Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30-06-2024 03:24
General
-
Target
WindowsFormsApp1_protected.exe
-
Size
4.6MB
-
MD5
ec9dd2a53fcbf71ff64b2e10eba30598
-
SHA1
751e31b275f57e0f4c8e9c66d035fdbad8139679
-
SHA256
cad88795d87cb584074e90572ea83e0c870a98128eb2d5f12af130d76ee20772
-
SHA512
dffd6899ac2082522308a5e23df5d883a4b59f6ef87ddfea621684f390e66ce6c19d70d1465a4885723884d8367fcec72db1c8832ea0c974813bcaa95788bf07
-
SSDEEP
98304:vtvJmh+/u/pY/PAcd7CYoGmnZDQQcx+E5xc6W:ah4YpABF3mnZ1mDW
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1_protected.exe"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.0.1245393446\40774482" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a73f52c-0d48-4038-a65d-b8af89b2dd81} 208 "\\.\pipe\gecko-crash-server-pipe.208" 1792 16da56ec758 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.1.1769746130\1631743809" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bb3fb1d-6957-4b95-9a3b-9549523a4bb8} 208 "\\.\pipe\gecko-crash-server-pipe.208" 2184 16d9a5e2c58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.2.358623893\136231716" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2732 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2c65a3-a99c-4f85-a365-3b127e02df2f} 208 "\\.\pipe\gecko-crash-server-pipe.208" 2720 16da97dd558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.3.2126487931\983204771" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78550fff-d967-436e-8802-fcb3cad95565} 208 "\\.\pipe\gecko-crash-server-pipe.208" 3492 16daa4c0858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.4.436760888\1267882855" -childID 3 -isForBrowser -prefsHandle 2800 -prefMapHandle 3008 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffdb4399-d480-4868-bc2a-cd5fe2dc77f7} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4544 16dabbd4b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.5.458569110\589223169" -childID 4 -isForBrowser -prefsHandle 4704 -prefMapHandle 4648 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {278665d9-dbc8-4772-9832-677a98f716f3} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4692 16daa962858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.6.1433884196\1482564589" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09018279-cf21-4f63-80ad-2a16cc97f291} 208 "\\.\pipe\gecko-crash-server-pipe.208" 4964 16dabbd4858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="208.7.1906652415\1462162736" -childID 6 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {600b34be-a13a-4262-8b19-e9970f772f5b} 208 "\\.\pipe\gecko-crash-server-pipe.208" 5160 16dabeb6258 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1AFilesize
13KB
MD53bb879910e125ebfc00d0669ad579238
SHA14b96bf0b30dcf91edfcc6114eda71278c639f393
SHA256e3e8e9e4e8829e66ed760cfe2da31730955465e5b5995d932b2f15784bb2004d
SHA5123ba295530363e6a3374095bfda2dc76bff79d3eee77802e5da3dc5c52e2d293bc3c70d8dfa2afb308685d27ab64fcea6ccb388731107940633b31625e203c51e
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.binFilesize
9KB
MD5e590e90c44c06d6704c59dffc34e708a
SHA1fb71cba96e76c325a7a2a8b42b971a8bbfd14f11
SHA256639bf0c3a60748a395340a5bb834461e1afc9258e3e6baac18872d09fc13128f
SHA512c4ed2b5a349323d26e1813d85c9e8893eb20fe40d7c979cc885ff5bdbb610061696f3accb277434506fff5bc659aef7fc1fb8d77d59a64e67b1f50c5c82ba40f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\ffc50418-8e04-42b8-a478-a192aa681324Filesize
734B
MD5ee081492442dab76291c7b11ec7c5cb5
SHA1f332319bd6f54453fac69438a197af43a2e3be21
SHA2569e2cff893109a014bfd856b2db0ad07bf2d5a3f2c66b6148459806d70ba5e161
SHA51272aca3eb7d59aa44186ca1958e8a8ae217ba1680bda9f227a54fe5716fd5fbe452f8b6ff0104a7cb3ae4d27dd33721eeeeb37ae1fed68cbfce2161ed9c8565cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.jsFilesize
