Overview

overview

3

Static

static

1

fighter.jpg

windows10-2004-x64

3

Resubmissions

19-04-2023 17:47

230419-wddmrsec7s 1

18-04-2023 16:13

230418-tn47csec9x 8

18-04-2023 16:12

230418-tnnvdaec9t 1

27-03-2023 18:25

230327-w2w41sgg51 8

27-03-2023 18:23

230327-w1yw8agg5x 3

27-03-2023 18:21

230327-wzrfragg4z 6

27-03-2023 18:21

230327-wzgljsef96 1

27-03-2023 18:20

230327-wy9wpsef95 1

27-03-2023 18:12

230327-wtb4wagg2w 1

Analysis

  • max time kernel
    83s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fighter.jpg

  • Size

    7KB

  • MD5

    b4ab5bbc090eb4ff916fbb48dc9d3a40

  • SHA1

    b2c8e91298fd8ac51cab4228617db1b469641ab7

  • SHA256

    43f43bc1cabe913c58d9dc83503b4711eef4c7028098db545ea3e95849801eaa

  • SHA512

    edbd4475c6ccfbfe476727511e2546d41b7d039c133df200009c58cd6d350c0eff69d4f4db66f36011e3e9206e55a7e41919fd6342f639f48427dba08ecb791d

  • SSDEEP

    192:uAkBa3UqVX8M08LcJYUaxm3ENPY3h9vY6MDiHbt:rkBa341haxmIY3DY6M2p

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\fighter.jpg
    1⤵
      PID:2996
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.0.1596647528\1789452624" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51f52e5e-a310-4a64-aa88-d2d9a6a32f50} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 1900 14effeeb658 gpu
          3⤵
            PID:1372
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.1.1725227101\556336979" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5aab50-bf22-433b-a199-bf5218f8c5fd} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 2300 14e8b32b258 socket
            3⤵
              PID:4228
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.2.1735928858\541503722" -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 3104 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c23c82a-01e4-4cc0-8d7d-bde41850e7a1} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 3120 14e8daba458 tab
              3⤵
                PID:3372
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.3.1771087241\670053336" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3420 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b1bfcce-814b-4d8c-a69c-37c1d82fd93e} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 2464 14e8c7f7858 tab
                3⤵
                  PID:484
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.4.1042830513\674795627" -childID 3 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {171c1e03-35c1-452f-839d-c581c33f6cb9} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 3844 14e8ed44258 tab
                  3⤵
                    PID:3128
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.5.1763959002\1647988369" -childID 4 -isForBrowser -prefsHandle 4628 -prefMapHandle 4528 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fec8ea0-6bb5-4111-9bb7-cf255a37778b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 4868 14e8fc15e58 tab
                    3⤵
                      PID:3604
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.7.880705043\1704714698" -childID 6 -isForBrowser -prefsHandle 5016 -prefMapHandle 5024 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {514aded0-92ad-4545-8d99-0ae6d31a281f} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5144 14e8da78e58 tab
                      3⤵
                        PID:4196
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.6.918629334\891982530" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9492bb73-755b-4762-8f03-08cbfc28e42a} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5020 14e8da7a358 tab
                        3⤵
                          PID:4180
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.8.802816009\979644091" -childID 7 -isForBrowser -prefsHandle 5116 -prefMapHandle 5440 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46389c0d-bbee-4df1-b722-a6bd2bc9a2c2} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 2880 14efcc6cd58 tab
                          3⤵
                            PID:5392
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.9.1922874464\1621874344" -childID 8 -isForBrowser -prefsHandle 6008 -prefMapHandle 3548 -prefsLen 26596 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6898da2-4322-4f9c-b402-8161c0f4d08e} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 3576 14e91a62858 tab
                            3⤵
                              PID:5984
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.10.1879384991\1526004241" -parentBuildID 20221007134813 -prefsHandle 6108 -prefMapHandle 6104 -prefsLen 26771 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31966a6c-9cc2-47e9-a03d-4c8a2e896312} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5840 14e8ea37958 rdd
                              3⤵
                                PID:4692
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.11.810444002\635889183" -childID 9 -isForBrowser -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 26771 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64a04218-a835-44c7-a883-cb0dc878e671} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 6244 14e91922d58 tab
                                3⤵
                                  PID:4532
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.12.930570868\835139054" -childID 10 -isForBrowser -prefsHandle 5372 -prefMapHandle 6396 -prefsLen 27036 -prefMapSize 232645 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed560250-f6e3-44be-9d2c-85c72e7ea411} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5256 14e9019cf58 tab
                                  3⤵
                                    PID:2196

                              Network

                              MITRE ATT&CK Matrix ATT&CK v6

                              Initial Access

                              Execution

                              Persistence

                              Privilege Escalation

                              Defense Evasion

                              Credential Access

                              Discovery

                              System Information Discovery

                              2
                              T1082

                              Query Registry

                              2
                              T1012

                              Lateral Movement

                              Collection

                              Exfiltration

                              Command and Control

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
                                Filesize

                                162KB

                                MD5

                                367d6e8f46a206cb8aba482ed5ae738a

                                SHA1

                                7eb0f75b096e45e7a367012a81560b1e542bc178

                                SHA256

                                1209032e26e87d58a3b0ffe97b0975e2552173001ba30823adbe428998d1e235

                                SHA512

                                416b18f5bcfc8a303ad021a223985ccbe578fbede0fcd0a3174dc0907315f7f7a34f47955cc3b690b3f58f0374def4b33fdeec51c77811703a3474bf76eaf2da

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\18319
                                Filesize

