revengerat | 3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446

Analysis

max time kernel
79s
max time network
81s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-10-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
Size

1.4MB
MD5

5673c04d81969a6603184069b6846213
SHA1

49fdd9c69f1c281d94486029dfaa5108dfc168bf
SHA256

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446
SHA512

c381630f7c9c72ca538679bef37b9e966ec2f906bd5eb36a42069e3742ddd57bd958d867ede257edc3244e40fa3a6c65c10cddd07dddfd89cc2085eef13291cb
SSDEEP

24576:rq5TfcdHj4fmb9Ve9u2qTPIMeYyBMLlQjzCEzKJ9TtLzCwn1jAh0zQJ9TtDRli:rUTsamC9uxKjY5x1jAF5i

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

dmr_72.exe

pid process

2908 dmr_72.exe

pid	process
2908	dmr_72.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/4604-12-0x0000000000200000-0x00000000004FD000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4604-0-0x0000000000200000-0x00000000004FD000-memory.dmp	upx
behavioral1/memory/4604-12-0x0000000000200000-0x00000000004FD000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exetaskmgr.exe

pid	process
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

pid process

4604 3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

dmr_72.exefirefox.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2908	dmr_72.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	2172	firefox.exe
Token: SeDebugPrivilege	1348	taskmgr.exe
Token: SeSystemProfilePrivilege	1348	taskmgr.exe
Token: SeCreateGlobalPrivilege	1348	taskmgr.exe
Token: 33	1348	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1348	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exefirefox.exetaskmgr.exe

pid	process
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exefirefox.exetaskmgr.exe

pid	process
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2172	firefox.exe
2172	firefox.exe
2172	firefox.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe
1348	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dmr_72.exefirefox.exe

pid process

2908 dmr_72.exe
2908 dmr_72.exe
2172 firefox.exe

pid	process
2908	dmr_72.exe
2908	dmr_72.exe
2172	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4604 wrote to memory of 2908	4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe	dmr_72.exe
PID 4604 wrote to memory of 2908	4604	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe	dmr_72.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 1432 wrote to memory of 2172	1432	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3248	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3248	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 3760	2172	firefox.exe	firefox.exe
PID 2172 wrote to memory of 1488	2172	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
"C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54417509 -chipderedesign -a80c61fa351a416282afb39d6c109d6c - -BLUB2 -tnfjosgaytdatxhj -4604
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.0.1237409014\71667361" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9827846-ab45-4f4b-9bc4-928e07a4ae84} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 1812 207c60f8e58 gpu
    3⤵
    PID:3248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.1.1454392233\1785369258" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da59febc-b0e8-41ea-b958-d6d4970ab882} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 2168 207bb070a58 socket
    3⤵
    - Checks processor information in registry
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.2.623796676\1519840293" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2748 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca6adc52-e357-453f-a8a2-44134d7118b4} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 2752 207c6061b58 tab
    3⤵
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.3.874842602\231275194" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3336 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edbfdff6-5c3c-4c8f-b385-b4ed3f7b0d11} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 3500 207bb061c58 tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.4.945998174\322007660" -childID 3 -isForBrowser -prefsHandle 3808 -prefMapHandle 3804 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2cc2de-00ab-4976-83e6-e8db68b91704} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 3820 207cb69f858 tab
    3⤵
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.5.765948719\379189537" -childID 4 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64592aa-75d4-4554-a2e5-60f884ffa3bd} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 4764 207cc72bf58 tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.6.153192245\1028952975" -childID 5 -isForBrowser -prefsHandle 4984 -prefMapHandle 4988 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ecab528-5268-4fb8-98fd-00a383aaba27} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 4976 207ccf30558 tab
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2172.7.68180470\774596715" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5ac393c-34b8-43c3-aaa6-437f4c4b2cbb} 2172 "\\.\pipe\gecko-crash-server-pipe.2172" 5244 207ccf2e758 tab
    3⤵
    PID:2836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
508KB

MD5
da9e9a98a7cf8da14f9e3c9973328fb7

SHA1
42e37cbfa37877d247ebd37d9553cb6224d6bee6

SHA256
c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063

SHA512
ce98f1984a3db301df7c1078dc6014fc1a03a1643c5635ef59775ee8019fbae4e07c16e99ec3d1998f45947d57493ada96e5116c359a590b14573833eec17343

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\tnfjosgaytdatxhj.dat

Filesize
161B

MD5
c800879c1c73dbbb198fc42669646aa7

SHA1
ab63307099961d43ebb2b64809b7f39d030bab7b

SHA256
4c4dd62b579e43dc1c4cf859299df3023409492281f173bc5c3d2cc00bb782d7

SHA512
0bc20e0c61f46a6c8eb0d8c276edc1f1901ac2f2800199d78490ba0b3c096e4cbf08a175ee19f663d7c13d56e7b6852f32478ea6c85f7829f6fd2880023213df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
25f315f50c977cef37903ad006916bf4

SHA1
932f58cb31fc3e56eeb4929b171f5c36ff756d99

SHA256
1746bf3a2f972faeb620dec7de8dda0bac6c894277febe547898110e31e3e3fc

SHA512
248d5304ad11bc6b1e039a1e39c97bd5ab2c0f70888cd50cd1a80c29b4314f7343059f50d1282cd22d12e16c84457420544d8f48ee5b9f2e6065ae36c01fbfaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8e3efc11-2961-440c-ab13-583c1fd2abb4

Filesize
12KB

MD5
17639e74866ea23c38e6e8e8ce84cdf1

SHA1
b470b5c0cbd583680462bb262e7534b7958605a5

SHA256
8c935ff0f9b39c84eb55c984ec6c707f17d76a307575fd7a71ef02a5a2edd255

SHA512
eeae999504ce8f5363c56db5001b7249344b399cc79b1bfa3e21517f642c34921e736f8bf5d66c795629173d2eeb1d967cf78a5b0743111032135519ef9e03c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\ad7ecd71-9a29-4801-9f02-83e252601a70

Filesize
746B

MD5
1063cdec421591f26dc2c24b5a8167a3

SHA1
a54480b11bf004e6c48d9ea99b00677084006a90

SHA256
92deb1dc9cc1df89ce533b43e11c4ce820c397de926bee7e0c65a47c44ae4255

SHA512
916f5b0a81d723e3e784f3b8d1eeface16787a2b15b084f01192e9c1a5be9f9e519bdee9cdd920f6ad690be393214c9367321b6a8575658dcdf048b89d7469a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
67644700cff13369d5e7f18daefdeb77

SHA1
1c7e884168fe2c398ed9a8d52150f2c68499a3bb

SHA256
e8d287348873f7cc510439311d8000f9683c95f7df24e89ce2faf17658cca70f

SHA512
e417f01827eb2014a9c3a5747bcd5ebd8e59f965ce94273a3d81dced01c20be9af18f5a4dc227116ad2f8a51b29d960380c9f31d1d2426843d21286573238aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
28171099bb43d76ffa3d3a77761738ff

SHA1
b7e85bc3cdca063bf5846ce6df338d1d33e74429

SHA256
4a1630ad63c68be82a0322cda0d2deed02b0b61efe15294b7bc38c4132096e24

SHA512
96cca146464f501f5cb1668aaa649f77c148fbc2cf9eb85fc72cbc12086c84f4e7caf70ed7872bc67bc23cecf5fddbd8024a022598aeb263f69172085e866856

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4

Filesize
914B

MD5
2da417542f3d12ce82d934f739b051fe

SHA1
9be73041401062453083c1c97b89b0f75ffbbddc

SHA256
f9faff1fec85d5c599a1b59385fb8fe34d9f40d35c03a83dc13b75f46d14c12f

SHA512
eeee08f19f6a75337432a4c0c266f9cd2a79f4a8caa857e3ed9ff1424bf3f36e8a455336c1ed8ac83dad71baf198292ad5f5d80ed5f05578f3a530d90a424255

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3018d1aad8385b734068dbad441e344e

SHA1
2a3925bc92ec843db64b6db2cd6fe18ccf084a86

SHA256
f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88

SHA512
7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0

Download Submit
memory/2908-14-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-11-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-10-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-8-0x0000000000F10000-0x0000000000F94000-memory.dmp

Filesize
528KB

Download
memory/2908-7-0x00007FFDF4DD3000-0x00007FFDF4DD4000-memory.dmp

Filesize
4KB

Download
memory/4604-12-0x0000000000200000-0x00000000004FD000-memory.dmp

Filesize
3.0MB

Download
memory/4604-0-0x0000000000200000-0x00000000004FD000-memory.dmp

Filesize
3.0MB

Download