Resubmissions
22-01-2023 19:41
- 230122-yeeybshe98 | 10 | 22-01-2023 19:30
- 230122-x716lahe43 | 8 | 22-01-2023 19:26
- 230122-x5qxvabd3t | 6
Analysis
- max time kernel: 696s
- max time network: 686s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-01-2023 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: phish_alert_sp2_2.0.0.0.eml
- Resource: win10v2004-20220812-en
Behavioral task: behavioral2
- Sample: email-html-1.html
- Resource: win10v2004-20221111-en
General
- Target: phish_alert_sp2_2.0.0.0.eml
- Size: 12KB
- MD5: a0a1d3029c6ef7f44fe7112bb59ea881
- SHA1: b0bf8bf1de9209b87190a4dc2d267de72685bc27
- SHA256: 694adfef602d2ea796b3feac4cfe9ebdc0dbeb0daaee501b76df53ce0260ad6c
- SHA512: f1fabfa69533b20ec65bf14a3048f63f6fbf13c85e1e153b26e7b74d1111a3e916ee832ed2e9ce4e4dc6b7ec9e2290322c818add3cb0aabb65e8ae6f918e3ec6
- SSDEEP: 192:ZIsmfIKrYS7R7j+Uvdb5fzJ5MVPFPDk28qldd5So7cbmflrhyF0KH:ismwKrYKRtvbfWDkYjd5Smcbmfl1C
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: firefox.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Modifies registry class (3 IoCs)
  Processes: cmd.exe, OpenWith.exe, firefox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | firefox.exe
- NTFS ADS (1 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml:OECustomProperty | cmd.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  232 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  pid | process
  3924 | OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: firefox.exe
  description | pid | process
  Token: SeDebugPrivilege | 4148 | firefox.exe (6 entries)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: firefox.exe
  pid | process
  4148 | firefox.exe (4 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: firefox.exe
  pid | process
  4148 | firefox.exe (3 entries)
- Suspicious use of SetWindowsHookEx (63 IoCs)
  Processes: OpenWith.exe, firefox.exe
  pid | process
  3924 | OpenWith.exe (repeated entries)
  4148 | firefox.exe (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: OpenWith.exe, firefox.exe, firefox.exe
  description | pid | process | target process
  PID 3924 wrote to memory of 2976 | 3924 | OpenWith.exe | firefox.exe (2 entries)
  PID 2976 wrote to memory of 4148 | 2976 | firefox.exe | firefox.exe (9 entries)
  PID 4148 wrote to memory of 3180 | 4148 | firefox.exe | firefox.exe (2 entries)
  PID 4148 wrote to memory of 952 | 4148 | firefox.exe | firefox.exe (repeated entries)
  PID 4148 wrote to memory of 4900 | 4148 | firefox.exe | firefox.exe (8 entries)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
  - Modifies registry class
  - NTFS ADS
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.0.1397110347\920369573" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 1780 gpu
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.3.187203630\1252029064" -childID 1 -isForBrowser -prefsHandle 2492 -prefMapHandle 2432 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 1552 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.13.410855962\1621168316" -childID 2 -isForBrowser -prefsHandle 3860 -prefMapHandle 3760 -prefsLen 1602 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 3740 tab
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.20.124852530\1775011544" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 4080 -prefsLen 7599 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 4068 tab
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
  Filesize: 12KB
  MD5: a0a1d3029c6ef7f44fe7112bb59ea881
  SHA1: b0bf8bf1de9209b87190a4dc2d267de72685bc27
  SHA256: 694adfef602d2ea796b3feac4cfe9ebdc0dbeb0daaee501b76df53ce0260ad6c
  SHA512: f1fabfa69533b20ec65bf14a3048f63f6fbf13c85e1e153b26e7b74d1111a3e916ee832ed2e9ce4e4dc6b7ec9e2290322c818add3cb0aabb65e8ae6f918e3ec6