Analysis

max time kernel:   130s
max time network:  135s
platform:          windows10-1703_x64
resource:          win10-20240611-en
resource tags:     arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted:         05/09/2024, 02:08
General

Target:  Firefox 21.3.7 Setup.exe
Size:    163KB
MD5:     34d62303e757aac3144ad3478619fdde
SHA1:    a6fa411c5e8b1715568805ee7d09150d96ee8977
SHA256:  851fed5d7b5c0f331d61ff67eca02c3d0bc5214848bdaaa5f6069a86050792a4
SHA512:  248358ccdfd86cc56ca77edbe5aedfb656751d312dfff9598f1eb59fb4494ff07566011417808b94451064f0e323c3464142f1b03d337ca5a895c0d435b19da9
SSDEEP:  3072:KOXpHv1O0vxki2FeTOc3wxdxU0G6ovH86bzEQPAoutufqX9GY:7pBapgTN3sa0GTf86zEQPAoSuCX9
Malware Config
Signatures

Disables Task Manager via registry modification
  Performed by the reg.exe child (PID 4972) in the process tree below, which sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1. The value lives under HKCU, so no elevation is needed and the lockout applies only to the user who ran the sample; it is reverted by deleting the value or setting it back to 0.

Executes dropped EXE (1 IoC)
  pid    Process
  5080   papaj.exe

YARA rule match: upx (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3552-0-0x0000000000400000-0x0000000000449000-memory.dmp    upx
  behavioral1/memory/3552-12-0x0000000000400000-0x0000000000449000-memory.dmp   upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Firefox 21.3.7 Setup.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   papaj.exe

Modifies registry key (1 TTP, 1 IoC)
  pid    Process
  4972   reg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  5080   papaj.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid    Process                    procid_target
  PID 3552 wrote to memory of 4516    3552   Firefox 21.3.7 Setup.exe   70
  PID 3552 wrote to memory of 4516    3552   Firefox 21.3.7 Setup.exe   70
  PID 3552 wrote to memory of 4516    3552   Firefox 21.3.7 Setup.exe   70
  PID 4516 wrote to memory of 4972    4516   cmd.exe                    73
  PID 4516 wrote to memory of 4972    4516   cmd.exe                    73
  PID 4516 wrote to memory of 4972    4516   cmd.exe                    73
  PID 4516 wrote to memory of 5080    4516   cmd.exe                    74
  PID 4516 wrote to memory of 5080    4516   cmd.exe                    74
  PID 4516 wrote to memory of 5080    4516   cmd.exe                    74
  Each write is reported three times by the sandbox. All three target processes are direct children of the writer in the process tree below, and creating a child process writes into the new process's memory, so on its own this signature is not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe (PID 3552)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 4516)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe (PID 4972)
         Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
         - System Location Discovery: System Language Discovery
         - Modifies registry key

      3. C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe (PID 5080)
         Command line: papaj.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx

Note on the tree: the installer asks for C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, which is WoW64 file system redirection; the sample is therefore a 32-bit process, consistent with the arch:x86 resource tag and with the 0x00400000 image base in the UPX memory matches. The .cmd script and papaj.exe are both staged in the D205.tmp directory the installer created under the user's Temp folder, so the payload never needs elevation to run.
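The tree above is a short chain (installer, then cmd.exe running a dropped .cmd, then reg.exe and a dropped EXE), and the same shape is easy to pick out of process-creation telemetry. The following is an added Python example, not part of the sandbox report and not code from the sample: it reconstructs the report's four processes as events (pid, parent pid, image path, command line; a real feed would be Sysmon Event ID 1 or an EDR's process-creation stream), flags a `reg add` that sets DisableTaskMgr under Policies\System to 1 (tolerating reordered flags and `0x1`, and ignoring `reg query` or a `/d 0` re-enable), flags any child process whose image lives under a user's Temp directory, and prints the full parent chain for each hit. The event list is constructed from the report; the rule names are my own.

```python
"""Flag the Task Manager lockout and Temp-launched children in a process tree.

Added example; not part of the sandbox report. The event list below is
constructed from the report's process tree, with the same PIDs and command lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]     # None for the root (the submitted sample)
    image: str              # image path that actually executed
    cmdline: str            # command line as recorded


# Constructed from the report's process tree (not a sandbox export).
EVENTS = [
    ProcEvent(3552, None,
              r"C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe"'),
    ProcEvent(4516, 3552,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd" "'),
    ProcEvent(4972, 4516,
              r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(5080, 4516,
              r"C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe",
              "papaj.exe"),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def basename(path: str) -> str:
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_taskmgr_lockout(cmdline: str) -> bool:
    """True for `reg add ...\\Policies\\System /v DisableTaskMgr ... /d 1`.

    Flags may appear in any order and the data may be written as 1 or 0x1;
    `reg query` and `/d 0` (re-enabling Task Manager) are not lockouts.
    """
    c = cmdline.lower()
    if re.search(r"\breg(?:\.exe)?\s+add\b", c) is None:
        return False
    return ("\\policies\\system" in c
            and re.search(r"/v\s+disabletaskmgr\b", c) is not None
            and re.search(r"/d\s+(?:0x)?1\b", c) is not None)


def lineage(pid: int, events: List[ProcEvent] = EVENTS) -> List[str]:
    """Image basenames from the root down to `pid`; stops on a loop or a missing parent."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def findings(events: List[ProcEvent] = EVENTS) -> List[Tuple[int, str, List[str]]]:
    """(pid, rule, lineage) for every event that trips a rule."""
    out = []
    for e in events:
        chain = lineage(e.pid, events)
        if is_taskmgr_lockout(e.cmdline):
            out.append((e.pid, "disables_task_manager", chain))
        # The sandbox stages the submitted sample itself under Temp, so only
        # processes that have a recorded parent count as "launched from Temp".
        if e.ppid is not None and TEMP_MARKER in e.image.lower():
            out.append((e.pid, "executes_from_temp", chain))
    return out


if __name__ == "__main__":
    for pid, rule, chain in findings():
        print(f"{rule:<24} pid={pid:<6} {' -> '.join(chain)}")
```

Run against the constructed events it reports two hits: `disables_task_manager` for PID 4972 with lineage Firefox 21.3.7 Setup.exe -> cmd.exe -> reg.exe, and `executes_from_temp` for PID 5080 with lineage Firefox 21.3.7 Setup.exe -> cmd.exe -> papaj.exe. The lineage is the useful part for triage: a lone `reg add` from an admin console is routine, the same command two hops below something calling itself a browser installer is not.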
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize:  310B
  MD5:       141b39729c97b1601a94b88ec4541758
  SHA1:      88d3c8d1175c93f0489a7614e1ce55e64fc25b49
  SHA256:    fdc9c6ded6792bc9f158f0638fda6f44da8e625553adeada223d8abd7ce0b663
  SHA512:    8e9da5ab576837a3c409bda6e08f43c375af8dfaf486859e2604e48e621acaa09dadf2b9f393b5dea9d17a7dde5d36052667b2a7e10f270944c10a69394e9f32

File 2
  Filesize:  88KB
  MD5:       107ae8b0226ca50a2a39c9eb1b4a31c1
  SHA1:      515e99757bf9fe05b8d840238651a1c0ba8ee577
  SHA256:    99d80c79b645feff55265bc82c1c31589209fe8df93c311afa58a6845e337312
  SHA512:    723844497c7a5dda33548b1a9800816e7ebbe050f9db0a5d5d061d1f2d7ee16861856c06a35d859fb1f408a8d84fd1482e28187ac5cf6b51fa5a5de28b89ebf2