Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-09-2024 07:46
General
-
Target
API 6D Ball Valve spare parts Manufacturer.eml
-
Size
3.3MB
-
MD5
e8f5445af9994e467cdb8dd07f551507
-
SHA1
cefe110f17acc98cc93b8f23090664e0f51dc32f
-
SHA256
f67529b4fafb344499cb3543b5ca86ebfa8587b78661c5b984d82e26497a495a
-
SHA512
f4628e4e450ad32140d1ae2696f4ddf88a935666b30f5b4612044cb189498317d70aba2c8ff3f9b01e9ef85ed0b6714502874ee824b4951439657a1ee8caba8b
-
SSDEEP
49152:74DJmXm+AULKEarxsEWr6sQd4uWaPvNla:9
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 56 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\API 6D Ball Valve spare parts Manufacturer.eml"1⤵
- Modifies registry class
- NTFS ADS
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\API 6D Ball Valve spare parts Manufacturer.eml"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\API 6D Ball Valve spare parts Manufacturer.eml"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca1bb62e-03ee-4cf6-a381-fa6dc8ce30ad} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6ab1c63-ca12-425e-b056-c5f145dc70f8} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 3424 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efb525b9-700d-4b93-afa6-1e5c57a07855} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db81874e-90d1-4436-986e-2fe58e41dd30} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91b42aa0-435e-46c0-a2e0-252954a1c540} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4790addb-fa1f-4767-a613-4523c60fa351} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a580da-9a60-471b-86d9-a4e089131d81} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56686a78-f817-4779-a1da-f871ea40d87b} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" tab4⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\API 6D Ball Valve spare parts Manufacturer.eml"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\API 6D Ball Valve spare parts Manufacturer.eml"2⤵
- Checks processor information in registry
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD55913d78fb6cf326222dcfae7bba24903
SHA1a10270f1de72f8c9d00d12148f84e522f134aa72
SHA25669a2e23d98a2cdd57fe8982cc947633c2bfacf6cd3e419215aa1fa351bd39639
SHA5120bdf0f807bc8c4c688716a0b5641e813aa63de2e79ba0659c0ec803d5e484d0674226e9907f81d95bd476e6a621d14791d29bc96720cc32e07984896bcd459e6
-
Filesize
13KB
MD5587baf6aeb6766e0568549530d62dfe2
SHA132e4293336e45196b402503453a1328f0b49ff12
SHA256d7e74f93c47f844e529f3873f0c3be7fde38c6669035173b0241bb3580bd13a4
SHA512bde323ed18a57c25b2f85039f5b2d7fb5b4b8dcf31c8237066966fffa5e4acf3e93e231951730a61dcbc770be1ee28830f041acb2206a749f62bdadd311af2b9
-
Filesize
3.3MB
MD5e8f5445af9994e467cdb8dd07f551507
SHA1cefe110f17acc98cc93b8f23090664e0f51dc32f
SHA256f67529b4fafb344499cb3543b5ca86ebfa8587b78661c5b984d82e26497a495a
SHA512f4628e4e450ad32140d1ae2696f4ddf88a935666b30f5b4612044cb189498317d70aba2c8ff3f9b01e9ef85ed0b6714502874ee824b4951439657a1ee8caba8b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5097f9155033ef7e99b8946d26ae2a1a0
SHA11c4ed15c4439ed4ec5939eff6b5c977bb2849577
SHA256baeca1f502cb14be3b25c7e3ea9835530721f62611d1af1be10756d2f07f0a51
SHA512a2de51b27736cf5e8e6d1d8df081efd6d67a25a5883547c2ebb8d27226ea547038cea793f0198dc232ca106e9971ae2f3524d86271b525b63a70bd4fd3dba44c
-
Filesize
14KB
MD5e86dac4cf9462639fbbc7d8c86501726
SHA1166f7cd3f7ba255fe348feffe3c625e1653fb0cb
SHA256ceec28b9ab11c5ba4d5303a5495acf3e77e87f4ac55162fb6295063348208ad1
SHA51230bc62c6a05cdefab77c83ac7f7549a18446d8bc1c33f9a410d06a1edd25f01cb2e500fb400eb67f4b109d9b3386474729b0fbda230cb5927139399d59f1379a
-
Filesize
5KB
MD55515e65ded79f12c67d4c4923c9e488f
SHA1273efba11d6a4bf51b2cbf647640ebf47530b807
SHA2568df0a3a10dd408f737a78b92b3aceb69692ef33a2fefe2df8c7a0c3fe9a4cbab
SHA512cad31e9e04077801e9266d5380537aa510360869e57894b6227e75142eb6b3f2218c86170ba91da6151954364cccfe098ec23548372076c9ce84201466862bcf
-
Filesize
6KB
MD57fb1ad480c99afd3a921c9584977fd2f
SHA1d012598a8b745e40a2a0401b950df434d72cea46
SHA2567407e61eacff3c4db420108e3522f392957ca1579ae1ab9a3876c3e9f2615cff
SHA5121227d0f13a9aa2fe99fed8b1af744c0932afcfcde79e822f41fd0cd1561ad504f928afe4f8dd5355383dfc95c9b719db6e3dbc067c9e3a49f4b0fdbf9a336bfe
-
Filesize
6KB
MD59502ef622caa833118ccf67da8b6063b
SHA15f3c7d7acb9cf5e53c469d5c222f1c51f10648dd
SHA256899a851bbd89a2c1b80c7f3acb8c52a65815bcdaa133a0449d500a39a5d94c9a
SHA5124aa26090c6fb51cbe1c4bdfe151c83944e3e3cf0b8fa781be27e63add9aa18d8c0c5fdd044677ef26d53dc0aba671403973ac18bef831272b93da2d1a1eb9d80
-
Filesize
982B
MD5f48fbb85d0f3d4e781a9d396d45bb873
SHA1c109b1ad8312f6ad58d4df52e17be7dc41a461f8
SHA2568faf35f2bfbaa0d23c0fa8a3bcf3e4e593612c85affd3dd7a3db148f8deddbeb
SHA51294b08099122ebecf5af4965428f01bf61c3ef5c636bba21b3415bf1c3c25eb420b88d46b8f9f615d612715ea300a390d8d2a9bc5cfd0fc4eb3db0b45fe48dedf
-
Filesize
27KB
MD525bb3d15648a27745bb6a7016dd960f7
SHA1f959f6f4822de3a53a732837fe70cf4d3522d939
SHA2563c9ae0a3043c80f671f6534432d7dec4e33ee692169ea468a67744c870850e13
SHA5129efbee854107a812877466471f48a1c2d472d541d5c546ce95038cc9540ce9da9d1773c7594342b4ed19e8aab0bf63b79638b2af46b2f8da5e45fecfb2ac4177
-
Filesize
671B
MD50ef56debd64c8cd093c9fce9d6527e79
SHA12817246c9f3cd010351efeeeaa866f67011df29f
SHA2566289f5a8a89a323e4bb39ade69b00185b64877db781cb478e6a71e7456704746
SHA51294ce0b59cbe0b4adddf9401197e289b125c4910530b53df6b436c66a2dce7c65507c4da8b6fb642b58fcc3204f90fc65a4150cc6feeb57abe2ebc7ab7fbb1d87
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
14KB
MD5db9124145a904d3d53508dc86affb16a
SHA13b0ef348bac7e4b5b1b3ccc4ad20eadfc9435cc5
SHA256b789a77fc2ba8deed68c0bd7e03833de098e350d8c57b4ce4a1c13d24fe09f0e
SHA512f83bad4c72b7832df13fb8bbc70cbc4a4485e22dfef5a55c617207a6e485ee7f0114263e12539d46fc610e054665ccbc8bbd67846d46e6cab38ff77d75793e57
-
Filesize
11KB
MD567dd89e98fc40ea5427903efce090f66
SHA11b89244c8473e006795312b8bcfca328a2ed035f
SHA2564a3b53c40f5ba34be507a9e4f40e7ed8f9a18974fc17c6b8e091b0da942bd57c
SHA512284f004aeacff5143b02b0646af80fc27dd6e7223f16e2c523e4f2e065637c5de7f8f41410dfb3f5d76a59c9c6894cde1ce310285b2ae3ad29af2ab08f75ff0d
-
Filesize
13KB
MD5e401a62fb2dd5f40a10adcaf346e9b42
SHA15182c7d70ea5ddc578d6cd318b43d9f0bbad5374
SHA256080a8626cf139da44f101fe3f97cbd2f94cc20897e7bbd06034dfa2b98f8401d
SHA512816b3adec3d280c0df4c6a82ba9ec30ccb4cb089f46b0540a8ebb355bae49ba3ac102b6b99c3de89a6c6c3efa19b1411f00c528c67f4c484b4d4184735cc42cb
-
Filesize
11KB
MD5a66ca9cd5f3bc1a70998a1f0f2175467
SHA183a00a58f709d7409af3a724854c01e862dba7c3
SHA2561f10cf66ce960ca95a4524b60ea0a4831533fd932625be7e6a628e677591ba70
SHA51250b5894735fa52ca20c6435c58a0e26a4ca42266288886f9630e3ff43717e27e673f2e2067c97798248fba043697474ad2d4899a0eef538c4b543c3cd448b74d
-
Filesize
1KB
MD5a4725a702238c47f0644534d9ec356ee
SHA123dd20107f82a29871e175da76aaaf431aa62334
SHA25643353b25db29e73b472dee833da2345fb796147999de4bc789af2db5999fc72f
SHA512bd573580bb17abeb71091ae466bf4c4e39f4692fcc0ee6c3b583ca34a11ce2d644764d19330de87ac37c24cadc51aff419f58bd364fed3639428d66541dcea17
-
Filesize
1.4MB
MD5f3ca5f8ba87f2181f7c37d98e278265f
SHA1faf5cdd7814ba33a068aaa3960089f17936dfc6c
SHA2568a626e50fa63b6d6c4caaaf353867b53c898e9ab2ac008007b0c82eab20dcfd2
SHA512301339a7fdf2d367b6a339afd0118f59115c0cdecc7ca0da3dafedce11fbfd87373ac20e6d17cc45f535be7b11a642253e7f04c7aed63a28fbbdaf84311afb15
-
Filesize
2.2MB
MD570acb66416432d90e85b7f4524b30b2b
SHA1c67bd33955a4e5718d6f3f390a439a5676aaeba7
SHA2567082547db850b9673ee7e09306b0f5c45019a80f88c2fd630d3eda630560c014
SHA512543ca4355d7d72adcfa06318a81f3f00bced89a2a75e137d749c20dafd26aa6bda633510e435b2f93cb676c1b6016266829be3ba1cb50489293f783aa7829886