Analysis
max time kernel: 143s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24/03/2025, 07:53
Static task: static1
Behavioral task: behavioral1
Sample: 155557f5e69e2cf0af05029b9c80d4a1.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 155557f5e69e2cf0af05029b9c80d4a1.exe
Resource: win10v2004-20250313-en
General
Target: 155557f5e69e2cf0af05029b9c80d4a1.exe
Size: 1.8MB
MD5: 155557f5e69e2cf0af05029b9c80d4a1
SHA1: e53704de709ccbddc75a3f2e3b854fc3a0d99c74
SHA256: 84b3819705253e706e5ad1116a32bff8dc8f23aa355815486801bd2a22663446
SHA512: 2c644539e33396d9127ace36a1f764bbc5a2a984562c86494ea3af30b8896a295e1cdd5faa4dd00b70e998e255b7ad36ccac1116636be02c84d1e374b1975db1
SSDEEP: 49152:70mBuV7OfF/Ybv9tTrNzvRuYnHlPKGPY:706uV0WL9tHjuspPY
Malware Config
Extracted: amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted: stealc
trump
http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/memory/2212-161-0x00000000011C0000-0x00000000015F4000-memory.dmp | healer
behavioral1/memory/2212-164-0x00000000011C0000-0x00000000015F4000-memory.dmp | healer
behavioral1/memory/2212-282-0x00000000011C0000-0x00000000015F4000-memory.dmp | healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | af87034e8a.exe
Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | af87034e8a.exe
Modifies Windows Defender TamperProtection settings (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | af87034e8a.exe
Modifies Windows Defender notification settings (3 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | af87034e8a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | af87034e8a.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | af87034e8a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 84788c744a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 19d5a128c7.exe
Downloads MZ/PE file (3 IoCs)
flow | pid | Process
5 | 2192 | rapes.exe
5 | 2192 | rapes.exe
5 | 2192 | rapes.exe
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 155557f5e69e2cf0af05029b9c80d4a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 155557f5e69e2cf0af05029b9c80d4a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 84788c744a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 19d5a128c7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 19d5a128c7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | af87034e8a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 84788c744a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | af87034e8a.exe
Executes dropped EXE (5 IoCs)
pid | Process
2192 | rapes.exe
340 | 84788c744a.exe
2084 | 19d5a128c7.exe
1744 | 6007ace06a.exe
2212 | af87034e8a.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 84788c744a.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 19d5a128c7.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | af87034e8a.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | rapes.exe
Loads dropped DLL (8 IoCs)
pid | Process
2188 | 155557f5e69e2cf0af05029b9c80d4a1.exe
2192 | rapes.exe
2192 | rapes.exe
2192 | rapes.exe
2192 | rapes.exe
2192 | rapes.exe
2192 | rapes.exe
2192 | rapes.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Windows security modification (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | af87034e8a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | af87034e8a.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\af87034e8a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318640101\\af87034e8a.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\84788c744a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318610101\\84788c744a.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\19d5a128c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318620101\\19d5a128c7.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\6007ace06a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318630101\\6007ace06a.exe" | rapes.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0014000000005587-73.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
2188 | 155557f5e69e2cf0af05029b9c80d4a1.exe
2192 | rapes.exe
340 | 84788c744a.exe
2084 | 19d5a128c7.exe
2212 | af87034e8a.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | 155557f5e69e2cf0af05029b9c80d4a1.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 155557f5e69e2cf0af05029b9c80d4a1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 19d5a128c7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | af87034e8a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84788c744a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6007ace06a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 6007ace06a.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 6007ace06a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Kills process with taskkill (5 IoCs)
pid | Process
1056 | taskkill.exe
572 | taskkill.exe
2948 | taskkill.exe
1532 | taskkill.exe
1528 | taskkill.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process
2188 | 155557f5e69e2cf0af05029b9c80d4a1.exe
2192 | rapes.exe
340 | 84788c744a.exe
340 | 84788c744a.exe
340 | 84788c744a.exe
340 | 84788c744a.exe
340 | 84788c744a.exe
2084 | 19d5a128c7.exe
1744 | 6007ace06a.exe
2212 | af87034e8a.exe
1744 | 6007ace06a.exe
2212 | af87034e8a.exe
2212 | af87034e8a.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1056 | taskkill.exe
Token: SeDebugPrivilege | 572 | taskkill.exe
Token: SeDebugPrivilege | 2948 | taskkill.exe
Token: SeDebugPrivilege | 1532 | taskkill.exe
Token: SeDebugPrivilege | 1528 | taskkill.exe
Token: SeDebugPrivilege | 3028 | firefox.exe
Token: SeDebugPrivilege | 3028 | firefox.exe
Token: SeDebugPrivilege | 2212 | af87034e8a.exe
Suspicious use of FindShellTrayWindow (17 IoCs)
pid | Process
2188 | 155557f5e69e2cf0af05029b9c80d4a1.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
3028 | firefox.exe
3028 | firefox.exe
3028 | firefox.exe
3028 | firefox.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
Suspicious use of SendNotifyMessage (15 IoCs)
pid | Process
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
3028 | firefox.exe
3028 | firefox.exe
3028 | firefox.exe
1744 | 6007ace06a.exe
1744 | 6007ace06a.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\155557f5e69e2cf0af05029b9c80d4a1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\155557f5e69e2cf0af05029b9c80d4a1.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2188
Process (tree depth 2): C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2192
Process (tree depth 3): C:\Users\Admin\AppData\Local\Temp\10318610101\84788c744a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10318610101\84788c744a.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 340
Process (tree depth 3): C:\Users\Admin\AppData\Local\Temp\10318620101\19d5a128c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10318620101\19d5a128c7.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2084
Process (tree depth 3): C:\Users\Admin\AppData\Local\Temp\10318630101\6007ace06a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10318630101\6007ace06a.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1744
Process (tree depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1056
Process (tree depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 572
Process (tree depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2948
Process (tree depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1532
Process (tree depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1528
Process (tree depth 4): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
- Suspicious use of WriteProcessMemory
PID: 2264
Process (tree depth 5): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3028
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.1715938267\2120927501" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1152 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c94247ae-1927-4f8d-8b2f-7e587797f763} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1332 10ad6b58 gpu
PID: 2688
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.1615124112\969551069" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2306b91d-6fe9-4f0c-bce5-70bdc6a51dc1} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1512 40d3458 socket
PID: 2376
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.2.2053623105\1147710228" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2008 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0b1841-c60e-4c88-8737-49610868aad6} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2024 1849eb58 tab
PID: 2944
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.585626759\1923265718" -childID 2 -isForBrowser -prefsHandle 1876 -prefMapHandle 636 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d4340bd-7220-491b-a6d9-dc630b7b58c1} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2788 1cd40558 tab
PID: 620
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.4.431647219\1767395776" -childID 3 -isForBrowser -prefsHandle 3768 -prefMapHandle 3776 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43abeec5-cef1-4f22-ae3d-92e9d667d4a6} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3772 1c984d58 tab
PID: 2816
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.5.530429328\1368453754" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f19fd88-5b35-4ccd-a1bc-213f0863484a} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3876 1c985f58 tab
PID: 1148
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.6.894900006\164023506" -childID 5 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 660 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {773c2eb7-9b1c-4585-a212-23e16bca41b8} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4036 1e2f6458 tab
PID: 3064
Process (tree depth 3): C:\Users\Admin\AppData\Local\Temp\10318640101\af87034e8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\10318640101\af87034e8a.exe"
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2212
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
Defense Evasion
- Impair Defenses (5): Disable or Modify Tools (5)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
Downloads