Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06/09/2024, 12:09
General
-
Target
file.exe
-
Size
1.2MB
-
MD5
41fcd50f34127bc0d16bff8f4a78a431
-
SHA1
c1edd4a84647628fd2454f3aa007792355d8331a
-
SHA256
bca034c34a5686e1d7d79ff1978e4c904db5232c5d246cfda47e13a865d72ee0
-
SHA512
fb5dfcf5a743dfa8c4f444c4ffb46995d7dc23427287db4e235092022414dd9f57bc8b649b979bb4e4ea9801c8cbb5ecc3da5100929ed7bd6059bffb72c8f584
-
SSDEEP
24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8arnAb7B/KCIGhFal8:NTvC/MTQYxsWR7arnAPphI
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c3167b7-82e9-4a9a-8849-c53765664857} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7941348-c37a-45c4-a628-df688d328e7f} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 1 -isForBrowser -prefsHandle 1568 -prefMapHandle 1512 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e84f6846-d0d8-4e52-9473-9c3eb539bf0b} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6938588f-7de6-492d-aab6-df7f4afd4364} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4616 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0e1665-ca16-429e-8552-b801a3ce2ede} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5196 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21acf381-6759-4807-a676-375068d9878c} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5248 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f99a6171-834c-4540-bcd3-6e596e9f32a1} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c53036-380a-4a7e-a481-a3eede677d8a} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 6 -isForBrowser -prefsHandle 6268 -prefMapHandle 6188 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfc54142-53b3-4bbe-821c-a35d42612657} 3996 "\\.\pipe\gecko-crash-server-pipe.3996" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD59659332fbb46d0e08c875a4c1595c161
SHA118cb2e7aac17674d08c341cd7132fb8ee07a0425
SHA256b766291efbbc3522fda006ef7a465db7d0cbb4fb0e96d83b74ff39fd68de98e2
SHA5122186f5a20269fac9fcbcbf6237b6c6b024e58608042592e153b585ebbcd1a8ac96d8eaf400d5513fe25396caf9407728f63bfee4a5a721ba5fa81e319a0cc066
-
Filesize
13KB
MD5b915788a0440a19b09b5d5b53730652e
SHA195d8a4c435d1a8c937b3448f79e0c2cf5d1b9dfe
SHA2567372d1bbc50f5e236561078f6564449b8f63beb29ff87b419e2eb34622639fd8
SHA512b9254a6db693e173350b9074db53a704ae23b2b3226220988fdff0861793f0bc8dfa1b3348df2b6686ef8f239d6009d1441e57371d1da0e1e260effe8c782607
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5184d62ae64ca2f5a2d3517b4b080aef0
SHA1fc94c5690401047da815a7b025c0a33903e712b6
SHA2565bcc5f82849e0ad44199bdcf5693ab263098ef58b789c935feb63a351547570b
SHA51243721fa1fc43de67fdcc72e4cb48cde4604272703bc0472b6c463d20c6c99368a78dd296fbd9957d134b1ad308a8b70714bd50cdc335275b1ce37af786f60563
-
Filesize
8KB
MD5d1bab192cc17df87549f9b798c9e4b42
SHA1da86afb209d9748b3bfeeda3898be6ec297523d6
SHA2567bf94317fb56844e4776cdca3bfea435c11989d0bfcd13942bb810ccb5ebcb95
SHA51204d652f5bc355efd45596208f451cf523a19c1f202a79da620e5991226759657a4921888de90a05d225d0dc830e6611551911be736d134d3eb9d057d90bb6440
-
Filesize
12KB
MD5513ee20e7130c11e43149e6d5d64ab00
SHA1222c885c3a162985119340a402e4c126bb51fa42
SHA25667d0c489fe3f0e7ca51d192785acc8f757644f5e24215f32142bb1d521d5be08
SHA51272d99f142b7ac82b38ba70cb626b5893a5dd5bdc40bec9e08da3c43ddffe79b04794996110a945c66532cb8d3c5678d22de165c1a1627b916d67d56d72dffce4
-
Filesize
13KB
MD5ee44710d0b09969b75991052bcc072af
SHA105eb497f825a0ceb84071a123fedd7a5f13c7fb6
SHA2562f714fd31a8b1df72dfad1085981d67b16d1bf33557b76dbdc58a25235cb54a9
SHA5127fed8e689919500fa83178ca5f1bbb2a05a76e2e30d8c62ceb162165bc36ffba9e9e412fb72e1f5df084ab6d23f158a46bb3dea87bc7cb51f13c392d9ce84c57
-
Filesize
5KB
MD5ad7f2576eb5d591da3b74c49bd63bf54
SHA1c313ff344f5d82027cf6da31fedc86c5d70ca224
SHA256640c4f3f1f563721d528fe61c103748d3dd0b5407da8eee61dde6dcd1440b3dd
SHA512efffa9010f6d32ce82b5f9f5c887725633a081d23e296775a32fc6be2e8afaa9ef261b25f6b709c5b8a89e25f254986aa24b8c7c57c757789d943becb7ab6664
-
Filesize
16KB
MD556d67ef3b8159b423d9987e72bb3545e
SHA160ea731a88889ad0fc8639ca04ee14140a4360fe
SHA25698ca307fa370c1618c26d642eff86baa4155a9d25a09141d8694778e497a62a5
SHA512c018a36706a55845d4f91ecf7e8502f2dbd189b02ecf15f32dc8ac56fb633444e8291a8b2bd377f23e047c1340d3a2bd3c5285c0ebcb7b79774d20f5cc848de3
-
Filesize
982B
MD58b246e567bbca29c66075b6d3d3dfcce
SHA15466862a17d6116df9912791154d37261d537e1e
SHA256e40ac5a9e07237ef5b8e4e1553b319f1abf74586726dd30fb243bda17c9642f1
SHA512d95fdbfb320ea221c127c8c512784dfd9a452a6c29197f674633874e30e2c161c72a1e94fffe77b2626da8d2cf0c612ed169dcf66af768fbb11c3b6ecb001085
-
Filesize
28KB
MD5b752e9b89d2f704cbcdcdd95fa32b261
SHA14203012a6a3009872a74dcecd4e11632b36413be
SHA256b9a8962bcac94080acbd78900333166de06f3b9ab21eb4080c917fe67295a3db
SHA5122eb3f2864b622d2156a30363a523fdeb8536dadd44da52f744800d89750361af547100255ea939a4300521643d92e9935f7a501e615f261a616a0326d1ce25b5
-
Filesize
671B
MD584e23aa68970f820208579e1ddb5895a
SHA1d400c65aa35b64e5adaa7c9aae5fad4a621de870
SHA256bfa722c03ef9a492ffa8b8c24da14ffae3c21086ff4e5b4fe54ad9800f252e56
SHA51293cba65184dd02a3ded14e9c9ab483cdddefaad6cff2b9d32b26f6290b817f77b006e6dc44771f7a9456a95c54ff52229ef51372617d2aa857b34d0f3dacc15a
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD57953eff62146fca1fad0db0aaa634322
SHA14f61e7343a9a70d4485b248238e70ba36a2ced9a
SHA256c05fe109c5a16228c440d1dd5acb50b25a0f33dffda0bc35328a3e2f2425c6d7
SHA512af182ba1dbdc649eeeac592c5d5251b88330e3850d53da3432ec005347fd6bfa24962c2dabea3fabcd1fb899acaf43bc3af0f391bd31fe71038994914de939cd
-
Filesize
14KB
MD566b66734687d290e2704f77b34f49238
SHA1cd19aa9a6cda0861824291e5779ff8e5e01db2e5
SHA256d15959ced31444ab4c6be1357298888e33f12c6081adfc57376f0651725b1244
SHA5125a85eafb11ceecc0e42d3882b29edd6446f89298eb967bace9eb9e2e360ad3b6d9df0342c3bc4c278aa509a751cc85867711bf734a5924645f016c2f12ac3bc0
-
Filesize
11KB
MD5d71e4e6d0ddee56b5b127d8d10c17a29
SHA1e17f1235341fe7dd64fccb240b2ad29a630ca3b9
SHA25602d09c1dee3ede07ff27c68299067d8e16ce02d8110416b26c653095bc723f90
SHA512ad4e0e7f0e9d8a39be6d353db1bff88bfbc02d26784a0eb4cf3e8213202add406c8f01788e41c1b4380323821543c965d5bbec2cdd3f552128fa94cb79e559c4
-
Filesize
5KB
MD5f94b71ea21e188f86425485a593de66d
SHA1c45c45390fc1dcf21f15c67f28f64fc6d7bd1a55
SHA2568cf6c3d0e798f895c7654a79a01ca3541c6ff188c3c9481b7c3fb0c0988db003
SHA5126bd427649a53d7b0f5a6e8e963bd0c5576cfdb35f656b0090d98f882a12353589ecdca2edac476b20a03e3e3eabc8c352214f4f2bad78bd3df4b48acd1f6eab1
-
Filesize
376KB
MD5338ea86ead3bdc42f13d17d0619b999e
SHA1a4c8ca6f61301241b6b46be310dbcbca0a117d59
SHA256056b4d1953862455ac36ef76bc5269d837dfcf366aa99fced53976807131198c
SHA512aae9f2cb132e27e0673d87661fba902a816892cdaa225645a226cf0f7b15a1f19168c99f133daf096f15dd267a2eb7f248aa3f80adfefc914cce0c495e0982e6
-
Filesize
2.3MB
MD57aca9de80a15f3c866c01533aa5ce9cc
SHA1fc840dcfc75f1ec89bea97a2d2b1f892c4270cea
SHA256f0a681beb96d4b7a8b10b4e833a79fd3f5ce862a5b7ec05e75d0f542facb9709
SHA51244c76dd35edd092f800b9a0302aac8bd0a5c74a8fb9f2fd66a8837323143364653cfcd00694823c49816dc1e855d6a74a31a839351fb2b891e4eedc168a73cac
-
Filesize
2.9MB
MD5ef4a3a96c28113c3a8b2d56a76c756d6
SHA121c05e08292d9a19d82578791bedf2b1a7480916
SHA25672d5ec08fa7aa6fbc67ed3fd417bd6452686857b461150928b521298f296bc84
SHA512c166ed94e99d7c9a46620d0a61d2bd652225ed7e8c08344cea60a1253a09f45a22b0bc1be1c076a33072168fe17c1fcc5604a7adab58e64ff9e4fe3e3c0231ad