Analysis Overview
SHA256
cf4ace71e2fb09825dca8f3a1e0180708cd62050561d733027cc1d6b46d184a4
Threat Level: Known bad
The file vbug-master.zip was found to be: Known bad.
Malicious Activity Summary
Wipelock family
Wipelock Android payload
Requests dangerous framework permissions
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 18:23
Signatures
Wipelock Android payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Wipelock family
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
100s
Max time network
106s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mobelejen.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | N/A | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vi4a.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:23
Platform
win11-20240802-en
Max time kernel
33s
Max time network
21s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\߆Ȧ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\߆Ȧ\ = "apk_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\apk_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.apk | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\apk_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\.apk\ = "apk_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\apk_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\apk_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\apk_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54af5a02-210b-4def-89de-6f667b345198} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59dcf9e6-69ce-4e14-8b0a-5f3cbea463a4} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3220 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e21c8e-c9ac-4eb4-b065-6fc6d0c763b8} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 2 -isForBrowser -prefsHandle 3104 -prefMapHandle 3140 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d0087e-dd0b-42de-ab3c-fab9f035c3bc} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5184 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5192 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d41a5ca-1797-4b0c-a5b3-3fffd9532d3d} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5076 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {275930ec-a962-402b-bb7e-a7fe5b1d97ae} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a515120f-b737-44c2-8662-bbdac91a4954} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bdd5915-5f13-43a5-a8f9-05ae88a6c389} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\vbug-AIDE.apk"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\vbug-AIDE.apk
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:49764 | N/A | tcp |
| N/A | 127.0.0.1:49772 | N/A | tcp |
Files
C:\Users\Admin\Downloads\GwGZwOYI.apk.part
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\65c7422c-12f3-465c-a0cd-b926d5008ccf
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\c3853da1-0292-4ba6-9d2d-d20fdd51595a
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\ce21d755-6c90-4ac6-bc24-1339151381e4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-DS.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
30s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\elite.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-22 18:23
Reported
2024-08-22 18:25
Platform
win11-20240802-en
Max time kernel
98s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fbcr.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |