Resubmissions

01-12-2024 17:26

241201-vzv89sxjf1 10

Analysis

  • max time kernel
    78s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-12-2024 17:26

General

  • Target

    MoonStealer-main/main.py

  • Size

    48KB

  • MD5

    ce6bbfc8f624a0590495fce46648d3f7

  • SHA1

    182880bb1eccc344455228afe6eabc28b0d25875

  • SHA256

    f4c4c2476408c644b2aebf613d42ef361e2a5630c7a62c505bf4c319aace6293

  • SHA512

    2cb207f86bd64ae448e26d456a9970bec46d7e196209983a9e1c822136248b6c4795bad4b58809d4cf1a74bdd46d5e7ff56b0c2933e5a94dffd7e414284ea58f

  • SSDEEP

    768:gDaj4Pvv8PZmsyhTuVJ7AWyykW2WMWLWLWLWQW7WP2uL12oqcW7WFufQtRPPWMCd:yaj4Pvv8PjyhCV1T2aRtufK8MK

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
    1⤵
    • Modifies registry class
    PID:2624
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f91271-73a4-4c8c-8e53-ef068c939f64} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" gpu
          4⤵
          PID:4608
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6eb5ff5-02b1-436a-aa67-522608151b77} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" socket
          4⤵
          PID:4352
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3000 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c3d907-86b5-40d9-9625-25b3f3662b64} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
          4⤵
          PID:4824
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5946be18-eadc-4268-9aa8-6558d2aa1c50} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
          4⤵
          PID:4528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8db9ace-6760-47a7-afae-b9893a86fd99} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" utility
          4⤵
          • Checks processor information in registry
          PID:5424
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5308 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fada8118-ba1b-4d43-8bbf-85704512a551} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
          4⤵
          PID:5992
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5488 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {972a854f-b26f-45f7-b93d-becb3b2b213e} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
          4⤵
          PID:6016
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78f9bd2a-d00c-4b57-9931-710bd10ae280} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" tab
          4⤵
          PID:6028

Network

MITRE ATT&CK Enterprise v15

Downloads
