e4c6a6af91ed5934481a869baf6013c9f58461de78eeb5dde54cec495b336ea5

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-04-2023 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

extension_3_12_16_0.crx
Size

1.0MB
MD5

4a48d26cecb835afcad7de5df28ead61
SHA1

79898598d614cde6de854b02685942df177c8827
SHA256

e4c6a6af91ed5934481a869baf6013c9f58461de78eeb5dde54cec495b336ea5
SHA512

dc87a644631330fb66a7553aaef84d7c9fa8b58b52ba3a04221438837a4f67d607b0823f960f719e442550af30810dc99b9ebdd229743352c4fabaeea64f84ea
SSDEEP

24576:QBYwuV+PrV0acR8q9kOsusPx8j26aySX8gCAXTWHm+YQPj8LJ4Jq:QdRZ6R1SJ8K6ayp+WHbF78iJq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.crx	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.crx\ = "crx_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\crx_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1164	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	firefox.exe
Token: SeDebugPrivilege	1848	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1848	firefox.exe
1848	firefox.exe
1848	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1164	1732	cmd.exe	29
PID 1732 wrote to memory of 1164	1732	cmd.exe	29
PID 1732 wrote to memory of 1164	1732	cmd.exe	29
PID 1164 wrote to memory of 1704	1164	rundll32.exe	30
PID 1164 wrote to memory of 1704	1164	rundll32.exe	30
PID 1164 wrote to memory of 1704	1164	rundll32.exe	30
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1704 wrote to memory of 1848	1704	firefox.exe	31
PID 1848 wrote to memory of 1500	1848	firefox.exe	33
PID 1848 wrote to memory of 1500	1848	firefox.exe	33
PID 1848 wrote to memory of 1500	1848	firefox.exe	33
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34
PID 1848 wrote to memory of 1036	1848	firefox.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\extension_3_12_16_0.crx
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\extension_3_12_16_0.crx
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\extension_3_12_16_0.crx"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\extension_3_12_16_0.crx
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.0.1916086290\858809260" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29177a48-9ada-4139-8933-483c4ed95b45} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 1260 13c0e858 gpu
        5⤵
        
        PID:1500
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.1.1205513258\1462135996" -parentBuildID 20221007134813 -prefsHandle 1452 -prefMapHandle 1448 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df28c4c0-2a3d-4e4d-9693-8205e2af3536} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 1464 3f1f958 socket
        5⤵
        
        PID:1036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.2.2142006830\774484475" -childID 1 -isForBrowser -prefsHandle 1908 -prefMapHandle 2056 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72898dfc-ec22-497f-b571-50b67da5f6ff} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 1752 1a2edc58 tab
        5⤵
        
        PID:1940
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.3.1786422812\1788217641" -childID 2 -isForBrowser -prefsHandle 2724 -prefMapHandle 2720 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b4d47b-0918-44c9-95b4-478646b2da7e} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 2736 e5b258 tab
        5⤵
        
        PID:1932
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.4.1834698700\188270812" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3728 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d1aa00-20ff-4da4-8151-641ce153785b} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3740 1e6bc758 tab
        5⤵
        
        PID:2388
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.5.947489493\1003141480" -childID 4 -isForBrowser -prefsHandle 3688 -prefMapHandle 2824 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fa67287-4d1a-4553-879f-780a8b135607} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3768 1b095358 tab
        5⤵
        
        PID:2408
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.6.1566489085\1875289315" -childID 5 -isForBrowser -prefsHandle 3892 -prefMapHandle 3884 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5acb1eb3-88d2-4eee-b11b-927a50407403} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3956 1e6bdf58 tab
        5⤵
        
        PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\81ei91hh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
158KB

MD5
ff0aea7043ef18e4e0f08e8c06cea8b9

SHA1
06f1874cae970f395ed485d26b74e735865773af

SHA256
ff5bdbf82dfa74f2478bf9b65434565d43b4a6829291b4964194475c70a4f383

SHA512
e20a8daa426ab16da5e23de8cfd7b11f516c8c68ddbcb5960b0910a745f08f4e930d0421a60b277fa5558d242e759f2ce44ab5b7d7190ea4db35eea5ff39fbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\prefs.js

Filesize
6KB

MD5
287079c0a70882ef8bb416820d8184ad

SHA1
67f9835b12c37eee8e6d0e00dbc303d8f7d9a772

SHA256
cdce500c9efcf5aaa92013a70429d0fb43331c7f28472a7186f8079e510b91b1

SHA512
05048711b5b6c658a6f7c522d33e0260b25f7ba970bd129adba232d68c82ca018fee195022a880972204f5d4566cbb89f2d4063741b0df1aafa8e8bf7d5795b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
945B

MD5
c73bea9e7c19d740e605a392a42838d6

SHA1
433190ac7bf74e308572b8a6a8c690a494af2cac

SHA256
dde345fc672f9f9155113f15ea5c1cb32d2f7506e035b81cede6ec45243db94d

SHA512
1595ecea4abdafb15f645a753ba6bc54413acbdcb46d551310567ff89af4ab8dbac7b82727fde6d93a492305d16b96aa3cc860eb3ec5c4319921820ad80e3167

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3c79a6bf52bcb538e3a037ea048ae653

SHA1
2ceaa5e113739a8a5766c499b929e20f9ff92a48

SHA256
c22d53abf64ce4942e516a1b6ffe1b3f7d24bd8056f2f76305742927ace45664

SHA512
6ea48bf7fe48c6c6232b3cdf70a0718828880ad30577a5ceacf7248db1c51622048cd8e3757035d515c05f76fffe3efdab920a30fe4358c97b9d36e00d93335b

Download Submit