Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21/11/2024, 10:33
General
-
Target
84ecd88b245e58f57ca29cd44cd2bc94ce0bae7dff92ce9bd9bf9b97f91f4158.exe
-
Size
898KB
-
MD5
9516a10a1f5ab3f62d09659ac994246b
-
SHA1
efd31c81e585603f89d6b069794eade8957d423e
-
SHA256
84ecd88b245e58f57ca29cd44cd2bc94ce0bae7dff92ce9bd9bf9b97f91f4158
-
SHA512
f4e9548c35c5317d2d32886685d0e4f0a35ddb3d290c269b6066bc8310e79fc9180b675b153ec5276a5873d0c61dca4ad03cb5f22a6e9872ae2730452111d670
-
SSDEEP
12288:YqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tl:YqDEvCTbMWu7rQYlBQcBiT6rprG8abl
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\84ecd88b245e58f57ca29cd44cd2bc94ce0bae7dff92ce9bd9bf9b97f91f4158.exe"C:\Users\Admin\AppData\Local\Temp\84ecd88b245e58f57ca29cd44cd2bc94ce0bae7dff92ce9bd9bf9b97f91f4158.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3eb52a7-caa9-4b2a-b1ec-d04b8f29b840} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b1b289-4949-4920-998d-f63f9455f2b5} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {023f75f6-67b2-436a-a17c-2a99f78da6db} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 2 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a68794b-1852-4339-90d2-488dce4f35a6} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4608 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d022a8e0-dc01-40d2-a6d0-33006957bf75} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15faf2d7-eb18-490e-aa75-9bbed29a7a1a} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1b9dffb-657c-4969-b7d9-3369d3fd3296} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1284dbd-fdb8-47d3-bda6-1685ebd7457c} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" tab4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD51c6794d7a1e9941dc20cb65e12a5ac84
SHA19aaaff57da7f70797048a68bb8fc86924c8cdbf4
SHA2569e79e011467c6e6f46a0b0b59d027118ca08eb9f883dfc47f4238c5f01ec4767
SHA512583f3d716759b527dc3fcf3dcc0adf28ba9f27dc14575eda8ea5a9b6686538a174bab602995b96ca4d79451bdc81b8025a277cd004ead751d701635cf2daf458
-
Filesize
13KB
MD567f18d3c0e69f9ebe465a04f8bc52cff
SHA1330010f925d739244d207bcb8f1b2f7a9eafdb1a
SHA256fd862f718be0697807162735a3aec2b2c5177c77ea3d192fc8dd195933dbb9b4
SHA512115850ff2ec02da6b3bbbc98115018400048f376a1590f9a74d388c52311799374e2e623b4bc118b3c8403b8bfeb6804a886d62cd585aa357af05d1e1026b035
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD56531c80e06468e3fb6e0495d77cd67c8
SHA13bbd27bacd496326add2caa1b308c909006329d4
SHA256e1450675628a28386782ba6ed864ff490ed00b3f65c74aaf6120973d6d91e4e8
SHA5126a440b3cd24cf584c36dd58f4ce99bdd4d89b3c435d4e6a54a67fde993b81b45cc60bdef6c805e497324dcdf8c64f6a77b265ebb920c96b7202320539798d0f1
-
Filesize
12KB
MD5763ce319a8fd30dffa0fd13ada55a440
SHA1749582e6a4fb13b37967a65cfa593cdcf520c258
SHA256929d5db29c8f78511c42187076173ad45bbc6d0eb464db1c1366eea2aef51fdc
SHA5120cce241d87a85c8dc4bbb3dc202a8c08e5380aecaf574fb5f8c0d207e952e4f3d5d04eff8f239672d13ceb355d4f567e069f5746b000c027de00da40409a97d0
-
Filesize
5KB
MD5032d8157f8bf462bd0e872d90f7f2c87
SHA15cf7175ad0ed74223ce9bbcc286d3a0a3800f1e8
SHA256c200f9289cd82dda434e6d45ea5704203dd7c4b6ae0a2acba1b47a1a73379840
SHA5122a53fb8cdacceb555da3ccac7541700a094fb7363083a6165dfb8d10cc2fce60a219bca80a2f3326b58e3678c9cd3c0c15abe0c843dc0046e2eb3ebfb88dd9fc
-
Filesize
3KB
MD5f86f53827679c682218f4dd75333e3ac