7KB
MD55a9c03fec8dd9a10d01dec89873b8625
SHA1e221a92a5521c5207889e6532eea1415e2c9e568
SHA25636cb0931db7e5145fee5e4d48f1a94521b5866c7f48512ad0077c2892389c905
SHA5127ade096ef4cc7b27c03a938ea45039ae6663514449f5642682a65d09c6826db01bbae642fc8eadf2495ca075f7d85516d951b50b6e9bc70b8f6d63f0a241ad4b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.jsFilesize
6KB
MD5f011785412c528d6f73bb8ad76b91595
SHA128f3d5cecad5682e50f0c95a58c737c601e545ce
SHA25689946a10ec5d20fb70794207124d28b931381677e22cb7d56d0333b04e77cd76
SHA5127e03faa9c105161be2541cff4e4b677886c68fce46602bf0b715779dd23f89a530e651f171f3bf00d1d5bc1ac310f78a9e1e0329d3e9c860f02b1d6b43dfeb18
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.jsFilesize
6KB
MD5371af43dcac4b30bcbda13b80ed9aed5
SHA16a568a6f5b235353c9075ffe11b2f4aa16af03e9
SHA2565a072181fc55058300a1def75fa08109d57d72c6977449e2cbd13e630da0f0be
SHA512dd13aac8ef83dfb6e9654fc62dff45daf121c28ef8155b7ec5bfbbc536981e46c42adb32bc837595176c078850d00cb2c5d8aeed5af8bb1a2cd44bc471646cd9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.jsFilesize
6KB
MD5025ee5eb12d2a543cee4b828fe1bf16d
SHA1866335e7a68b7903aa453c2d06c47f9c73d974b4
SHA256e2463bf27e901146d38faccf9695069596f3b71c5f6a5fba3d33c6b7a7a23a04
SHA51265c5b6fb40c7f12f1b5cdc4ea858eeea08bb6b96a8208de8e631a4cfcbb8017c1773ffbb545e1581e08e5f1d73d24c31320456ea696fd138ee5ab6ddd1dfb5df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD50dc764ebcca7b141b68a6769914577dd
SHA16a3def414af3bda8e01ef75833ab4691f8bd9b1f
SHA2566f16bdadc966ad83e9c218e38e34baac3acd25d9d2f5cf6652e3f206dd4d3a67
SHA512ba740b3f949e86e8a6c8767f27e831dc564953a27e7ca3c093a2527fcd8cdc2241c2d66687dcb81c4e7eab13477dad881965301c93933f3f95e4f77c687665e8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5ee1e0800a9c00dde47c263f22d676dd2
SHA10559ce07635ddc3776cd77aca90c722e2c80d771
SHA25659a6c7a5e342d700fe7a9771a52dafbebea33a6dee666fb4191c1495c3ef4ef7
SHA5121e557151954103c1e38e1a9d48f90de88ca506f65a26d7d72e26542bc626e642a176f6fbe732c9ceeaedbb375d93a7eb947eca57296d4f49f10ec60296f899b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD50d0013d9708d9fef539adc917f5b87f6
SHA15e071e6b4d8abf007c8bb78ee948caf5bb0439e1
SHA256f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b
SHA512851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
7.9MB
MD5589fdb9439873168b15e81c8643d7db6
SHA14a9afe7416d35b799133bb9a3e31ad9ba93949b0
SHA2568fb36c38189e704acace97f64cadaaa75b9bb2dea4cf6ffe91dae312c74b4fdd
SHA512954955b8ea05cd48a05d206c7a138a9c282f1af65659985b883bf22f2a28b355bf74de7e4b799fb51f9404294b2cddf4355abcfd4e0b80f716099c712f2e1266
-
memory/2428-110-0x0000000140000000-0x0000000140C3A000-memory.dmpFilesize
12.2MB
-
memory/2428-0-0x0000000140000000-0x0000000140C3A000-memory.dmpFilesize
12.2MB
-
memory/2428-99-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-104-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-103-0x0000000140000000-0x0000000140C3A000-memory.dmpFilesize
12.2MB
-
memory/2428-101-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-100-0x00007FF825CE1000-0x00007FF825CE2000-memory.dmpFilesize
4KB
-
memory/2428-97-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-96-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-111-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-86-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-84-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-83-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-102-0x0000000140000000-0x0000000140C3A000-memory.dmpFilesize
12.2MB
-
memory/2428-65-0x00007FF825C80000-0x00007FF825EC9000-memory.dmpFilesize
2.3MB
-
memory/2428-9-0x00007FF825CE1000-0x00007FF825CE2000-memory.dmpFilesize
4KB
-
memory/2428-98-0x0000000140000000-0x0000000140C3A000-memory.dmpFilesize
12.2MB