Analysis

max time kernel: 142s
max time network: 148s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 08:58

Static task: static1
Behavioral task: behavioral1
Sample: 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Resource: win7-20241010-en

General

Target: 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Size: 3.1MB
MD5: e9d77ca53bf0845644dd8b2a6a24f133
SHA1: 58700e47b86cf22ca0e0b96ffa10f64fb11f26c9
SHA256: 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15
SHA512: 1bbc659dcb319fcc71f2953a637e55fed2c7249e83bfd3f3ecf963a34482680906b1add3a422594d4912d9aa57d1748bac51ac64dfaa0d5638ef6fcc2d41435e
SSDEEP: 49152:jhcwdV83L1pRMSeKlxFW7uDiXYM1YcXf+:VPdVoL1pRMlKnc70iZ1h+
Malware Config

Extracted: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: lumma
C2:
- https://processhol.sbs/api
- https://p10tgrace.sbs/api
- https://peepburry828.sbs/api
- https://3xp3cts1aim.sbs/api
- https://p3ar11fter.sbs/api
Signatures

Amadey family
Lumma family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 6ad565fc08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 6ad565fc08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 6ad565fc08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 6ad565fc08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 6ad565fc08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 6ad565fc08.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f06e409da0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6ad565fc08.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a887e762bc.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a887e762bc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f06e409da0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6ad565fc08.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6ad565fc08.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a887e762bc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f06e409da0.exe
Executes dropped EXE 5 IoCs
pid | Process
2832 | skotes.exe
1616 | a887e762bc.exe
1904 | f06e409da0.exe
2356 | 6d60a05815.exe
2284 | 6ad565fc08.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | f06e409da0.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | 6ad565fc08.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | a887e762bc.exe

Loads dropped DLL 6 IoCs
pid | Process
2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
2832 | skotes.exe
2832 | skotes.exe
2832 | skotes.exe
2832 | skotes.exe
2832 | skotes.exe
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 6ad565fc08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 6ad565fc08.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6ad565fc08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006862001\\6ad565fc08.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\a887e762bc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006859001\\a887e762bc.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\f06e409da0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006860001\\f06e409da0.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6d60a05815.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006861001\\6d60a05815.exe" | skotes.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000600000001a071-106.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
2832 | skotes.exe
1616 | a887e762bc.exe
1904 | f06e409da0.exe
2284 | 6ad565fc08.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a887e762bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d60a05815.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f06e409da0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6ad565fc08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe

Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Kills process with taskkill 5 IoCs
pid | Process
1340 | taskkill.exe
1796 | taskkill.exe
2596 | taskkill.exe
316 | taskkill.exe
2696 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process
2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
2832 | skotes.exe
1616 | a887e762bc.exe
1904 | f06e409da0.exe
2356 | 6d60a05815.exe
2284 | 6ad565fc08.exe
2356 | 6d60a05815.exe
2284 | 6ad565fc08.exe
2284 | 6ad565fc08.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1340 | taskkill.exe
Token: SeDebugPrivilege | 1796 | taskkill.exe
Token: SeDebugPrivilege | 2596 | taskkill.exe
Token: SeDebugPrivilege | 316 | taskkill.exe
Token: SeDebugPrivilege | 2696 | taskkill.exe
Token: SeDebugPrivilege | 1576 | firefox.exe
Token: SeDebugPrivilege | 1576 | firefox.exe
Token: SeDebugPrivilege | 2284 | 6ad565fc08.exe

Suspicious use of FindShellTrayWindow 15 IoCs
pid | Process
2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
1576 | firefox.exe
1576 | firefox.exe
1576 | firefox.exe
1576 | firefox.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe

