Analysis
-
max time kernel
295s -
max time network
290s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 20:01
Errors
General
-
Target
bin/NativeTrainer.dll
-
Size
211KB
-
MD5
e107b94ae23ec9a56bfa1faaf7118e85
-
SHA1
191d9a3a09ee0cfc0754226988c0373a5f074068
-
SHA256
f2302573ced45cdaaf190f332deeafd3f32e179d7e9102d939608a9ab774b3cf
-
SHA512
86720525ebfa76628a4540a0344de29cf7135ed89dc0c38665fcc2d9ea83c0a2b9341f7d8945e54083317e2dbbb120c68afeb4a7cbbe182db5711c3638d04e90
-
SSDEEP
3072:UPjp1DjzsOn9DTtDs5hmmFlPV1GuV1YTrsof+/3YFoYr6SXvfVd5u:UbbD/PFTK3mydcuDa40iYr6SXTo
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\NativeTrainer.dll,#11⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b75b2132-4c5c-4d5b-b9fe-7f6d966b22f5} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3770fb8e-5caa-42ba-8969-a74964b52c17} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 3028 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d6ce580-2956-4f9a-a986-4edf9305bb33} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -childID 2 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c150a7a-17e3-4a1e-b31c-3bd3e4725478} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4932 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9619e645-a3c3-4d3b-bcb1-37bef2a9f2b2} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5372 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea4418a-1c6c-467b-bfc7-ba525e485906} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7a863b2-a18e-433a-b11e-a4d67143cf9a} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {245c23fb-1535-47f3-bea7-536b6d2957d6} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6180 -prefMapHandle 6176 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d63dda9-1d6d-49ff-85d0-c508d56edcac} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 7 -isForBrowser -prefsHandle 6068 -prefMapHandle 3680 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6362a4d7-5139-4a4b-9768-4e8991b49157} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 8 -isForBrowser -prefsHandle 5428 -prefMapHandle 5492 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd7e7259-b116-4fe9-b488-dd55d51cb94d} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -childID 9 -isForBrowser -prefsHandle 4528 -prefMapHandle 4488 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8a0d27-4f45-4b9e-bc50-b8c1b5b5cd29} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Rutherfordium.exe-main\Rutherfordium.exe-main\Rutherfordium\Rutherfordium.exe"C:\Users\Admin\Downloads\Rutherfordium.exe-main\Rutherfordium.exe-main\Rutherfordium\Rutherfordium.exe"1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mountvol a: /d2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mountvol.exemountvol a: /d3⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mountvol b: /d2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mountvol.exemountvol b: /d3⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mountvol c: /d2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mountvol.exemountvol c: /d3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x464 0x41c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD50eafa5c60325fee64daa16e6b6450ebc
SHA1a150c867076a90797085cc2db98ec75a1b787dbe
SHA2567751be4c2b9a278709b35697f00ca7427cca2889e3a0f4ae45383fb81053e40f
SHA51242bb1b1ce33b7baa2bfbefdd57755b6c196bb05fed8b938a29b50c34813ac1e92ed61b483da4ffbe775f8396abffe1a7dbd8204845bb7733bf0a2431dca8bd70
-
Filesize
105KB
MD5cb291011f13eef57a56aac297202e2e8
SHA18d28624bd50bbd5b13530c9f2d95503830520f06
SHA2566556535f94a7d59ea14b8547a42d2d7c4b6c57401ae10b0fd93fa6e51311725e
SHA512b413900a97e18826fdcc4a9c28505adf350297e6f0cae6105e54d2ed381eda26fb97396216ce905e0211195862c4bd44fcd774a85dd02af17d8d41d7feb9569b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD57638015ce9114eaebad53b849afca18a
SHA1da1e348a6f725ed922c059ad77c69441725597a9
SHA256f933d96397f80b26bd8df4a3800d5f017e490084e2b1b248345eacc7ee18b796
SHA5126ea3a82fb15d069911cb0340ab98de00182d56c80d3718ea9f41b80282b831c9bd7de47b055f26d211933b82fbaa9c910be67f498288a083fff6da499ecca3e0
-
Filesize
18KB
MD5251fdca1d64167fa4e08d5f40a3674b5
SHA1b0df89d313af3f99bf55430eb7547905a064b209
