Analysis

max time kernel: 769s
max time network: 781s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-11-2024 20:36

Static task: static1
Behavioral task: behavioral1
Sample: CuteVirusCollection
Resource: win11-20241007-en
Errors
General

Target: CuteVirusCollection
Size: 333KB
MD5: bc72b3b37984e3a5206bcfa16229ac4c
SHA1: f206c68165a2188cd7515dae7a7817b396a4473c
SHA256: 895c9cd797e4865711752484f0c0eea949e2e7bdddc01767433869fefff894c3
SHA512: 24c47c5ac0a2feb895d8cbe6d273a7665013425f8cf387e8222b785bb544f4b7a2d4e7ad248e85b7f54d05f92d6e09372171f515bd582065f8f1a21d88b63e85
SSDEEP: 6144:VTN0zpOL/saqkPV9FemLtcsDSsmwb9TvZJT3CqbMrhryf65NRPaCieMjAkvCJv1i:lN0zpOL/saqkPV9FemLtcsDSsmwb9Tvj
Malware Config
Signatures

Disables Task Manager via registry modification

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  Processes:
    pid 3732  000.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    File opened (read-only) by 000.exe: \??\B: \??\N: \??\S: \??\T: \??\U: \??\W: \??\Y: \??\M: \??\P: \??\R: \??\V: \??\Z: \??\A: \??\G: \??\H: \??\J: \??\K: \??\L: \??\Q: \??\X: \??\E: \??\I: \??\O:

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  Processes:
    flow 88  raw.githubusercontent.com
    flow 89  raw.githubusercontent.com
    flow 90  raw.githubusercontent.com
    flow 85  raw.githubusercontent.com

Modifies WinLogon (2 TTPs, 1 IoC)
  Processes:
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"  000.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper  000.exe

Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  Processes:
    File created  C:\Users\Admin\Downloads\000.exe:Zone.Identifier  firefox.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by WMIC.exe, 000.exe, cmd.exe, taskkill.exe, taskkill.exe, WMIC.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all entries from firefox.exe):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Kills process with taskkill (2 IoCs)
  Processes:
    pid 3600  taskkill.exe
    pid 1340  taskkill.exe

Modifies registry class (5 IoCs)
  Processes:
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile  000.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"  000.exe
    Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4249425805-3408538557-1766626484-1000\{75F5BCE7-59B1-44EB-8BA2-337A0586F5FD}  000.exe
    Key created  \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings  firefox.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon  000.exe

NTFS ADS (1 IoC)
  Processes:
    File created  C:\Users\Admin\Downloads\000.exe:Zone.Identifier  firefox.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, grouped by pid and process; repeated identical entries are counted):
    2240 firefox.exe: SeDebugPrivilege (5 entries)
    3600 taskkill.exe: SeDebugPrivilege
    3732 000.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (3 entries each)
    1340 taskkill.exe: SeDebugPrivilege
    1936 WMIC.exe (the full list appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, 33, 34, 35, 36
    988 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege

Suspicious use of FindShellTrayWindow (33 IoCs)
  Processes:
    pid 2240  firefox.exe (33 identical entries)

Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    pid 2240  firefox.exe (4 entries)
    pid 3732  000.exe (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (repeated identical entries are counted):
    PID 4052 (firefox.exe) wrote to memory of 2240, procid_target 84 (11 entries)
    PID 2240 (firefox.exe) wrote to memory of 4660, procid_target 85 (45 entries)
    PID 2240 (firefox.exe) wrote to memory of 2760, procid_target 86 (8 entries)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by parent/child depth)

C:\Windows\system32\cmd.exe (PID 3812)
  cmd /c C:\Users\Admin\AppData\Local\Temp\CuteVirusCollection

C:\Program Files\Mozilla Firefox\firefox.exe (PID 4052)
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID 2240)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4660)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1656 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {176d1e00-646e-4452-b1a8-943636ac21c4} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2760)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9017026f-faed-47ad-8178-2f281d9b8983} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" socket

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3624)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3164 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3999bd-c522-4324-9374-53727e2234fb} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2964)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e3b441-8f5a-4b25-b562-301f52652930} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2360)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4044 -prefMapHandle 4164 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c5db04-44f1-44ef-b740-733353642c1b} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" utility
      - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1236)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d8d9bfb-6bba-4754-9777-7770913fdef7} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 880)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8479d5a-3d1c-45a2-90e9-ff323d78cbed} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4964)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0afeb08-9a53-4705-8dd4-f902cd234ff6} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2448)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adc4295c-adb0-46f4-aadb-c653bc916869} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3384)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 7 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee15fa4d-fae2-4f2c-b0b4-0600c8ebcbec} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2316)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 8 -isForBrowser -prefsHandle 2772 -prefMapHandle 6576 -prefsLen 27401 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8d9980c-240f-4dae-9abc-01bcf0423bf5} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" tab

    C:\Users\Admin\Downloads\000.exe (PID 3732)
      "C:\Users\Admin\Downloads\000.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies WinLogon
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (PID 1560)
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\taskkill.exe (PID 3600)
          taskkill /f /im explorer.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\taskkill.exe (PID 1340)
          taskkill /f /im taskmgr.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1936)
          wmic useraccount where name='Admin' set FullName='UR NEXT'
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 988)
          wmic useraccount where name='Admin' rename 'UR NEXT'
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\shutdown.exe (PID 4212)
          shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe (PID 4812)
  "LogonUI.exe" /flags:0x4 /state0:0xa3a15855 /state1:0x41c64e6d
Network
MITRE ATT&CK Enterprise v15
Downloads