fe01f8605ab26cef2b2af2feebf6e40cede6b99ee69c5194cebf37001def696b

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/04/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsDefenderApplicationGuard.wim
Size

24.3MB
MD5

77fea5dd7c12ebeb6a9d0a3fd0ebdca5
SHA1

391f21c9ea7f57e79f2b938bbac0b0e76c21c72b
SHA256

f090c6a3a7d0ddc7b567856bab227e6a01ef2078be93cf30e0c2b3f9c56b9451
SHA512

aa0d125a253e550e7f5f4ecaea2ef40c21e87fe26c856ad365bb4802f450286de975143c80426708721f627ed41d9ee8226fd47c32b003abfac8dde11183d399
SSDEEP

786432:i9A4sTomjSaYetu1dhM9O1wemMCdHJVIexjPAI:i9AbTrjSanG64VmMCdoelPAI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.wim	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.wim\ = "wim_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\wim_auto_file	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	firefox.exe
Token: SeDebugPrivilege	552	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
552	firefox.exe
552	firefox.exe
552	firefox.exe
552	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
552	firefox.exe
552	firefox.exe
552	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1544	1968	cmd.exe	28
PID 1968 wrote to memory of 1544	1968	cmd.exe	28
PID 1968 wrote to memory of 1544	1968	cmd.exe	28
PID 1544 wrote to memory of 1084	1544	rundll32.exe	29
PID 1544 wrote to memory of 1084	1544	rundll32.exe	29
PID 1544 wrote to memory of 1084	1544	rundll32.exe	29
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 1084 wrote to memory of 552	1084	firefox.exe	31
PID 552 wrote to memory of 1848	552	firefox.exe	32
PID 552 wrote to memory of 1848	552	firefox.exe	32
PID 552 wrote to memory of 1848	552	firefox.exe	32
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33
PID 552 wrote to memory of 1616	552	firefox.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WindowsDefenderApplicationGuard.wim
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\WindowsDefenderApplicationGuard.wim
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\WindowsDefenderApplicationGuard.wim"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\WindowsDefenderApplicationGuard.wim
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.0.798120469\226665301" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5b09272-73df-4319-aaf2-065936928720} 552 "\\.\pipe\gecko-crash-server-pipe.552" 1260 115a7b58 gpu
        5⤵
        
        PID:1848
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.1.1012774033\388874323" -parentBuildID 20221007134813 -prefsHandle 1452 -prefMapHandle 1448 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9ff1bc8-7a11-43f0-a126-7f5d0e5b5880} 552 "\\.\pipe\gecko-crash-server-pipe.552" 1464 d73b58 socket
        5⤵
        
        PID:1616
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.2.2008487643\1013857081" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 1776 -prefsLen 21899 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f62200-2705-4178-8f35-b2a6b635e991} 552 "\\.\pipe\gecko-crash-server-pipe.552" 2032 d65758 tab
        5⤵
        
        PID:1972
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.3.89273622\865798827" -childID 2 -isForBrowser -prefsHandle 2472 -prefMapHandle 2456 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52be0aec-10e7-4671-bcef-2ead5b5f3b46} 552 "\\.\pipe\gecko-crash-server-pipe.552" 2576 1bc3c758 tab
        5⤵
        
        PID:672
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.4.304727299\143730558" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3652 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3137115b-0372-4482-954b-b55063b5f40c} 552 "\\.\pipe\gecko-crash-server-pipe.552" 3736 1b6cb158 tab
        5⤵
        
        PID:2400
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.6.1024505170\1611561989" -childID 5 -isForBrowser -prefsHandle 3728 -prefMapHandle 3472 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a93e3dd2-d576-4853-920e-ca377e945cda} 552 "\\.\pipe\gecko-crash-server-pipe.552" 3832 1ca34b58 tab
        5⤵
        
        PID:2416
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.5.1524922480\1936386172" -childID 4 -isForBrowser -prefsHandle 1064 -prefMapHandle 1060 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8d5fb17-7286-4dbb-ac84-3f39f2ffd2e5} 552 "\\.\pipe\gecko-crash-server-pipe.552" 3748 1c5fcf58 tab
        5⤵
        
        PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
140KB

MD5
55525b7f079dde9a7e1d71dc17d1f88b

SHA1
b27ffa29c97d889aaf57846252c8603753cbe351

SHA256
d42785223eee21c2c7317069fbed33c4c7d73b749d5b886c0823563a1590e25c

SHA512
f660044708055a45b78f9d2d5ce70a593b2e778c280173028e57f7c54aa96da98aed665c055a960caf24cc08efc6f6fbf8e896e438f36a87d2bb27bd56f65399

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\prefs.js

Filesize
6KB

MD5
580aaebcc2926902dc1a82b71a1c70e5

SHA1
844e9d6832ad15e30e1f1e02b2fc1978c3955cf4

SHA256
2f8cfc1df1a4d6d9a5a338f79e811bf5e3584e5a62fec47638de62bde69cd5bd

SHA512
6a3004e1dba88f2d5cf2adda5939379bfdc94fc77557fb28ab116da1056a2982a0d2c3d9f1ad4b9a381917cf801a6edade445f2daa7771945fd30087b90a2086

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
942B

MD5
90dc200283a0e19c03d4ad3e41c02e09

SHA1
7c44bc7eb85072f3bae0c02ba48edc2c402c68e2

SHA256
f4ac1475f5f7aa3a031474ab5f9690fbc141fab416606ed6bd6ff842d369bc74

SHA512
d8a15268c150e20aee5abad19575f164ba2b4fed6f0329558c326935849f4f5e7f0913d932e3285e5f795a632840621edff074b58e436bd9076deb6936514366

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
fa18452616c4715fee518613232f3be2

SHA1
90d5eb2470c929d5dc0619810f8a128186f1eaa3

SHA256
cae34971955c4df7f88d6c5b31c06dba3df8f007df380021c82a4de0d79f0f98

SHA512
aeae30c663a8194dab14fb866f78b7cdb2324b637ebe01fa7ce6848f2ebe151d51da547d28e283f4140c5b9da5d9b3013c2e725f420cfdbc1d96ef6ac149f750

Download Submit