Resubmissions

27/10/2024, 23:24

241027-3d31zsvele 7

27/10/2024, 22:52

241027-2txcpsvfkk 8

27/10/2024, 22:45

241027-2pv9vavamh 8

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:45

General

  • Target

    $PLUGINSDIR/WinShell.dll

  • Size

    3KB

  • MD5

    1cc7c37b7e0c8cd8bf04b6cc283e1e56

  • SHA1

    0b9519763be6625bd5abce175dcc59c96d100d4c

  • SHA256

    9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

  • SHA512

    7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 612
        3⤵
        • Program crash
        PID:4064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4612 -ip 4612
    1⤵
      PID:2596
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Subvert Trust Controls: Mark-of-the-Web Bypass
          • Checks processor information in registry
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6dfcf3-c0cc-45d9-855c-183e29fa8d83} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" gpu
            3⤵
              PID:2344
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a397f5b-4380-446c-a047-c79febc92e00} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" socket
              3⤵
                PID:1112
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2756 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f694f25f-a1fb-4302-848d-bd43076dbf32} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                3⤵
                  PID:3596
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {810e154d-15bb-489b-917d-3bcdf3a3fc30} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                  3⤵
                    PID:4288
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f5bf739-3613-43dc-8bb0-21426e810eda} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" utility
                    3⤵
                    • Checks processor information in registry
                    PID:5188
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 3224 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d1c09d-4a61-4773-8cf4-97bc022db62f} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                    3⤵
                      PID:6116
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b5e4ae-d615-4b7a-af2f-c5ca560100ae} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                      3⤵
                        PID:6128
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef7e6654-8ea4-4752-aa0e-508cfcd0d6fa} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                        3⤵
                          PID:6140
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6036 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 6032 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28c9512a-8071-4e7d-87f2-928a1c0d6b2a} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
                          3⤵
                            PID:5336
                          • C:\Users\Admin\Downloads\Wave-Setup.exe
                            "C:\Users\Admin\Downloads\Wave-Setup.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5776
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Wave.exe" /FO csv | "C:\Windows\system32\find.exe" "Wave.exe"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:6052
                              • C:\Windows\SysWOW64\tasklist.exe
                                tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Wave.exe" /FO csv
                                5⤵
                                • Enumerates processes with tasklist
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:6112
                              • C:\Windows\SysWOW64\find.exe
                                "C:\Windows\system32\find.exe" "Wave.exe"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:6136

Network

MITRE ATT&CK Enterprise v15

Downloads
