Resubmissions

13/03/2023, 07:14

230313-h21kjsba7s 8

13/03/2023, 07:12

230313-h11txsba6x 8

Analysis

  • max time kernel
    92s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2023, 07:14

General

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.zhuoyue-2.top/#[email protected]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.zhuoyue-2.top/#[email protected]
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.0.228897455\1490746767" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8773f44-fd0b-4c82-a61f-c5a6a7be2f68} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 1272 12b18758 gpu
        3⤵
          PID:1796
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.1.1512841840\2059117098" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e12aaed3-c5ba-43b8-8dbb-74fd44c9e17d} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 1488 e73b58 socket
          3⤵
            PID:1960
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.2.281699300\1282825326" -childID 1 -isForBrowser -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61872bad-7a58-4832-850f-0e6249a91b94} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 860 1a4dba58 tab
            3⤵
              PID:1072
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.3.1156161604\1758344988" -childID 2 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68cfa172-354b-41a7-81b0-8990a6fb789f} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 2796 1c552858 tab
              3⤵
                PID:980
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.4.1938121404\1436792135" -childID 3 -isForBrowser -prefsHandle 3404 -prefMapHandle 3408 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {513a3145-eb6e-436d-9cd4-beb8151e9074} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 3420 1dacc358 tab
                3⤵
                  PID:2284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.6.1595926509\1356376505" -childID 5 -isForBrowser -prefsHandle 3652 -prefMapHandle 3656 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dc0c5c4-7149-42e5-8fc9-3f192bffd064} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 3636 1de7e658 tab
                  3⤵
                    PID:2408
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1532.5.1116862142\466567261" -childID 4 -isForBrowser -prefsHandle 3584 -prefMapHandle 3588 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b56b04a-e3a7-4fd4-8c24-237bbc4adb50} 1532 "\\.\pipe\gecko-crash-server-pipe.1532" 3572 1de7dd58 tab
                    3⤵
                      PID:2380

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 162KB
    MD5: 2d4069453f14d968b8cb348b4bf456da
    SHA1: 201b8ae0c6ff305c3c2536d018bd0aa5c18772bd
    SHA256: a3b795d1ac0901b6a04d37077b7d26a8ab63306f9c94bad9bbfb93e1f376f319
    SHA512: 7e0899a1f908fb8c8b7f96e203a5fda64f38ba0466928c3fc70a58ef6e54d6db4a84890e5a0693e82a3c760503b57e1969b67ff4f170077743326468472949b7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.js
    Filesize: 6KB
    MD5: 024c6fe18df82522164511c697474338
    SHA1: 152f2037990159375f4846bec398c223ac5e6ba0
    SHA256: 2bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2
    SHA512: 071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 937B
    MD5: 0f4f86c8f7fb1172749175463c0b21c2
    SHA1: 6f6fd7513ec81a32000062ad77a66aed1d1e1c84
    SHA256: 28da8cda50921b7b62549f8ad44687d2145531c943e78e5938ee41e2ca83a645
    SHA512: 2c6d76dc30f1e0e20e92109e3f6c0942409a6cc71e28fbc8dd77d6646138c1057c5078af1d2d2400d1da2a6cf7a0afbfdb875b67d40204b49274b75f4622365a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 7ec31b0cf77ad91d89ba864b7e5e29ac
    SHA1: b7a88594dcce7f0fe1cc9ae9362c58d1a16f1993
    SHA256: 38ce562826eb2c710ae62b9d0549e85da8b68bf11118b37d98df11a0696849d5
    SHA512: 6571d2a2d570d6e78e2b36667dbc20f53ff7b9f5f431f557aa1d1ec0bb7456e3c884b402a898ed69db94da0a8f70125ed15f30067d673e64e4dd46187b140983