851fed5d7b5c0f331d61ff67eca02c3d0bc5214848bdaaa5f6069a86050792a4

Analysis

max time kernel
130s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
05/09/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox 21.3.7 Setup.exe
Size

163KB
MD5

34d62303e757aac3144ad3478619fdde
SHA1

a6fa411c5e8b1715568805ee7d09150d96ee8977
SHA256

851fed5d7b5c0f331d61ff67eca02c3d0bc5214848bdaaa5f6069a86050792a4
SHA512

248358ccdfd86cc56ca77edbe5aedfb656751d312dfff9598f1eb59fb4494ff07566011417808b94451064f0e323c3464142f1b03d337ca5a895c0d435b19da9
SSDEEP

3072:KOXpHv1O0vxki2FeTOc3wxdxU0G6ovH86bzEQPAoutufqX9GY:7pBapgTN3sa0GTf86zEQPAoSuCX9

Score

8^/10

discovery evasion upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
5080	papaj.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3552-0-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/3552-12-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox 21.3.7 Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	papaj.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4972	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	papaj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4516	3552	Firefox 21.3.7 Setup.exe	70
PID 3552 wrote to memory of 4516	3552	Firefox 21.3.7 Setup.exe	70
PID 3552 wrote to memory of 4516	3552	Firefox 21.3.7 Setup.exe	70
PID 4516 wrote to memory of 4972	4516	cmd.exe	73
PID 4516 wrote to memory of 4972	4516	cmd.exe	73
PID 4516 wrote to memory of 4972	4516	cmd.exe	73
PID 4516 wrote to memory of 5080	4516	cmd.exe	74
PID 4516 wrote to memory of 5080	4516	cmd.exe	74
PID 4516 wrote to memory of 5080	4516	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe
    papaj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd

Filesize
310B

MD5
141b39729c97b1601a94b88ec4541758

SHA1
88d3c8d1175c93f0489a7614e1ce55e64fc25b49

SHA256
fdc9c6ded6792bc9f158f0638fda6f44da8e625553adeada223d8abd7ce0b663

SHA512
8e9da5ab576837a3c409bda6e08f43c375af8dfaf486859e2604e48e621acaa09dadf2b9f393b5dea9d17a7dde5d36052667b2a7e10f270944c10a69394e9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe

Filesize
88KB

MD5
107ae8b0226ca50a2a39c9eb1b4a31c1

SHA1
515e99757bf9fe05b8d840238651a1c0ba8ee577

SHA256
99d80c79b645feff55265bc82c1c31589209fe8df93c311afa58a6845e337312

SHA512
723844497c7a5dda33548b1a9800816e7ebbe050f9db0a5d5d061d1f2d7ee16861856c06a35d859fb1f408a8d84fd1482e28187ac5cf6b51fa5a5de28b89ebf2

Download Submit
memory/3552-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3552-12-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download