Analysis
-
max time kernel
136s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22-08-2024 19:09
General
-
Target
x.6xyyn.py
-
Size
428KB
-
MD5
b0db11ccf6cc25f90b6549b2ac8b4be6
-
SHA1
06505b3e55fea1b45b354ec254948917cc9b7f20
-
SHA256
ea144323b74c05280c4fa2032103775cfae4969f8b9b08b8c32d686f0f48b647
-
SHA512
cb73ff1a0f06d748c1ebc7e648b07cfdff7d89b8c40029625af88eef87ca3d7eb79176970404a8d6c35ccf9958cdc3fe4531fc75799408986b0bb294972cca16
-
SSDEEP
6144:Gsuvg0QTXyAPKah7y8c0vJuQP1CJTqTAHvYzIBTREvR8KCOum7k3muBRhRam7mYQ:L
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\x.6xyyn.py1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\x.6xyyn.py"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\x.6xyyn.py3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb92e07-d108-49ca-85c9-78ea530ef488} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {090f3221-2ea1-4773-8bbb-00cb8eb29bf6} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2968 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6be38078-2d2a-47f2-80ac-d902a1864810} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85e8fcc3-e35f-4b06-b434-1d7ad28b482b} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4384 -prefMapHandle 4468 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2304510-14aa-415a-9c11-196faee5eee1} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5264 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1467126b-5f92-4249-ae9f-fc53753e9e67} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {535f64ba-f15b-400e-9378-7c399ec4b5b1} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03ca9d71-812e-436c-a677-c8f312428213} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD55003acac003259c84da11f9c90193ac3
SHA1148f53c95dbb5287e5df077ae8364cc911492104
SHA2565f72d0c8099573f6a8f05bb51eb7e837cb4d2b7a7d77aa7f2664d94c9d1ecfe8
SHA5122824d634bb85f965f11af24877fd8cf333d47b5174d9af8e553d7a06af8145cce1c696fbb69620424872cd376114fede2a92ea5ce2c940572ecf4cd21f1cb4e2
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5d92d3830ba0b465d62ba81c340a29634
SHA1af03e6acc47404dde46870d645359e2b49c17026
SHA256b7aaab30bc385afffeb4e1f859e862894a8bbe51f4d65b3bc0796c356dc9ca77
SHA5122e428daee04826beef44464c0de172c08abb623ac77b2e1d55df6e45f5650f36d7287458469cf9e6e707790842f01b1b7df40e2aa8b7c5db49d613763cca8837
-
Filesize
23KB
MD5f71164e81f7c061a2233029d109bbe48
SHA1ae9ffdb5b3b3b3ec08642f05308fa93bf522bf94
SHA256ceee58ac4cef08757d9911eadfb2882d9161d63581838bce9ea35b096de16982
SHA5124fac5768ef559cc71a4711938bb83fe03389ddf9a4ded9e5a503bf66afca211e25310d4365dff57eb62b4ca8c91909704bdbe98b76b1ff853048996af9b2779b
-
Filesize
6KB
MD5d1004c88cad5aedef68133b89deb2a71
SHA1800f0be41e3eb98e465f229cd2951e44c0b9ebfc
SHA2565ba637b0654bed7b38bfaa5ca1fcbc09b4745cb5715f2a2d2a9011f9b4e669f0
SHA51282aff2f96202ffda4649e67ab53e9591951d4272cad529036232660246eb5854fedcc132b5ce859a80ea7e3bb58a6ad914ebce15d825629cf923d430447856d3
-
Filesize
5KB
MD5e0bcbf8fdd2d5308c641632b7d4a9e40
SHA1323a6bac28665b0a0c1adf2143509075be2bd590
SHA2565371e32a3139dc99a3221d64dc12f8c5566dc85a4fc77e00ad3f1826598f7755
SHA51280ae7f506216ed7ee7d7d3a0ce2ac29dcc8ded6e7874a1627e70b4a0656611a9474aba180ea0fc334065ac0f876b36773743bd3c3c768c3f9d2e05ac906b0468
-
Filesize
26KB
MD577de0b46e275c1a1f037c254d1fd2ad1
SHA15a4b8e863a8be42aa5c11a16ad1650f558f42e21
SHA256a471607f7ddace1c60d4544b653f15e6e3fc174e1a18cdba90f6a4fe62220c60
SHA512c81f95ad21fa493b4fc28785e54bfcdc04755464522d638aa82e417b47bdf44cbd8dcdb60ab26d836b66615c247307d6d9b10a39023b32f2971e137a8b0d8deb
-
Filesize
982B
MD58edf3ab49d48668a47af73001f900946
SHA19ee26558f97929269f13e5a9bbd6affbe397fb1a
SHA2568f42212387e81c27c5c2b6f9408b0fb354f9f7c3d8e7c7df9a79d14c965b291e
SHA5120d65bc792dd10247592b4be18c55c31407e3b901188f65409419f65540ba6e4902b0233af77e5173e3bafac9bfc19b376e004349666e598a0b16c84fc37c3dd4
-
Filesize
671B
MD5e3c007704ef82709990f4af4e37b3aff
SHA1f856eee4dcd4b3348d2ac140011ea4b8ff36779f
SHA256d684b801c6d44c73698e44142e725fff37f87d7bcab449f0348f8bcf3d54e307
SHA51281ed0d251b46abea4fe6e5c3d83043d613e92dda75e34fe3c674775a695b55cb17e370441ad7adae56f192061192fbaf19b2a8ffa3084aed0a633d5334c4088c
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5b1b4a56a67595f4cd3decba6eb5587c6
SHA17e7eec4f34594b6b7e856e3a8e9878a393812489
SHA25668c61749db54372fceceaa408bce1f121a0c53e414571b739fb607fd0287e4de
SHA512affda6130765bd89cbaf169c61452f4280b3d3fb99b223f023ce1457f39c031cef2ce30d45d775df0463850a9da0bbb8b9b39cb4e669f20083125e1c60ab487b
-
Filesize
13KB
MD5652edee793ff5d4aa0c1754241621988
SHA1c6d17d400271c39552fde1dc798825ba31059a10
SHA2567155776268445d4afb1b42c6dfa92dbe4a7dc44d905c76cc64c6d6710753a00e
SHA512c05187a1989cd87b95efc568ae8c531aeb0235cf3a5fd6aa633f282b64df39c9cd5a496073315e81c06b63521741af7736ca94123f984f4ad5b1e0cb125dadbf
-
Filesize
11KB
MD579e9182c23be7c869c24f389d910a3fe
SHA10eaf32e37633d4f358bc593285840fe5d0a2481b
SHA2563f76c19e3176f32a168fc631bbb5c33ea5d672dd7b34b0dd9a665d5b02e31fae
SHA512c057c7a69e8af400cf4cc18af009d801cf5923125d521f19a62e0195525c285b48f225f7f3d70553c4d1f551b0514c624b11cc625bfb52c3e5398eed8caa2b15