Overview

overview

1

Static

static

1

URLScan

urlscan

1

http://liveupdate.sy...

windows10-2004-x64

1

Analysis

  • max time kernel
    210s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2023, 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://liveupdate.symantec.com/sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri.zip

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://liveupdate.symantec.com/sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4936
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3032
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri.zip\liveupdt.grd"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Temp1_sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri.zip\liveupdt.grd
          3⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.0.1611627521\1563369211" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7394e029-881a-4d2b-9903-cab7cc220805} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 1940 286e79fae58 gpu
            4⤵
              PID:2724
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.1.1286825354\1474473309" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c43047-374d-44d9-a6f7-ce6ecde4f460} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 2356 286daa77b58 socket
              4⤵
                PID:2756
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.2.1855471617\827777673" -childID 1 -isForBrowser -prefsHandle 3344 -prefMapHandle 3352 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250d8020-22af-4d5a-aa48-0e6061ae99bb} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 3312 286eb636e58 tab
                4⤵
                  PID:5080
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.3.1763181004\287807165" -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9df2dc6-c634-44e1-9b68-e7c7a1782483} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 3844 286ebc21d58 tab
                  4⤵
                    PID:2036
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.4.195255739\1461422273" -childID 3 -isForBrowser -prefsHandle 4572 -prefMapHandle 4704 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a4eed9a-5777-4c92-9498-796877c683a6} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 4716 286daa61458 tab
                    4⤵
                      PID:3056
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.5.1164265103\1479659816" -childID 4 -isForBrowser -prefsHandle 4924 -prefMapHandle 4680 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {188ff5d0-87e6-4a13-a996-51d9d82ae87b} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 4836 286ed314a58 tab
                      4⤵
                        PID:4764
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4848.6.2142344310\1128569460" -childID 5 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb9023b9-ec6c-4588-bf34-f1f57afc5bb2} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" 4888 286ee4a8558 tab
                        4⤵
                          PID:1452

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri[1].zip
                    Filesize

                    3KB

                    MD5

                    978963239c23d5c5fafb05dccf81dcfd

                    SHA1

                    d64ecd278dd0fdb721fff7f8652e468a0bd36b27

                    SHA256

                    f153cd327980c0b18f9d6dc6cc9ab15464d0674c314fd4905b1520d474953ff4

                    SHA512

                    f8a63bc3c77ba07f7f06f76b73d694371dbd8a227fdb9c86b67ab94fb36aba75904b86e8d4d4b7032c79b01131e57af056a5877f98c158c3ecc275e218446789

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\sepc$20iron$20settings$2014.3$20ru3_microdefsb.curdefs_symalllanguages_livetri.zip.s33n89l.partial
                    Filesize

                    3KB

                    MD5

                    978963239c23d5c5fafb05dccf81dcfd

                    SHA1

                    d64ecd278dd0fdb721fff7f8652e468a0bd36b27

                    SHA256

                    f153cd327980c0b18f9d6dc6cc9ab15464d0674c314fd4905b1520d474953ff4

                    SHA512

                    f8a63bc3c77ba07f7f06f76b73d694371dbd8a227fdb9c86b67ab94fb36aba75904b86e8d4d4b7032c79b01131e57af056a5877f98c158c3ecc275e218446789

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    4ebb100f56f97d0283e63ec5a8660186

                    SHA1

                    0f20d9beb4b31c975f15f312fa58f4792c0a28b6

                    SHA256

                    044c2e2f42d1208c96895f7ea92f6865002b003f1bfcb7d5ef9982a0cef64a0b

                    SHA512

                    b75fb719aab24c69d39f622c6f9bee1043513c7b18f55da2b9dab1fa7fe1fcab910df9f5210f4c067507ec61a8a432bd46b86c0259708c41d05095119648aa7d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    c38cb18a7648baa2f9c6149e414a4241

                    SHA1

                    1d3df190fc2d9c559a219b6c500a3cec65033355

                    SHA256

                    948688c91fdb6250703ca2e01fab447df5ca65404662d122af9973d3ec837b1b

                    SHA512

                    100aad8d7e6f8aa52cb81a8f96465a04cf620e71b59cb27d4e1d8e22feb856b8906e8c6e1269d84f6c4475630dd38854216cb0015d4b27a210286c405e50aac2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    7eb761b585a567bf6618a62c2cd18663

                    SHA1

                    3ff290e000ecce4d42feaa8a4a1f0cfd5b440a8e

                    SHA256

                    3590edc81d1b2e232e815a1661830b8a6c2a163565669815df17c90ee36ecc6c

                    SHA512

                    53f404e5aef685297088f6fb1380c70c0daa59d643fa1ef1333b97649cd1e9c2499d8b5fa663487f52aae2ec3308429f99e19115034599101a2ca53395ae008e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    0689a806a1990a3168edea238119ae69

                    SHA1

                    84d13516618d0cfbd975949a084f1972ddf1242f

                    SHA256

                    7ed62481bf40829f5273206b75865699ba423a9bfe53636f711fe8df6e822f20

                    SHA512

                    02ca36717cc39782ae30f7d92f453f39caf39e7544136ede09b3d717f404ce44fc429f8a625018540ed221a431158ff0b92917cda511b703ec32a8b12b4cb481

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    2b5ff9d62888a5c0b4dc37a7cd7b326c

                    SHA1

                    42bf7a98e1ffb628f516444083347ee1668c7751

                    SHA256

                    353c0bf144ca9ec815202bf50d7e6eb8db9da86eb93a2f95b4cc5658dba646da

                    SHA512

                    988accfeaf71cab72ed4cf44695c44ee6d1c400d719bd045e9209c262ffa9a7ce8992b99406a63e5fe2fe5da62c942291428bfec1d5fe91f9cf0ad7393a78cdc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    2be0d1e5549e5ac393a2aa0091a1fe4f

                    SHA1

                    b16a30ebe9457e1d184c93cac08dc128dd3504f8

                    SHA256

                    a44f4dcf831ccf1a00ecd9c59ad6ca49923bf3c79d961a7964820336e56855bf

                    SHA512

                    b323a2d5367435bcdee4b498e0db660856ea9f809f7cfe48776ee53cf50e347ce495d6d9c8ecbee413d8654d750f5f6d71af46df3b9ad6509a4abfda9592d1aa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    1984b45f201f1fd79d2154406648433b

                    SHA1

                    42f082dc6d4d43333688690bf4dfa7c7f8b618ab

                    SHA256

                    000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

                    SHA512

                    e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    4892e847751c3c44f3f424df3325c9ae

                    SHA1

                    335a31f849cd734b4924e7351c982faa707fe63e

                    SHA256

                    746bf5959c95151e5ab326f5ff4a7642095a00668e89f59bccffcbea91dedac8

                    SHA512

                    47fe06d73fd3a2cfe6d143e40dd0c0225c8a034ca2176ec99f3b0ec1744968d7390a810b15e209c5435af322458aa9c1fec1cd8e609fe5a86dd8c7f66818ba12

                    Download Submit