Analysis Overview
SHA256
0bdce4d960e8b9537fbdcb4a70838be86163f355ba9f4344fd4982536924f27e
Threat Level: Known bad
The file 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip was found to be: Known bad.
The family verdict comes from the static analysis (static1, signature "Blackmatter family"). In the behavioral detonation (behavioral1) the archive is only opened by Explorer.exe and no process is launched from the sample itself; every behavioral signature listed below is raised by taskmgr.exe or firefox.exe, so the runtime data on this page does not describe the Blackmatter payload's own behavior.
Malicious Activity Summary
Blackmatter family
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-12 18:24
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-12 18:24
Reported
2023-04-12 18:25
Platform
win10v2004-20230220-en
Max time kernel
73s
Max time network
71s
Command Line
Signatures
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
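The two registry signature tables above (SCSI disk enumeration and CentralProcessor values) are the lookups a VM-aware sample typically makes, but the Process column matters as much as the key: here every row belongs to taskmgr.exe or firefox.exe. The following script is an added example, not part of this report or of the sandbox vendor's tooling. It parses rows copied from both tables, groups fingerprint-style value reads by process, extracts the SCSI vendor string, and reports whether any event is attributable to the submitted sample. The list of fingerprint values and hypervisor vendor markers is this example's own assumption.

```python
"""Attribute sandbox registry events to processes and flag VM-fingerprinting lookups.

Added example, not part of the sandbox report. The rows below are copied from the
report's 'Checks SCSI registry key(s)' and 'Checks processor information in
registry' tables; FINGERPRINT_VALUES and HYPERVISOR_MARKERS are assumptions.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the two registry signature tables.
REGISTRY_EVENTS = r"""
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
"""

# Registry values commonly read to fingerprint a VM or sandbox (assumption of this example).
FINGERPRINT_VALUES = {"FriendlyName", "VendorIdentifier", "ProcessorNameString", "Identifier"}

# Vendor substrings that betray a hypervisor in a SCSI enum path (assumption of this example).
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def parse_events(text):
    """Turn '| desc | key | process | target |' rows into dicts; skip malformed rows."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        desc, key, proc, _target = cells
        events.append({"desc": desc, "key": key, "process": proc.lower()})
    return events


def scsi_vendor(key):
    """Extract the Ven_ token from an Enum\\SCSI device instance path, or None."""
    m = re.search(r"\\Enum\\SCSI\\[^\\]*Ven_([^&\\]+)", key)
    return m.group(1) if m else None


def triage(events, sample_name):
    """Group fingerprint-style reads by process image and count events from the sample."""
    by_process = defaultdict(list)
    vendors = set()
    sample_events = 0
    for ev in events:
        if ev["process"].endswith("\\" + sample_name.lower()):
            sample_events += 1
        value = ev["key"].rsplit("\\", 1)[-1]
        if value in FINGERPRINT_VALUES:
            by_process[ev["process"].rsplit("\\", 1)[-1]].append(value)
        vendor = scsi_vendor(ev["key"])
        if vendor:
            vendors.add(vendor)
    hypervisor_hit = any(m in v.upper() for v in vendors for m in HYPERVISOR_MARKERS)
    return {
        "fingerprint_queries": {p: sorted(vals) for p, vals in by_process.items()},
        "scsi_vendors": sorted(vendors),
        "hypervisor_marker_seen": hypervisor_hit,
        "events_from_sample": sample_events,
    }


if __name__ == "__main__":
    sample = "9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip"
    print(triage(parse_events(REGISTRY_EVENTS), sample))
```

Run against the rows above, the output attributes two fingerprint reads to taskmgr.exe and one to firefox.exe, zero to the sample, and shows the disk vendor string "DADY", which matches none of the usual hypervisor markers; whether that string is a sandbox-side customisation is not something this report states.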
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.0.2119453313\1361903585" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a1b16bc-3aaa-4a0d-b124-e60704ccc80b} 876 "\\.\pipe\gecko-crash-server-pipe.876" 1924 16749fe9258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.1.1793083868\936238061" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7794da8-cb02-4728-bbe0-e603bc6d8f7c} 876 "\\.\pipe\gecko-crash-server-pipe.876" 2316 1673cf71f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.2.791102617\186700369" -childID 1 -isForBrowser -prefsHandle 1656 -prefMapHandle 3004 -prefsLen 20996 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a6e614e-051d-4736-ac6c-29e1a4d53a1b} 876 "\\.\pipe\gecko-crash-server-pipe.876" 2988 1674dcdec58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.3.619577756\305326583" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3432 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2a4d253-9982-41c6-a190-5d042463946e} 876 "\\.\pipe\gecko-crash-server-pipe.876" 3528 1673cf6fb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.4.1217037145\830390275" -childID 3 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {436fa001-8411-4d5e-a17a-856c6cdef26b} 876 "\\.\pipe\gecko-crash-server-pipe.876" 3948 1673cf5be58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.7.240323050\496082457" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5228 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce49ef50-f01a-4454-ac5f-f2a4ab547979} 876 "\\.\pipe\gecko-crash-server-pipe.876" 5336 16750197858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.6.442823837\1451932613" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52bd5514-346f-4794-99db-1026b43a4811} 876 "\\.\pipe\gecko-crash-server-pipe.876" 5144 16750199958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="876.5.1169436901\1762566143" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dd6102a-d445-4903-8597-521bd12079af} 876 "\\.\pipe\gecko-crash-server-pipe.876" 4964 16750199358 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\SubmitApprove.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
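Two things in the process list deserve an explicit check rather than a glance: whether the submitted archive was ever executed (Explorer.exe only receives it as an /idlist argument), and whether any living-off-the-land binary ran with user-controlled input (mshta.exe is started with an .hta from the Downloads folder; rundll32.exe loads shell32.dll from System32). The script below is an added example, not part of this report. It pairs the image/command-line rows copied from the Processes section, answers both questions, and returns the findings as data. The LOLBin rules and the user-writable directory list are this example's own assumptions.

```python
"""Process-list triage for a sandbox report: did the sample run, and which
living-off-the-land binaries appeared with user-controlled arguments?

Added example, not part of the report. PROCESS_LIST is copied from the Processes
section (image path on one line, command line on the next); the rules in
triage() and USER_WRITABLE are this example's own assumptions.
"""
import re

SAMPLE_NAME = "9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip"

# Constructed input: a subset of the Processes section, in its original two-line layout.
PROCESS_LIST = r"""
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\SubmitApprove.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
"""

# Directories a standard user can write to (assumption of this example).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_processes(text):
    """Pair each image path line with the command line that follows it."""
    lines = text.strip().splitlines()
    return [{"image": lines[i], "cmdline": lines[i + 1]} for i in range(0, len(lines) - 1, 2)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs, sample_name):
    """Report sample execution, which images merely reference it, and LOLBin findings."""
    executed = any(basename(p["image"]) == sample_name.lower() for p in procs)
    referenced_by = sorted({basename(p["image"]) for p in procs
                            if sample_name.lower() in p["cmdline"].lower()})
    findings = []
    for p in procs:
        img = basename(p["image"])
        if img == "mshta.exe":
            # An .hta launched from a user-writable folder is script execution under a signed host.
            m = re.search(r'"?([A-Za-z]:\\[^"]*?\.hta)"?', p["cmdline"], re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append({"rule": "mshta_hta_from_user_dir", "path": m.group(1)})
        elif img == "rundll32.exe":
            # Only flag rundll32 when the DLL it loads lives outside the Windows system dirs.
            m = re.search(r'rundll32\.exe\s+"?([^",]+)"?\s*,', p["cmdline"], re.I)
            dll = m.group(1) if m else ""
            if dll and not dll.lower().startswith(SYSTEM_DIRS):
                findings.append({"rule": "rundll32_dll_outside_system_dirs", "path": dll})
    return {"sample_executed": executed, "sample_referenced_by": referenced_by, "findings": findings}


if __name__ == "__main__":
    print(triage(parse_processes(PROCESS_LIST), SAMPLE_NAME))
```

On the rows above the result is: sample not executed, referenced only by explorer.exe, one finding for mshta.exe running C:\Users\Admin\Downloads\SubmitApprove.hta, and no finding for rundll32.exe because shell32.dll is loaded from System32. The report does not say where SubmitApprove.hta came from, so the finding is a lead to pull the file, not a verdict.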
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| FR | 2.21.35.121:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 121.35.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FR | 40.79.141.152:443 | | tcp |
| US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49767 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| N/A | 127.0.0.1:49774 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 44.241.53.229:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.9.241.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.53.241.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.65.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | 37.158.120.34.in-addr.arpa | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
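Almost all of the Network table is Firefox and MSN start-page traffic plus reverse (in-addr.arpa) lookups the sandbox itself makes; the rows worth an analyst's time are the TCP connections with no resolved name next to them. The script below is an added example, not part of this report. It parses rows copied from the table, separates DNS queries from connections, drops loopback and PTR noise, deduplicates repeated connections, and returns the destinations that no resolved name explains. It also accepts the shifted layout some rows have (protocol in the Domain column). The benign-suffix list is this example's own assumption, and nothing here asserts that the unattributed IPs are malicious.

```python
"""Triage the Network table of a sandbox report.

Added example, not part of the report. NETWORK_ROWS is copied from the table
above (a representative subset); NOISE_SUFFIXES is an assumption of this example.
"""
from collections import Counter

# Constructed input: rows from the Network table. One row is kept in the shifted
# form (proto in the Domain column) that the original table used for IP-only rows.
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | assets.msn.com | udp |
| FR | 2.21.35.121:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 121.35.21.2.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| FR | 40.79.141.152:443 | | tcp |
| N/A | 127.0.0.1:49767 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
"""

# Browser/OS telemetry domains expected from a clean Win10 + Firefox image (assumption).
NOISE_SUFFIXES = ("mozilla.com", "mozilla.net", "mozaws.net", "mozgcp.net", "msn.com")


def parse_rows(text):
    """Parse '| country | dest | domain | proto |' rows, tolerating the shifted layout."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain  # proto landed in the Domain column
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(domain):
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(rows):
    """Split DNS from connections; return resolved names, PTR count, and unexplained destinations."""
    dns_names, ptr_lookups = set(), 0
    conns = Counter()
    unattributed = set()
    for r in rows:
        host, _, port = r["dest"].rpartition(":")
        if host.startswith("127."):
            continue  # sandbox-local loopback sockets
        if r["proto"] == "udp" and port == "53":
            if r["domain"].endswith(".in-addr.arpa"):
                ptr_lookups += 1  # reverse lookups, usually the sandbox resolving peers
            else:
                dns_names.add(r["domain"])
            continue
        conns[(r["dest"], r["domain"])] += 1
        if not r["domain"]:
            unattributed.add(r["dest"])
    review_domains = sorted({d for (_dest, d) in conns if d and not is_noise(d)})
    return {
        "dns_names": sorted(dns_names),
        "ptr_lookups": ptr_lookups,
        "connections": {f"{dest} {dom}".strip(): n for (dest, dom), n in conns.items()},
        "unattributed": sorted(unattributed),
        "review_domains": review_domains,
    }


if __name__ == "__main__":
    print(triage(parse_rows(NETWORK_ROWS)))
```

For the subset above, every named destination falls under a Mozilla or MSN suffix, the repeated tracking-protection connections collapse to one entry with a count, and the review list reduces to the IP-only destinations 209.197.3.8:80 and 40.79.141.152:443 (the full table adds 173.223.113.164:443). Those should be checked against passive DNS or the sandbox's PCAP before being treated as indicators, since the report gives no name for them.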
Files
memory/2188-133-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-134-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-135-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-139-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-140-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-141-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-142-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-143-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-145-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
memory/2188-144-0x000001D4825C0000-0x000001D4825C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
| MD5 | 9971fa8fa89a208685d3e30835832fb5 |
| SHA1 | 5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300 |
| SHA256 | 13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084 |
| SHA512 | 02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | ea9d38814a8dc80c90eafd28376b221b |
| SHA1 | ab2615ccc72da3591fb666df4b3eb0aa21022a9d |
| SHA256 | 58a8d345ba6518189eb6260ec5e320f8b1b6404219dc06f1c81ffe094e8571a7 |
| SHA512 | cf00a180f28c0c18f7346c14ab7c9973eb07f1352ef33ecbaaf8bf7b509bdbd087798b052d7d51a9211d8aa8c203181b2bcba180bac9cd227e8d336264ce46e6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | a6b4681170bcf8bd2794a0b6c70d23bf |
| SHA1 | 3b03514eddd95b8ee43f15e9fa80c0df894a73f2 |
| SHA256 | 8c59d423e21f2f4ac28cc9909b5ed4f762f7b22dafa0785244461eb1bff3da27 |
| SHA512 | 85061ccaff7f2981cae921c428c97ebea59a55b911b96d1055216e4dc1bbeb7bc1268e610ba1a14bf26e3b12e71c019618abcd62ea542c220472e27287bda693 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | e498b053bcd005a2fcfbabd2af4917c2 |
| SHA1 | c6e00c72551a0c3d9218d3d34a707490c39da461 |
| SHA256 | 44efe4a41204964b2bbc5f7ae7318e39069165076a6a1d7c944cc2d3cdf5017d |
| SHA512 | 36009d5d141b261194ef5fa93d5e13b6673a7e83342b1e7554f3c6cc020cae9525d14d9513b5d3da07871e23322380745236588c1492f91cb2aa523d10d397e6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore.jsonlz4
| MD5 | 6f4b7183d5f3ef2f307b7288296573f8 |
| SHA1 | c66c58398faad35c1f4a7763475f7a5c024ac5e3 |
| SHA256 | fde9837f26b9291ab68137a8a0a80bae58b67a8b9265efdf8bfebba87c052593 |
| SHA512 | 207b62a2b6ab062e2d0d9bd3432a1682781aec3f4de3b328416ed74fdaf69cab3e5039485a4665c56b4c06ff95c1acbb146c879a3f54dd6ae814b299c8cc151b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionCheckpoints.json.tmp
| MD5 | e6c20f53d6714067f2b49d0e9ba8030e |
| SHA1 | f516dc1084cdd8302b3e7f7167b905e603b6f04f |
| SHA256 | 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092 |
| SHA512 | 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
| MD5 | e1dd5ca975fafb48c0a4181b48cb24ce |
| SHA1 | 30692ee61b1572f28b9986fbbbb83ace987a66cb |
| SHA256 | eaba474357d4cba7aca6399ef55c399d3b184535c0640657c0d2ae9497682247 |
| SHA512 | fbf51ed1f618a97e94beec1e966e6ae562a47a797bd891659edd493a0d2a6c6eb9e052dc485162b2c700908d47b2cb0be56d0d51b329d978f85819f289310f35 |