SHA2564947e2c3d1c8eacf0dac1d9965363c73cf838b5984e884fe5243930e1b08ebf1
SHA512c3d3446d4fc58ab45530308b528a5101524895be133b2cfab0ccd5fcb31a1c93987f4ed22f5e85e06ce607305a2bbb25472685fea83d61cf48b525e2e90ef1b9
-
Filesize
65KB
MD50163ca541a92c5cba1be6817c1fa55a5
SHA1939bb1617b4a7141c815f971f1bbbd57dbd8fef3
SHA2566d1043ee10344521ada49c3632d0b83a8d27ac7943bd58d4a75a5ac6d71710e5
SHA5126c003736d677218fd29da440c9ff30f40f3bbf4fb234a2558cba4bae50ff7e38727568c01a308b72ca351838bbf8d6003887532c6d7f5c7d3d9b34899e0b6448
-
Filesize
5KB
MD5441e18a19fd6d94cadd61494d767f002
SHA1301f185113186a1eae391acff16bcd98b98a7607
SHA256a5a44b23f6cd80c0138cb3dc784cd6219cb5d47d183356161c9463c5ae2f59b7
SHA512c8951abe74615ff1840a9f5c395699399370e9f3a3bc199a7b13ea55ae7f2ab2752c56d30e0474357e7976472767424417a39a6af1db0fe0cae820d9dc579d30
-
Filesize
27KB
MD577a733c569d76f753f43448184999fca
SHA124753a095273852e4d1bf12a073c1be55362c741
SHA2567d9b91940a15c2c9c5148ebb4483f1c71c1e84bc0e66739f70ea45cf7afbe599
SHA5124047823a0036dbc2192dc360d978305de253d7da9502b32c77471ade02b28bcb36be92e173379fa9a0fe4851554d3d94a85b4700139d96461151804da8a70280
-
Filesize
671B
MD57fedc653f2d8f80bfd346f028b7767a2
SHA1a43fd708670a9e7c0b6751fc05b3770be0a5c628
SHA25666876c23188145e57e7eefee14b8f6d73bad166c97147131fa4696a3e3d44c00
SHA51222125c58afec050f2af1ec851e71ffda92b3859cf742bd8fee5166df81341b416ff9bc5777cddf005e0bf6d619de05fb38ed28f70870fb973527c43a27e25af9
-
Filesize
982B
MD5d5346986669d6a4fb0a6f36fa9c19857
SHA1965d1ca8962e53600c0af175c3ac57d325d2606b
SHA2567ce3b2949024e10796c8f791308b0e289431b4c3bd01db594c5f8edc681b66d6
SHA512d95a35581eff405c4148546013af626d648d1a82420d59fad1fa355d52f6a3d12fa0b255956c248bc39d34b687a27db0ad6bda84a7205ab7da72314658b69381
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD56016f965fbfe3c32c86262e4a6b2529c
SHA101ec7527a335b1be463d5435965267ac56e5e992
SHA256bd7f5bee305b65d5bd3ae2d91917d61a9c8409efae82537797f0f098cdb04a5b
SHA5127c0bbcac09d18b2017d32e11efb40bf56b3e8fb739c5dad7a0296eb45970cf2e41880adf54241277633e76d2d0770996dad914d56dea3a17bee3151b87f1bd5e
-
Filesize
11KB
MD53058f886a15931e9d2bf13937cdd4686
SHA1cca67d198637556f61f14331923abff0bee7a896
SHA256c3c25b4c1a72a95e0cc5bf8218a67edd2987ed8f9ae81b3511682fc2fbf8232e
SHA51210294897a3e19c313cd3b10b764a24a6a851ce740f744cc7ac87787fe12d39edb6d17c043be848e75fcf9ab0d9e8be9f1e3ef802c7fc92f6bc35c768377bef18
-
Filesize
10KB
MD545fd74cfae9c434c026ab11c62676c00
SHA1722de77bef76efefcdcf801965fbaf0aa4f8bdee
SHA256587bb95dd3c97012278210368c6628c014ac1c009bac60ecad27c582ce448d4f
SHA5121d71f71741b1809ae6899aecf8e13023980c5dfec06c6a928efa05d68aa9fa9649cbbbd0fca2bc25f10506440bfc3f252f8657a6de6d7b8b8976251aab06dd30
-
Filesize
8KB
MD5922c8cb7ef676d5e0a492e501ef29efc
SHA1a8035e6e2f03485463af5efc13bb95f35d6a3f26
SHA25614cbf9f17a89d49b1c0109477ad15d68d3ff7d91f2fa511412e4bc2e3c1c7ea8
SHA5127a2e29c4400c0553d89372e3c282b053ab75d3956a8c6a756eece370dfb467fd4cad96b0bd730e2df2f92de3fc9151048df2d307691038173efe0c34c8074d5a
-
Filesize
1KB
MD5b1b599fa586dc36b92648d5668c2ca51
SHA1bcb4f3bac50000bb3bd55844bb2bfdb9ae6a5dfa
SHA256da15713eae2469b0ede179ca67073692e034af62d1c78bbd57b790e2b966a164
SHA512731c3493dfae3d265f049744db7d678e071dd31e8c004218789a443ccadfda4265a0328f7eecd200d48ae2b7f6411d90acf3644f45c03194d4c595c012e35efb
-
Filesize
7KB
MD595822b60d8b8e5d361596ca6e0d2f3bb
SHA10435904f21a8fd6b265d123b277bd4f1bd166577
SHA2562d0bd4ecd7047891c1214af8ac18542b10d3b3dd83c6867f1e9c950ac2614069
SHA51202cf441d6b718ad83d80ad76402aee5c647a2d1c047f295c64444b24457fde7585f40a0a91fef9509433c2512919269cd7e4d8a1323b7caec1a9d55a6eb5a853
-
Filesize
4KB
MD5967eaefc7b15432abb118bcbb8ad5758
SHA1bdb5a91445623091b000d44950ce2bcaecc77c9a
SHA256f986a7e44613901683cf9d89c7e16dcb69b69a34f82870011342fcae5ec4aed2
SHA512733d40cf85ed6dfb6ec33d39233c811838f5a4f799a4005225e9f22e4d9fc07da6294cc685a0858e79e647cc983e22d0e1ace9d24d350beafc5ed80e2fa5b77a
-
Filesize
668KB
MD5d078268bfd50180e2f202222d43374d8
SHA15a1d76d6fb5d892565a8c106ddb5fbc37d028bad
SHA256859f7ff63811ac93eb9d8ed44893a52e216c03a6cd6dadc464c538894491d235
SHA512669074121ea0f492f1636b6aefa71cb767d547cca85087da41a0022a9346d6d73b3c48cb3ec537848c7dcc638fe5f2cba806b13f73d1f10641039cfa5727f104
-
Filesize
288KB