a652ee8c16aec1d60c7b9c4dc2fb8accfda87992cf4e85a042e69d0fd18a44b9

Analysis

max time kernel
156s
max time network
249s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beat Banger - SteamGG.NET/bin/win64/ffmpeg.exe
Size

81.2MB
MD5

d0b13eb54c937edb80886d87a0643cd3
SHA1

0a120f5fe77513b813fe1df80540179131f65902
SHA256

b6a3561b7b1fdfbf53f67c1aa4081947d097c64c793a5f2c6c220c9ebccdcde4
SHA512

3254ff4a7443d6124969eaa02e32b928d434a840a8de18a694a8ba27e05a6050a72f728f6de67e5b8fdf92b677cba2e9115b3f3f2072ec75728563e819c504c2
SSDEEP

1572864:QW3Uub2tHRINxwdcYS/aEHBt6w5HnflkgpSOFnuT627jzeK:QNtx+FnuT62DeK

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4528 firefox.exe
Token: SeDebugPrivilege 4528 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4528 firefox.exe
4528 firefox.exe
4528 firefox.exe
4528 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4528 firefox.exe
4528 firefox.exe
4528 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4528 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4528	firefox.exe
Token: SeDebugPrivilege	4528	firefox.exe

pid	process
4528	firefox.exe
4528	firefox.exe
4528	firefox.exe
4528	firefox.exe

pid	process
4528	firefox.exe
4528	firefox.exe
4528	firefox.exe

pid	process
4528	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 1768 wrote to memory of 4528	1768	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4868	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4868	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 4572	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 1392	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 1392	4528	firefox.exe	firefox.exe
PID 4528 wrote to memory of 1392	4528	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\bin\win64\ffmpeg.exe
"C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\bin\win64\ffmpeg.exe"
1⤵
PID:4620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.0.1121734464\381073453" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b534f1-2566-4233-ad9b-fe8a01a96e13} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 1796 1c5f02f3758 gpu
3⤵
PID:4868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.1.1095327119\241253306" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c217130-9beb-4c30-b401-61f3bca098f2} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2152 1c5e506d058 socket
3⤵
- Checks processor information in registry
PID:4572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.2.196607049\1894426744" -childID 1 -isForBrowser -prefsHandle 2568 -prefMapHandle 2708 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {099b0024-7fe2-4bc6-a3d2-9249662ab1d7} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2944 1c5f41a0058 tab
3⤵
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.3.1861245078\17512682" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3eb640d-c4fb-4943-a5a3-2f4f8ffc0b66} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2948 1c5e505c158 tab
3⤵
PID:3364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.4.1014688197\267251823" -childID 3 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b0d2637-9174-4904-91f4-55b93c29c422} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 3904 1c5f584d658 tab
3⤵
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.5.1328667561\381873421" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {829113a6-877e-4e5f-9f80-b51f236c4e92} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 4828 1c5f66e6c58 tab
3⤵
PID:1740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.6.1769079035\1101209933" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fed5722-5cbd-4f7b-b407-e9e900cbf8e0} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5100 1c5f6abf258 tab
3⤵
PID:2896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.7.1247906037\197619923" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d5bd075-16ac-4050-af27-02eef32c46da} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 5252 1c5f6abc258 tab
3⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
69073b0470aafac6372451ba7cc924e6

SHA1
895527fcdf29be98ffe25ceef477d16b6a6ecf1e

SHA256
4250cf354148f581ef1db371a48af67bbd3b92299ebc52e219def4ea53bf8594

SHA512
ae407bf308f2409da3be8e8beba3a34a1f94817e5721582aacfe3566bf84e8811b9867e4002efe68cbf1555aed95b38c1e2da8bd7a6889040de8f921a87376ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\600adadc-acf3-4820-8414-0b8d8776b1bb

Filesize
746B

MD5
14b2429958c8a610fec028d3bba8e60d

SHA1
6b579c197977fb40e3bcef580c00abe8c9f17883

SHA256
9cb2b3d96e8095d97a5aa1dc9b8f03d825ad977a6c17dbeb41205db2eeb3d53c

SHA512
cbcacb9d5a34fc7ee215d9bfb6aaebf52f1a949d31c9e607fa57583bb41e7a39845e6d079eaf598032320b3279b16858e1accab38b80ff13fc35cafd634db7a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\935658da-6707-458d-9803-a1e9fd208c16

Filesize
9KB

MD5
ed5c23c477ad7aed45f89443f72604c7

SHA1
d4847c399b7e844e6133e61c13da1daddcfe43ea

SHA256
510a36b7dd3fd67181ba25a05bf3022f5874a797f573926bd965e274f2f74b8d

SHA512
aae81f6cbbaf604b871b34a9e2221918050cab30e8fc293f42df3c3b9cc27d5c4c8fbb1741b2793e25b609f01f40734f0c5a2804444700250607053b0e06414a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
cd5f8cfeb89bcc65d18310dceea4f4aa

SHA1
0f9860bab5eed132cdc37beaedec844a9bcce6c5

SHA256
a7f3a9c4f8698ed32d72db013332dde5237bd088e835372ec3b2202f0a14e694

SHA512
f300fc99363b3871c44273091b84d01163159882c6509e49dea4f03b3016d5698117d29f4a5bb68da10003490702eeefabbe1cdc77fe31c50a17361d077017ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
6d7f2c04352d83b0179c29c06f132d1c

SHA1
79a9a269ddf3f574a489e52ca3aa4747171f051e

SHA256
b95d6a9763d7d968793af18be09b2ca4dddad7f30cc902f7bb863bc99de4e2ba

SHA512
3f756fa8eea5564666d158d57cac0368c67f81d2ede5f978042a2efe04480e8715c7e229f2f053c54eccaba904c5271ed6bcb32b52ad2d7a5261d2232c66f82b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

Filesize
6KB

MD5
94ddc6e4e1d69e624a89281c2ed528d7

SHA1
f2c188b5567c4c232a5f05943380f080f66c211d

SHA256
6b9dfc3fe1f585488c3a70fd98bc545f141a034b8d9652052c51d7a8e7303102

SHA512
47c013ad26fed5f41316173efa033660f22856a35335b93aaab58aaa76413fff177e0d49a6a6c03a8d41c85fb4e1f6b5648b78cf5abd98558d7de01bd8f6ede3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4

Filesize
880B

MD5
8f5ea76c0c8c044811e967e5a41eaef7

SHA1
b5590ce8f7a0e0330e1b1567d853307ac1ffb8c9

SHA256
9c42fdace44c2060cc3479985b933c4bf4a0dee97ed3c38faf9b458e69fb9844

SHA512
271d9d762233f2b119e3d818de608b49fc28aaa8dd1e23241a3bc481803f98ed05c0776912113f4726bfe76b121ef1420583234023022e6f7c78a97f6ffbf8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0d0013d9708d9fef539adc917f5b87f6

SHA1
5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

SHA256
f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

SHA512
851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Download Submit
memory/4620-0-0x00007FF6528D0000-0x00007FF6538D0000-memory.dmp

Filesize
16.0MB

Download