                                15KB

                                MD5

                                975e55678711e4d7d39c674cf2d42306

                                SHA1

                                2b29b33804c9971b68c64c9ee95acc72e8086b6a

                                SHA256

                                2b44e13e1fb1a61ad4e30526417934c33bb3dc6d0e3276dc41751577c0709ad7

                                SHA512

                                66b4af548e9c05b178561c56ddf18e6d0462feec6b854154f2d1196c2aee8100bcbd1a5ca506cbfd9437e341190e0d8b95f0aa316abdba9690db6fb573a118f6

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\23213
                                Filesize

                                15KB

                                MD5

                                89d333b01c8b346b5b247a48bfda1cef

                                SHA1

                                0f510edc6b110c739f942e6e94a233af4ba70de1

                                SHA256

                                77db2dc14c45d2097329240bb746a16e07d1685f2b0735c9fe22f0e7d4c701ac

                                SHA512

                                3b4ac341db591dedbb562371df5d1aa32932b9847c2de6bc30cd0f8644afbeb51a10eb451e8ebd4831736ccd95716dbeb2c0534ef7b8bcecdddd0f64f39fd9af

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\32503
                                Filesize

                                15KB

                                MD5

                                c43192b4c300794fd074679d829598b0

                                SHA1

                                181b0097205eb96c0678d5a7114225acf8963096

                                SHA256

                                1e71833d086be8133cf032aaa7d5f09de603d659d6e5be0f96d48e702d3dc283

                                SHA512

                                5d6e34319c3dae44ccf7c5178faa4ec5bc051f0960bd81d2daf4bbe2ef80e82c41ae6a1ba63ea606e798e6627f394b1559bc0c4c2f95d565d6454c34c5c04f38

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                157529e15bda08001a6c0166026215e6

                                SHA1

                                329da3c683d7f8f968eefd596884336950e80161

                                SHA256

                                346246c2fa3d861997bb0a3a957daefefe4416616d9829e88d1840f96f5b9dec

                                SHA512

                                f402d1f48d2dce383ac78e29f27ca0aeaca2dc03bf667d8a6ca9c632aa4dd88682a1db97f06403eb282e5e2910f9184d03e87ce0e38e55834ee2d5a551f74855

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                1ddd433d8ef2ef4fdc075139b01b1e41

                                SHA1

                                707bb9855021ae0b22d6c0e757352ef10602295e

                                SHA256

                                7cdc029492f3b3a80fb179b74477fbc469c24ebe0022bdeb7ce15b9cd738158e

                                SHA512

                                a1ff9abe8ba9affe80850bd02a59d4fdf05be8d19e8bb5a049d934bdad64a1a7581d03c6f2ce291503eaee4b39d439786b2c2c1c5d9282b162dc85550a117c15

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                0000c1a77192e94d82e18a0e32c81e5f

                                SHA1

                                aec87e475d37276675a6b97fbe6b1e28be68a253

                                SHA256

                                07c91e5c637a047a8649a3fb9f0abe222216fe7e6c019ab9a576058c46c77908

                                SHA512

                                584f77bf5301d3563493b1ac9279b8deddc03fe290ac7171963cafdfd6210a74a30e6e7a274451781bb8bd674c53b189948b458fc853da158669a33a16f7f33b

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                3dff58ef4b09396eda6854ef9b490729

                                SHA1

                                bcdabc72285e22764a450bfea7c3d64203bf0b53

                                SHA256

                                37d68ed70da6238c5ddec3e8a622b24cdeeded0c05fddf0be612721e16fd6353

                                SHA512

                                4b7fd92b6e3efbe5008dddeff923d68fbc09307c79fb80fa36e0b0b8d788e03ee8797d1e52bb6e3a493716cdcaae1ce62bae8b0f80f2ddb301cfcee77d8fd5d8

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                                Filesize

                                7KB

                                MD5

                                8c3a211c007d6b6f92d76961949c2d9e

                                SHA1

                                abc1f87f3c6c2c1ebbbb5e60eeeabd7c9ce6773c

                                SHA256

                                75ac77d4b425f37fcd931ef25131b88b47763009afdb0cecef6b81aac1626284

                                SHA512

                                5ee74955031a333c6864dd9dae431ab115032f1cea35c91cef548e60621c4879378384b42e44c3f48b184051146a9003bcaf19ec7ea4fc3812b2f613bc57794f

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
                                Filesize

                                6KB

                                MD5

                                9971fa8fa89a208685d3e30835832fb5

                                SHA1

                                5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

                                SHA256

                                13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

                                SHA512

                                02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                3KB

                                MD5

                                6f3b9c566cebd7c97846b88c670da59f

                                SHA1

                                f9c8df73e367e367468db7c0c1ae7992602e5bc9

                                SHA256

                                95ad57b615ff366260b70fa19f37d2286e9ac7ead4b2dc8f4f4bc6d90d3167f7

                                SHA512

                                39f552cce64267ae4cfe97dfb1372709a36c916f0812e3077efbe4814ffbecbf9ad6872951031705c8219accbb92fb991fae2a87651d804733dd746243df7ae8

                                Download Submit
                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                13KB

                                MD5

                                ec15ebe073c95b3da2d60f5eb9c7cf24

                                SHA1

                                9a9918b17f39c18c56cf2fa18742a5691c6b791c

                                SHA256

                                1216ffd74c69c397208a906291cfc235d8ac24c987b8286e902146aeabc81452

                                SHA512

                                5158cb629f5b335d0e1546962a541133db273cb63b45f2edae4a466701c4a38689fe320968c3f63b0e77a7149a3cf9d09b8849f141df0a7f49aa82eb5b8ca7b4

                                Download Submit