Suspicious use of SendNotifyMessage 13 IoCs
pid | Process
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
1576 | firefox.exe
1576 | firefox.exe
1576 | firefox.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe
2356 | 6d60a05815.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2420 wrote to memory of 2832 | 2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe | 31
PID 2420 wrote to memory of 2832 | 2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe | 31
PID 2420 wrote to memory of 2832 | 2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe | 31
PID 2420 wrote to memory of 2832 | 2420 | 9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe | 31
PID 2832 wrote to memory of 1616 | 2832 | skotes.exe | 33
PID 2832 wrote to memory of 1616 | 2832 | skotes.exe | 33
PID 2832 wrote to memory of 1616 | 2832 | skotes.exe | 33
PID 2832 wrote to memory of 1616 | 2832 | skotes.exe | 33
PID 2832 wrote to memory of 1904 | 2832 | skotes.exe | 34
PID 2832 wrote to memory of 1904 | 2832 | skotes.exe | 34
PID 2832 wrote to memory of 1904 | 2832 | skotes.exe | 34
PID 2832 wrote to memory of 1904 | 2832 | skotes.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | skotes.exe | 35
PID 2832 wrote to memory of 2356 | 2832 | skotes.exe | 35
PID 2832 wrote to memory of 2356 | 2832 | skotes.exe | 35
PID 2832 wrote to memory of 2356 | 2832 | skotes.exe | 35
PID 2356 wrote to memory of 1340 | 2356 | 6d60a05815.exe | 36
PID 2356 wrote to memory of 1340 | 2356 | 6d60a05815.exe | 36
PID 2356 wrote to memory of 1340 | 2356 | 6d60a05815.exe | 36
PID 2356 wrote to memory of 1340 | 2356 | 6d60a05815.exe | 36
PID 2356 wrote to memory of 1796 | 2356 | 6d60a05815.exe | 39
PID 2356 wrote to memory of 1796 | 2356 | 6d60a05815.exe | 39
PID 2356 wrote to memory of 1796 | 2356 | 6d60a05815.exe | 39
PID 2356 wrote to memory of 1796 | 2356 | 6d60a05815.exe | 39
PID 2356 wrote to memory of 2596 | 2356 | 6d60a05815.exe | 41
PID 2356 wrote to memory of 2596 | 2356 | 6d60a05815.exe | 41
PID 2356 wrote to memory of 2596 | 2356 | 6d60a05815.exe | 41
PID 2356 wrote to memory of 2596 | 2356 | 6d60a05815.exe | 41
PID 2356 wrote to memory of 316 | 2356 | 6d60a05815.exe | 43
PID 2356 wrote to memory of 316 | 2356 | 6d60a05815.exe | 43
PID 2356 wrote to memory of 316 | 2356 | 6d60a05815.exe | 43
PID 2356 wrote to memory of 316 | 2356 | 6d60a05815.exe | 43
PID 2356 wrote to memory of 2696 | 2356 | 6d60a05815.exe | 45
PID 2356 wrote to memory of 2696 | 2356 | 6d60a05815.exe | 45
PID 2356 wrote to memory of 2696 | 2356 | 6d60a05815.exe | 45
PID 2356 wrote to memory of 2696 | 2356 | 6d60a05815.exe | 45
PID 2356 wrote to memory of 2536 | 2356 | 6d60a05815.exe | 47
PID 2356 wrote to memory of 2536 | 2356 | 6d60a05815.exe | 47
PID 2356 wrote to memory of 2536 | 2356 | 6d60a05815.exe | 47
PID 2356 wrote to memory of 2536 | 2356 | 6d60a05815.exe | 47
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 2536 wrote to memory of 1576 | 2536 | firefox.exe | 48
PID 1576 wrote to memory of 2472 | 1576 | firefox.exe | 49
PID 1576 wrote to memory of 2472 | 1576 | firefox.exe | 49
PID 1576 wrote to memory of 2472 | 1576 | firefox.exe | 49
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
PID 1576 wrote to memory of 3016 | 1576 | firefox.exe | 50
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b28f484a66dfc0a5ab87cae9a7ce45e3a542c06227cfd28f0db4338f5bc3f15.exe"
    PID: 2420
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        PID: 2832
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1006859001\a887e762bc.exe"
            PID: 1616
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1006860001\f06e409da0.exe"
            PID: 1904
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1006861001\6d60a05815.exe"
            PID: 2356
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM firefox.exe /T
                PID: 1340
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM chrome.exe /T
                PID: 1796
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM msedge.exe /T
                PID: 2596
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM opera.exe /T
                PID: 316
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM brave.exe /T
                PID: 2696
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                PID: 2536
                - Suspicious use of WriteProcessMemory
                [5] C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    PID: 1576
                    - Checks processor information in registry
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.0.1108230453\1659720602" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4932d9d6-71b8-409d-924a-7e1f4c31aca6} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1292 129d5e58 gpu
                        PID: 2472

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.1.483383055\1741810868" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {771269cd-b1a9-4c7b-85bc-00b9fc858948} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1508 e73f58 socket
                        PID: 3016

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.2.585104784\1418956290" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {497bbb86-2679-458d-97e7-af7bd96846fc} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2128 1ada5a58 tab
                        PID: 1972

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.3.956079716\2000287388" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b820ace-6610-477f-b598-d7858b204ac1} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2916 e2ff58 tab
                        PID: 744

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.4.1870376561\1832764426" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3668 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06d8e657-1cab-4da5-bc24-753591ee88d3} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3688 1df48e58 tab
                        PID: 2848

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.5.188275203\355633664" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77eaea0-3158-4717-b66c-ed519738edab} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3780 20fac658 tab
                        PID: 2508

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.6.414557578\2081987089" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {369e32d9-6dc1-43ae-992c-ba24bc536b34} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3968 20fad858 tab
                        PID: 2360
        [3] C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1006862001\6ad565fc08.exe"
            PID: 2284
            - Modifies Windows Defender Real-time Protection settings
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Windows security modification
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads