Overview

overview

10

Static

static

10

main.pyc

windows10-ltsc 2021-x64

3

Resubmissions

27-11-2024 18:23

241127-w1zhra1laj 10

27-11-2024 18:14

241127-wveamavjaw 10

Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    27-11-2024 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.pyc

  • Size

    7KB

  • MD5

    793684cf2df4fe2a45014975fbadb918

  • SHA1

    e96efa7ba483a6b6dc19275c6d18f246ac7ea174

  • SHA256

    1558e5e163919f9e6694ae160efa02f11fa781e6be90e2e8d8ca264b4519df81

  • SHA512

    824399d75293ad72190d7f95ca9ac9519b640c205c0edc60350e1842c1f1970c7af8020c07285e3cdd0e3440bee66d85a5a2b819f98c8d8f9fb9f17d4f8bfa08

  • SSDEEP

    192:w7cLAVWfVr2QD8VSWdXwD+sgoEkyJhwPf2nMdwm4nw:CV4VSSWuKE22aPm4w

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
    1⤵
    • Modifies registry class
    PID:4004
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4632
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1824 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {388cbb2f-3804-4d81-8185-d7d5763174b5} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" gpu
        3⤵
          PID:4132
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6c92d6-3b2e-4263-81eb-f7627bc2b706} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" socket
          3⤵
            PID:1760
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 2832 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27517da2-d0d5-457a-8144-588b644eb61e} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab
            3⤵
              PID:416
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=904 -childID 2 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191773c0-f41f-4a7e-8496-6882fe894b89} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab
              3⤵
                PID:1276
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4716 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91717f60-157d-4027-8278-4f6eaca50027} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" utility
                3⤵
                • Checks processor information in registry
                PID:2512
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4120 -childID 3 -isForBrowser -prefsHandle 2668 -prefMapHandle 1200 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f15603-6194-4657-87bd-30f71a4c7713} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab
                3⤵
                  PID:4672
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a744bc8-d2e6-4701-812f-a2e1b5f3f0eb} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab
                  3⤵
                    PID:640
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc25929-2f7c-4a8b-9a88-c45b87e79d79} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab
                    3⤵
                      PID:3868

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json
                  Filesize

                  19KB

                  MD5

                  04c1ab76664105ff7b94f10221ac3478

                  SHA1

                  3d0202b270950629a42b0e4ebe042ff5ae6b8805

                  SHA256

                  d8f23aeedb438788abbc109cfc91463fb74757ab2285200554db661305557c84

                  SHA512

                  dbfb390f30ac3c566e88db21ebb6d8cdf093a9727e5fe81759f0ea250e2a126476d0bdffe449f53a4029316d2edbdc29b2e12c60f40183e23f6049692a77b603

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  e192fbb8dfb4a87e9cb2d36b5288014d

                  SHA1

                  74140ea89079a9eceacb15dbe63c9c19748b4f8b

                  SHA256

                  b046c4eff31aad8cb3e66cd689ead972d8a9bfae320219656cdc674aa9f971e5

                  SHA512

                  ecb0c21c27cd8dc762eadda75fd5ecdfbd066e5ca14ae7c88453dd24b73418edd9f5814150a5a12219572937628ab1c5cf18b95869f496c9f054f5eb1e23d493

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  8934b811b1b788ffc368b39ca0e834fa

                  SHA1

                  1f4b6142d3d57f0b3d050637b3de9d7e49b86f8d

                  SHA256

                  5b28bab6a06539ae9f71200b826f8fc9c30d059f8c50226c2828c9f148f1c567

                  SHA512

                  d74568233d2eb3eb6f22f9911e9f6e72211e1fa0a985674eeab0dd7afb86824858257c1e93d9720afdc31cde3bf388d543b95e5bef077278be1a9b20b5e400d8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  0c56a8b0c6753d5fafae013d2e913511

                  SHA1

                  3162efda1950d5686c2f7f7250e2d13dbf88cd7c

                  SHA256

                  7cc01e48148fbfdd548071773ff5c847144f81f213cd309e1f3cf9b9d4ebee33

                  SHA512

                  1a004cd394db47b0f0d951fd4fed25e1ea3d91016eb4991e12b35896702fcf96044b5a8c4c806f5164959b9ff643ffbae13230f831e5d2700fd28be9088fb109

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  b61cd895b1701ef155df7f9cd55d3665

                  SHA1

                  1850e887363f3014be589014d2705b8880610224

                  SHA256

                  e88d3998e35bdbeef9c1b0b5405ae1063985e9397142e895f1a2976cbe64a611

                  SHA512

                  91810bfb285d44b1a18cd1456097e8662379e158464508028cd207bce3b963dff1b20c03c9556c1c32e2c331ae7657cab97c7c70130af51d9c073fef6fbad935

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  14KB

                  MD5

                  e59a6b6825992e7e5d9478a7dc8bb8eb

                  SHA1

                  f4a5dd1da33aeb6d32ff84725eef8b4d9eabd6cd

                  SHA256

                  ab263dbaee7524199577a92732b29433a8fa63e6b8f32bc53ecd7c4fe7c62f10

                  SHA512

                  0ca7c70c4ad11ea4c77509043544211db447172aaac76fb2884c7cf80d3b1874535c2d38e5fae80db0ddba70b4eef148eb8cb0c916b04eecda7f9ad8231389b5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  dee845ee076ff82e3a3f411394630d30

                  SHA1

                  8857abf59260a725b34e3c867ec7e01d5793115e

                  SHA256

                  28a92402140a5caa56120ef04ffd70e8168d13f906648beca4de065b75f085ad

                  SHA512

                  11fa4addceff651354495af6724efbe63ed23dc452503cbc614de8c17b6c8b31df8089944a3cfd9f4f9e62fa526d23686c9ab3831a502bc6b25283bb55a7db00

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\7fe1b546-3429-4cd4-9f3f-286fd2d143fd
                  Filesize

                  671B

                  MD5

                  509f3243b2811f05d14ab83be6a7e383

                  SHA1

                  58fdc9899d9c49e906fbb033e84e79d4e6c0a79a

                  SHA256

                  6a729dd50d903a624b5ce9658ef84e9c0a5b83e648da77ed17a79c83703c9d51

                  SHA512

                  f5bdf5321fcd246236af2a36354a6a2c026456c6125a73fc708f334ba61596f8b5d5aff98c7fe9f67848ff19aa8eeb097ed3615f5cc7872c6b0717918eb4e9c7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\8c46e030-6de1-4fb1-820e-74a6d5828463
                  Filesize

                  982B

                  MD5

                  99a689f1f3b527d205d0dc5f1cc6e1e9

                  SHA1

                  72749d03d081707660731e951d4a363c38e92af8

                  SHA256

                  e3fbd1c2466469da17a18449f42558dfb1fbd7863372ea47bfab4ba4a68dea32

                  SHA512

                  2c76a9440ae57872da3f0008924a41b8c6ee1de72dbe773673e3b2e4d6ae8c48591cc5f3e93444a2e4dda93ba775b147cf35866db5c102a77ebe9b3cb627c8ca

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\fb2911fb-5d3e-4db2-b285-e5a7ede9ffd9
                  Filesize

                  26KB

                  MD5

                  d1b639c65ebffbf835c67ae0203af4e9

                  SHA1

                  8b369af746179cc1f2b8a8060a7264db83922075

                  SHA256

                  cc7330879f48497a62eddb7d63f41c276204f38ed1febd0e717985579fef876c

                  SHA512

                  044316145f7c02c25469aa0407c8f906c70c2504f13884d0ba34541ba1c88250f4def8a372114d401d1a657f6a79b805357edf91dc73621cf581a8e4fdd6c56d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  e21b90022eaa7b6d64cb92594f831ed3

                  SHA1

                  8e79200ff3aeec8ac1ad9a0148decf7e06e34768

                  SHA256

                  8be83f3132aea7f62d5c1e7cfbdceade81d071fa3aea88bc0188f51d66fb230a

                  SHA512

                  40ba0fe649267678b3468b895f7c27d1fe8da28d287080fb5d6bc54ef3e3d0a7a40e27ea987d1551525382d742184a1fbd1bf50d3fa63cd294921ff2ebb5836c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  9c84c422102bc03585da0ee083287f75

                  SHA1

                  da7c868cd812f89945c55373ec330df8fea82aa5

                  SHA256

                  c23d8065d9e1a1a88758b8318ccb201af53c1790c125de56b3d539eb585abfaa

                  SHA512

                  62fc13ba7124b805a8c0b3251d0e8f5ce019943e9f2e96c29da133e8ed0a97433637d7095a1acd0738349b4882891a7829c5a841a3ff03b6a37ac6a7d21a3850

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  3eb776f0841cd4804ded7943dd5da11c

                  SHA1

                  bd5d5c9a7613e9925a705ab84bd70337cc57f943

                  SHA256

                  33b7dad048e530831eff74a121cec9c464dbec92dbf892dc2a76d32ba14128b5

                  SHA512

                  bbbb7ba385152e781317ce16da77079e378d7bfb2220152b0bcfbc18f11f9db76d2d79aeae6b9ee1d83b448e3aa2cdee8d06f37621823b06f369c449897fc918

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js
                  Filesize

                  11KB

                  MD5

                  2d21207d3245c63104310e6a0ab4b914

                  SHA1

                  7ef1b03ac0366ce3c9d8e44625f5130dcbc8d13a

                  SHA256

                  ccf3ca38307b013a0a188de5adaa1c65d42c4e45ff31212f12b415d842934c0e

                  SHA512

                  4154021d7a7f7b9ccb994ca42964c2cd69ac4c9d23f0a293c475038faa01adf4d3da91758cfc24c5c4b332e42207c351205bb682fb6b83275a7324b9bacff36f

                  Download Submit