e35510da7d
SHA256933b88edf2c00cd9fe3fc13fe38423dff882717b9bea7421f75544e0c1f786a5
SHA512cab4c67a18ab39f3792f6afb7ffb8db314c5afefe107c8cc68096cefdea90ebdbddfbb2428725813b902195130e9003227d64b101e75961ab9f249915f729f74
-
Filesize
16KB
MD592fe5d171da3e19ff03e93469d8010ab
SHA191803a7ffe67b1f9b777d548392cc08d947698ce
SHA256ade417b1cba028eb7bc5ca932f7602edfc207c83bca2c6f23311fa34becc2cdf
SHA512bfaaad5e81cd4a4f476dbf6bd004ea34c52601bdfcb7d8fde2cdf3edb0486a8727798d231fa071dbfde88d85b646a26b81c6f0a771a0410ef8fa1db8748dc694
-
Filesize
26KB
MD54afff6e79835230af5c62b1ff4be8719
SHA1d9574fdd7198fe742e2766e15e2faad61f821b9c
SHA25613c4727ab1e97b457edfd5ebc97e1fcfb4b9cd906f68ec080b57c99c3d003112
SHA512a3f6365e2123d83fd6e0ecbe784cf6fd70cbeeb1b0445cf6b007f3504561c0bee95964bf5b49af8d66d275ee157cb9e9f8879524e250773f5a3eda2949e2c6cf
-
Filesize
671B
MD5ce976caaf2c4e8240a41ccafacd5d64d
SHA10182f9ea84f24519c44a70f9788b754e7b07841e
SHA256945178ba8d0225eefed731347bbcaaf4adf2f3f775891aafbd5c96406148e031
SHA5122c214882dd414c32120eb683753b93ba8c886601a74c8509fb1a47b2f5a3e76d76c7822ca687ea7c6be79f2896c5f6969b64bb99e6b72f91a3d48fa193e7b1d4
-
Filesize
982B
MD59d3edb8d5a0fb7e8d7245cfc54cb7d28
SHA153782cbde7a0ffb8c01da8583302bea8ca307090
SHA256502fa5b67eb5a3fcdddc9945fa75cd4df8999b9c00d09621b583ca0c904b00a0
SHA512eb3f6cc7948c5a3c6473cf83ec134c50b08676b96710d8e396385fae8aced5450f7260b4ad8b351f7aca0dcf58b1743e55f87f9572c7dc3cfe9768dcfde5ec0d
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5ab54d41b348777262abb368a4e194bd8
SHA1cffd58801272c79340c09208355e7ae0400158d4
SHA25683aa792545cd94d91d5ca894307eb6dbf192d203fa06294a422393a02d878383
SHA5125d42c6a6a3001c3e72c0c1da1af86ab7606b3cbce7b75fc5234c43f927a04286079052a528be35316e0e16abc97dc1256fb870dd2953c95f3acfd1b760753bb5
-
Filesize
10KB
MD53166913ff26abb71394368445885c4f9
SHA1022bef3d98236d51708e88b4ef533a3c540b5388
SHA256db564347930cae2cb17da5b0ec900ebedb34897cc7d13ef9c6052c1759adf767
SHA512693afbecc5a2174db2d225fb5e98933ce404ba6df51375179f8c065c85811a8cb214f6ca791a6d592f5ef6553c08fec880956f592d83fd6dc50aa82d255b95fc
-
Filesize
12KB
MD5dbb4bf3e06577e0b9f13f30bb651dd31
SHA128c3779a739f285d3a6bd691300f58bf8d3b38d5
SHA256334636255cbfc8e4954989180d1a0efa0f85150a3a85b3c0acf94eaa282f7021
SHA512e14df1a686c5f873b5a32c24d77a93c22a7bc1703350aca213a4551cc477991798ee5dd809156ebeafe963137c4372e7634a3e1514fd608c8cb73c7f0666f581
-
Filesize
11KB
MD5ad5f865cd819b8731ed5afafcc6d51a4
SHA1378c0eefc5c5824b12d313cce0b27468eb310690
SHA256b0737a781d8acb6227da1991092d258a8d16ac97a54b9b18480e0285ebdce339
SHA512f74cd57153c60fb3de3971d2b6806740b9bcf609f7711f95380f2d1016c2111b9530dd2d9519fac7df60ee6f89168ecc9868987ee0941aa62cbd1295041f82cf
-
Filesize
1.5MB
MD5a62fa822d97004e8e4464f8bd1a13a93
SHA11746af61485a389e7377b0b7a2e8751edd223638
SHA256557da4f95a9e0a295b3a4eee794e0bea5541d0ae4c14114a2c7e559f17cef6e6
SHA51219b87402009d2ea9bfc34ec02db069c762aecb30c2ac2660eb7845a2837effff46f8bbd5bb0170b70d36c2e56f7726dd8d0f8cc1cce9b1c9662abe192f9b8641