61a538cfa94ecfb3be34ee4abe600229873ab5567c346b77c258e7a406ebc019

General

Target

Tsurugihime.zip
Size

76.3MB
MD5

76442c9918c6fcbc48abea8c4b82b596
SHA1

04561972f3c830b8a134d3567a3994a7e35d70b6
SHA256

61a538cfa94ecfb3be34ee4abe600229873ab5567c346b77c258e7a406ebc019
SHA512

a5aa75494b148701fc65d8c4239e158bb922d581ead03d69e6e54b862f589da13eb3d60b0ddca2df7d62e84d4163de1b529664988a1f9fee54f38971037c5e4c
SSDEEP

1572864:djI/tnIO8HzgR53AS6jb3tBaACsQ6EIdMxKwEN9WlrhfEdsrYvqfYJxYgIt:djIlnIO8Hzgz6fL4sQbQlNNslrhfEmMw

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4012 firefox.exe
Token: SeDebugPrivilege 4012 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4012 firefox.exe
4012 firefox.exe
4012 firefox.exe
4012 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4012 firefox.exe
4012 firefox.exe
4012 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4012 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4012	firefox.exe
Token: SeDebugPrivilege	4012	firefox.exe

pid	process
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe

pid	process
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe

pid	process
4012	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 3800 wrote to memory of 4012	3800	firefox.exe	firefox.exe
PID 4012 wrote to memory of 4772	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 4772	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 2640	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 4332	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 4332	4012	firefox.exe	firefox.exe
PID 4012 wrote to memory of 4332	4012	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Tsurugihime.zip
1⤵
PID:3240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.0.948457315\1701829590" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af674751-b8de-4fdd-871f-2c38f9a86497} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 1748 2168882e258 gpu
3⤵
PID:4772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.1.1144678315\1548759813" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2287671a-4986-4617-a3b5-5a00a8054aa2} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 2100 21688d12058 socket
3⤵
PID:2640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.2.456714622\2076661822" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2920 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e76b58d-8248-43ad-9381-eeed8c7fbce5} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 2764 2168b6b9d58 tab
3⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.3.932328059\1441202948" -childID 2 -isForBrowser -prefsHandle 1068 -prefMapHandle 1064 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d6ce7e-3104-45b8-9d94-821bc7d40527} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 3120 216f4c61c58 tab
3⤵
PID:4416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.4.817641561\403013604" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4384 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaa9b2ce-50d7-4d28-a02f-8c8278da55c4} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 4404 216f4c72558 tab
3⤵
PID:4940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.5.1336047908\1044704531" -childID 4 -isForBrowser -prefsHandle 2904 -prefMapHandle 4900 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54b9852c-34c8-40e5-a8c7-700594f919a4} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 4896 2168b7b9558 tab
3⤵
PID:1540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.7.1606305532\1674196970" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9a87f04-edcd-4adb-805d-d18750e83b34} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5232 2168e103258 tab
3⤵
PID:308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.6.347775100\2091671865" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ee54281-ed61-40dc-8374-589cbacdd856} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5064 2168dda3c58 tab
3⤵
PID:3512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.8.1882389305\1448444580" -childID 7 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26956 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b149c165-15f5-4e3b-af9f-48fdafe7f765} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5460 2168ddc7f58 tab
3⤵
PID:4220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.9.231394774\1770263123" -childID 8 -isForBrowser -prefsHandle 5104 -prefMapHandle 2856 -prefsLen 26973 -prefMapSize 232675 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1cbd392-9d0c-40c4-92cf-f4fc49634165} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5020 216ffd0f458 tab
3⤵
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize
148KB

MD5
f5d89c55950af50f66cef08562eb665d

SHA1
31026a1bf8bde174fe7cf3993193da121539f26a

SHA256
72cb4309065b116c1763db32347d5a762a077e7593b009ea5fa4ccca939d536e

SHA512
0cf50a2a7a533eb58c8bfed985b74f4466f4be4f1591565329d3d6f9c4e936fd4c7941a8f02e8fe1e3b2e6a3deea5d999263295d98611479d1cc5946f0bc0076

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
2299d50f3655955ad44c40b60f124a49

SHA1
6e092fa036e3cd88b0ad86980b8cf15c8c0b4bf6

SHA256
3c1cc274ce92cc69cbf37bb9b35c5b2352f7ed4a31beae518630c7607ff95eb1

SHA512
1b41755cfd12a4552f58aa3efa62ca56bdad890eccae51f6b5b1fbd48fe1a938ee89af917dcdb6f063534183a636494ec6b8a5ad33e922d7fd2f5c415c389725

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
51c8b1f76fd3d08af5cbb7f484d91c8a

SHA1
34eaa78c85aa3137442d2c1e175921a575644b0b

SHA256
ad9d564d2684607c7013f8946646ce7c3c4bd3711d30a7fe259eea10b2d7e222

SHA512
652cc8ad907c0faf227a32a77e7d7dd7d26e9fe55c6b02d268bac51fe45c44435ef6c0a7cbf68be7cb4c2505d4439ec935f59ebd6df70df73697c03d0a11e556

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
a5c110e4b98fdabdbd12a91a7b28d510

SHA1
b031bf2a4454b63bf9a131d38c7a5cfb6a412d5a

SHA256
0ff07ef9ac03c7a9fd71c5043b1af4beaed6b1849c2ad1edca0b5c727d478123

SHA512
338d1e97b5362388de87f7030dfe2347a045f1aace5f70ef3a33cc720ccb3f040aa2832d0db7afcc875d8b737dbc5029c9e50b4dfdc271cce3d4bbeda700617a

Download Submit

Analysis

Sharing