SHA1938aae748ae270a0dd17a375e4ee483627b7169d
SHA256a2127b21aa68c4896201fedc9d4bff14710badc1302a613d647d65ab9a3f3ed3
SHA512d8184873a85d796638caec1f846d9dfa20a00410c9acca57d25c5b47d230cdc1163cd015c909e28283e9f3403424eb7f8047ca4c9510e3845b28812c19dcc8b6
-
Filesize
15KB
MD54a745e0b0c795b9551a53bcb360f564f
SHA174d486d12227014a2a87e5b42dad7a629560a62c
SHA2561d1faa4491b6a00fa9e0dbad8344569cad9854dea1e4bbc162a3601182176488
SHA51267c3d98878eb6d026855f255e93b88c1b5910295eedc400a8220e579282d3e04937e3d3046bce61492248876aa7de6139678f99ba52a5665845eb8c7b14ff794
-
Filesize
15KB
MD5f3debe4efa8dc79beba6b761e9301b10
SHA1dd2fe08eed069a194a10760d7731f67c64e1e179
SHA2568ff88a401202e3565a06fd180a37abd812e0d4885a86274dfdae651ee958177e
SHA51258b71c7e45ec52382d430d4a29c45d927bd6f14c6e2d1b4ebf220807c04885b14ca0cad550b7b0a817dff4d795d2fa9f9717982edd3738b621636d72d363f252
-
Filesize
25KB
MD506286552ee1072cfb375a02de35bd770
SHA156b8cae9eb554dce46bc2ec9144f17d6e2d0274a
SHA256286b1ce6ec934c5bf3f71f886d244da9f069e08101c33c2dcdb09b42a1bef135
SHA51207146c72780c147bf297c5828b7e8e61af4f75301a734f6a242761bb09fa2fd514754cf484b1a5db94b67d910de629a591054feb2c0e67452ee161794e57e64d
-
Filesize
671B
MD54a77b5d0561484205734df72dc788ac5
SHA14f9baf1f0692559d98bd3cae98081d6cd43db8d7
SHA2561d53c5f2d84b271445c6dca3b579828fd29381b5c1e9eb80a04486cb3e39afb5
SHA512dcbcc4e9d7fdb46fd8678859f3d23b6152406c874abb6f862a132257d823826f2210733292741e987dc6a6011d98f6b8f6eb8c4f2eb22e6cdd7653640b172513
-
Filesize
982B
MD5a6ef1bae317d3dcfe1fb58dfde0bf234
SHA1f90b7e65038bb7680deef5e0acdb7fb6d8233e63
SHA2564384b35ae9589691aa774c52d9321c4a93fefae5d25c83f8a31f9ab927272b80
SHA512dc8c0ef6f2668ca9e4f195efc37be30f1d08bafec1433314d1d8e490fe94a0b730e2abbf4c26bda26ad6e78469f7428bd6236112885b4caa6871d6c6570d4273
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5405b27e21af37c2114c16ce1a25f4e4b
SHA14e944e1bd8c73fd2c7a6cfae04badaafc830d3ec
SHA256b09df18e28eca1004d9bed772f75e63b8ea417a6f940013e542f5cb9cf777ddc
SHA5122916cfed0b9c4a52b1891957456e11d964b907788dbd16f6c211419cc005c2738d6720f5616d564b3ed0ae732aa114b43fec342eca312d4b84e91222e29b1259
-
Filesize
10KB
MD58ca44a9eaea292d47549565a4636aec9
SHA1dce996897d57ed74e620a9f2e568e25d39c8d827
SHA256308f5ba7233d3b9342cff498fbd55f2114d20d1c7888ad728eda1224b0f4edfb
SHA51258f90411a9926cd825bf160f99deeba9032cb849ef4f487a5b6af8f6c847d2a233fddb4e6ed85c472be8ee97c29aa0b22037522b3b7859fa93a44671c37c34ae
-
Filesize
11KB
MD569789a1db1a96d532207c3b0a1a3a251
SHA1eb8aaba05c72f15afd0ef6418f2636313dab5fed
SHA2562e1f843da845a8d7962e08349def20b2a550581dce7a772d5e98166b15bd0866
SHA5122a97dc7a6afe4aab1888bb357b7480954011b98898e4138cd0902db3830d1636bc2b1fc2efd241bbdf66615ae8c6404b43227586d3058134ab1f91eac6c2b620
-
Filesize
10KB
MD542743dd04d99701cd750b1fe39d38d07
SHA1bf944cba1140003c3a4e12ea913e7e7f15c886fe
SHA256f310f2d8191e902b6bfa8fa1d4c9cfebacda44799aadbc536b97821a8518e8fe
SHA512c3b36ffafa981193185ae8b607eb481846257affbad111b14348b6bda446fdcdbfc56b548c1f4d29a09b345ed85ba7a19cec837c53e8ddfab2b35aff85852465
-
Filesize
840KB
MD53b18eeca3c74177c324c2157e854f33c
SHA12fc2e4828e8540cdd4042b0574f76a3056498807
SHA2569f9a8c6d91c9d394a46375bfe33e36b6af626fe0592b0514366a6beff1747e82
SHA512a2897145b26a3464d06a2dc6a1debf3c36768064473348cc8ffd79c9353dd0bab2218c092ebe812ffb2840b891bb01d0f2d925426bc4acc5122293feea1ddd27