Analysis
-
max time kernel
129s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14/10/2024, 00:16
General
-
Target
file.exe
-
Size
898KB
-
MD5
d29616a63cc243d71d01c45a8c366bf1
-
SHA1
6870b92acb2d8849422cd18bb60a79135c7d17b9
-
SHA256
301dc00582a54384072627f1ce837d6ce3059d4d10a71b2f53cd478933f4bd3f
-
SHA512
6031fd857eed359dff5a52ec071b8afb524d61d420244abecd647745a20491e84eacec79ec3fc9e2c6c5188c336a867cdeb34fa2484d16b5939e1860f2879071
-
SSDEEP
12288:6qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T9:6qDEvCTbMWu7rQYlBQcBiT6rprG8ab9
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69a3c73e-8c4b-40c0-bc70-7e21c65adb2e} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dba5a43-e774-4279-9380-377f283b28e3} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 1500 -prefMapHandle 1424 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91768f6f-995b-45a4-b571-ee3d09de24b4} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 2784 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43073afc-dddb-4e56-a53e-56b89ce1a0ed} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4872 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08263f18-372c-4e42-bb21-f0a4d89a5c42} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {999a350f-44fb-44e1-b115-04c5aa0fd098} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5528 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82096aa4-bc50-45b5-ba3d-0f15308ef7a3} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {242f5fed-cfff-4c0a-ba80-d603d2c68033} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD544cb77f323200dca4323eddb6596f663
SHA11b011fc294c5164db8f979ffeea2e54fdfeefba0
SHA2566b42b925fa7648884cf2da59e7c291819a60efbe3cbcc729a08dee9d4fde6b2a
SHA512b373a84063a87dc6ff812e651a167993a010bdddb6455fa91c94b87c50c7dd89cd0fc0b3b7b9b4de887ba87606419b61ba4f756f99f5752c6685175be80417d6
-
Filesize
13KB
MD521c9703b09676e31bc1925f01dfcf6fd
SHA1702842252a0bb31d14ec8e89926608e1dab21fd0
SHA2560689a3cd9c8c4140017a4faf9eb38964ddf7d791e68eafdc0b686e81bfdf9ccf
SHA512ff1470281aa26a27dcf09df620dbf024e94fba20101d1a90434add473c2717214d037fc5d87cb6e73325890645658471800ab27975a97a1394338c9b1bf1ed57
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD5312476179da9e50b3f219b8d83c7ca0a
SHA1ff10b3d355b377648fe7135fd53dce21847f0e97
SHA2567addce60fdf5323f28520f85a7497deb0323069e1b58f2fbe6f5c1bdbb97b21f
SHA51238c3ac0ea801ec6f344abebc78c81c9ee9c1802b1c4f895217c46d5a73e0937f5f1cb422ee2a183fd5aea44781871d1c702e49804b011a13b9b3e66f49326da6
-
Filesize
21KB
MD58c1fa7672bba351858b47ec1ea1131df
SHA1f89b0f3e83501e81420c0d736f5cf7de0bff90f7
SHA256adbcbcf34c3598558bccdc4ad2dd7247326a31fdea971e45d5c9f6037df87148
SHA512d34bd31eb70d87502f7a836f754dcbd04c8c4cc026221e870d79c91b906a42f15b055d101a0f12946c3b7c4b9274309f011cb67c8347ff15249b4d73acc4039c
-
Filesize
24KB
MD534a66fa9e94fbcd5e17bc2906de224e7
SHA14b6c30e53d947d4f729ee48aad0caee8d4e9fe30
SHA256d3b6bb70579448e4b6b471ec3076e08b61bf4a9023f57ebb5c53997d19954473
SHA51201fec591abc5adb2deb72060d628686d5c3a4f0dd6dc7726f565189497e1d8f8dc076dc3a7238a0e52a6f233d088448ffc791b379aaeef43cde1b3f324b7f1e6
-
Filesize
982B
MD572b4dbcc9633ec11a79a5932bdf6170c
SHA1be6cb726c5689c870c30d4595818a286b2f533a5
SHA256c198608a6d65e38a71eed2fcd5449bc9e8b14a90d8e0fed101f3e2ad7d9cd59c
SHA512391af07a9682f7c0d33c9e2bd5bdf89411b86ac2be9ac3cba9bca976992678b5928b187590d727a9253993a02830d07db541730207330f90fb87d68b3c57cfd7
-
Filesize
659B
MD531515f1c6737dea96a5714d148f95caa
SHA1c24f68e7a74db66bb245e7cb14c88626dd806fa2
SHA256eb1c9fb5655abcaa0a74627e71ca0dbf74a081ce63d3960f666bc3404f7139d1
SHA5126ebd88657c347d74b10fd84996a3621588ef5c48622626b1b2f28c79ddcec70367557f4ff6b266f2d2c83ddd8d9164a36fe461a792e9e1cd625ca922e154c780
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5629f5b27d3cecc0e4fa6919d36293be8
SHA19370ffef9b045d6338a4131614829bee97852dac
SHA25639ba153e148abebc6ee3f021e3b88bc39a257cdb93ab76603dfff34becaef34c
SHA5121d2c8bb8eee04c4ac5469021a049df1b6824b7dd78854d86e5eaf181a400dc59710842aa3b02abf79efee5ecfed67c4d659eb3a44f198df013a6a1bd2bbe498b
-
Filesize
16KB
MD5536e261b277c4c04b7c2669600abe69d
SHA18896cee93e708fffa54eb7309c23dcd25b4d29d4
SHA25679f3e9dc08e9823e38ac204c697c911296c29b7e30db7ef3b899e0f602626a51
SHA5125d1cd75f23a911ba943b789a80d27ba24c9e3ee57f1ee774a0c3cf71462d68ccf7e600e2f16978e362dcbf1cc20f76ceefc0e1fc908a27b0c98b1705ca035465
-
Filesize
2.2MB
MD5a70132533f119c7fc53bfc7f923ce964
SHA1b356e343a4a5057c5305ade13d5948a19bac1835
SHA2566ccfb4b1871a9d5de404a48957c70c4ea164aacbf83284faa32697737698d083
SHA512cfa738231470cf25ae5817fefede2195dddc4d22829e05eb28851554f5d8e56844cd6042a931c2acd871be99325a031e41087a0494cda4b250c1316642f27ce9