Analysis

  • max time kernel
    28s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18-03-2023 13:13

General

  • Target

    AR_Aging_statement.htm_

  • Size

    3KB

  • MD5

    78549ff4c7a9f7e02cfec1e29233712d

  • SHA1

    0185bae8b5c345d754c96f4b590954785ff9f279

  • SHA256

    4eb8ffa0f5a8e82f122f67d15f1c7c44398d97f88391b9ffaff1b496bbffadbf

  • SHA512

    5a5b30b58f02fcaf3328604a6ecaaa2e8f7fcd5f3f5fb08dfd59e0250c621444a0eabb1d2ebd86613326d88cd7f794aefc363a7a7cb56de495dfd154c78bdd43

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\AR_Aging_statement.htm_
    1⤵
    • Modifies registry class
    PID:4004
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AR_Aging_statement.htm_"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\AR_Aging_statement.htm_
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.0.233462483\125199469" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83622a04-e9ca-46b8-bd58-b019b0caa6b0} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 1916 2300d1ecb58 gpu
          4⤵
            PID:3192
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.1.178571246\1874160835" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59aa565-a103-43ae-a4a4-d1b2204aa6f1} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2340 2300026fe58 socket
            4⤵
              PID:2384
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.2.1011560062\1043488146" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfe9c4c5-05bf-44bf-b4ec-f25a62b25135} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3092 2300d164958 tab
              4⤵
                PID:4184
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.3.2017421117\102654138" -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f72971b-6f5b-409b-9415-123bb0f562d8} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3968 2300026a558 tab
                4⤵
                  PID:1460
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.4.273580729\2095936003" -childID 3 -isForBrowser -prefsHandle 4912 -prefMapHandle 4940 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3839c17e-a7d1-4281-9cf8-62c9a980cebf} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4876 23013115358 tab
                  4⤵
                    PID:2896
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.5.2102369159\1273397902" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67c83e64-3ee4-4748-b527-ca8b5216a033} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4956 23013113e58 tab
                    4⤵
                      PID:3496
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.6.1134887487\310671380" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d443de6-c49a-4459-9833-7f8c019d10c5} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5264 23014389458 tab
                      4⤵
                        PID:3500
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.7.802613022\250382832" -childID 6 -isForBrowser -prefsHandle 4784 -prefMapHandle 5884 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ccfda73-9e2b-43ff-bfbf-1af3dd9f3198} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5920 230114d2b58 tab
                        4⤵
                          PID:5664
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.9.1518486800\414553128" -childID 8 -isForBrowser -prefsHandle 5556 -prefMapHandle 6044 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50df5503-fb48-4b68-bf02-a877c5ba0eaf} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5056 230142fbb58 tab
                          4⤵
                            PID:6076
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.8.607927121\398178116" -childID 7 -isForBrowser -prefsHandle 4956 -prefMapHandle 2940 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bb4b5e1-5da7-480c-83ce-3b73b36d633f} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4336 2300025b258 tab
                            4⤵
                              PID:6068
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.11.392498378\1531802707" -childID 10 -isForBrowser -prefsHandle 5332 -prefMapHandle 5340 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cc5b1ac-9053-4f1f-acef-672e5a1438c3} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5364 2300fb5ca58 tab
                              4⤵
                                PID:5636
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.10.1795589552\845407545" -childID 9 -isForBrowser -prefsHandle 5912 -prefMapHandle 2920 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12ce74b-2c1f-48e1-9134-c67fc88316bd} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 6060 2300fb42458 tab
                                4⤵
                                  PID:5628

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

    Filesize
    151KB

    MD5
    def1cb9d25c774d4f63747a3d7db93d4

    SHA1
    8cac19b1affa6de1ab092802b4c704a6a999848c

    SHA256
    9356ba4323dc3e2d997de4ab59c2fb95068279145278791e59b9ffa898669982

    SHA512
    ec554b929a21097f5f00ab4474903e6ee8005e319b0307a71d228c30df377a77c496e0856ccbbad72c932111a7dfa56a61b3578474bb78f68b41acac68e1d2bd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

    Filesize
    6KB

    MD5
    75980d805d8527ad8fbff58918b21d38

    SHA1
    020114b151d713b98873fc60d8469656783a1935

    SHA256
    c9d4cdecc7c0b530d1722cef0973fab84e65d09822ace3d2bbc2f29e71dc610d

    SHA512
    d399bcee890f69f03ac02f2051877b0fecdda4c4bfdcb70f28601bcd360afe917bb2dfa7a7302eb654da822909e4f5debd2de85c6ea5589b438968f6b25b2100

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

    Filesize
    6KB

    MD5
    56b87db47b78de36974961cd139fff0e

    SHA1
    17d995a5bf9a73a3415d9c5ec02d091536bf9ded

    SHA256
    15a1bd2c7d188b9d19d85248a33479a7256d4122a2a60d87533dec9401f4394d

    SHA512
    f439ee7dddc070c32ca6836781a335b1203abb17e5768bfcea3723c145aee4c0cc84a67ed769cc0b2e7bdada87268bf59fb6186953d72b0f4f3242a81ba98a0f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

    Filesize
    6KB

    MD5
    f73e52d124620d05267ba934f3b312d3

    SHA1
    34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

    SHA256
    fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

    SHA512
    4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize
    1KB

    MD5
    d414364e7e55696c1af40a1b8b375dcf

    SHA1
    b6ae388b6c88879f1ea4800bb587b0f7ca02ee6d

    SHA256
    d3603b5dbdb42036bc8c313c62095a19deb79b590a1cd2d83a4e45cea540bd59

    SHA512
    341bd9af2d56607e1681ff0370663fc6a361d6236a1eef76cf23ab137b7c2101ec95b803081782ec8ebb3f8f36bf6304417f485f4e72c814595bce334c4c3a9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\default\https+++www.office.com\cache\morgue\8\{4b3b86f0-aa11-4f37-b385-16daf34f6108}.final

    Filesize
    76KB

    MD5
    f49ea52713c600e473f202ea04dfecb7

    SHA1
    293533d40eff9a649d0ab3bc5b924617834e4cd8

    SHA256
    7e2fdfa0586e5d1ceba204c5e88194e469b5ee17ef3d88e7c3cc5a6eca449353

    SHA512
    9b2774882ac35c0e1804dbf9d8295d025c1aa4de7e84984e154368889ef0e9b3e16a94a1b147fb262f2d4e3ae44e05847a63bde9c9078603ba6f29470bdf0821