Resubmissions

03/05/2023, 09:20

230503-la2kbaga2t 3

03/05/2023, 09:16

230503-k8lq3seb52 3

Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2023, 09:16

General

  • Target

    0-255.pbf

  • Size

    73KB

  • MD5

    2b5e5142ea2c9322aeb61fd5dbd7c969

  • SHA1

    b58544d7fa81ad0c026f5b5e49ac56ddfa228c02

  • SHA256

    a79452d99a609ea5b21c084672e13fd726c329dfa1d29d07a4288c9d9ad554bc

  • SHA512

    6944dea0008535ec8f7a0c3cb1e14327453d704607a741e4b8dbd9f6e387c39282707f795f9428bef2ff814fac055d5bfc8cb4c43f15a2968c60c4153ab4dc73

  • SSDEEP

    1536:iTNjO5pO66eLfQ/qVezMOJAiCMDfAzCVE:cjSpOko/tMH/

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\0-255.pbf
    1⤵
    • Modifies registry class
    PID:1724
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\0-255.pbf
      2⤵
      PID:2764
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.0.1267816387\1673960511" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfba82d-c52a-4424-be4f-ba355846e2b0} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 1916 28934d16b58 gpu
        3⤵
        PID:4332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.1.1515946477\851095420" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {115deaf5-3e9e-4030-9910-e51a608b1143} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 2316 28926d72b58 socket
        3⤵
        PID:1804
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.2.1374008313\1758615111" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 2968 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3f304e6-dd89-4b0d-93a7-d946769b0e35} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 3008 28933c8e458 tab
        3⤵
        PID:4972
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.3.1707052307\1650087763" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3512 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f29da5e-8781-4495-95af-8737de7682f1} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 3444 28936617e58 tab
        3⤵
        PID:2024
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.4.986564802\1902824023" -childID 3 -isForBrowser -prefsHandle 2348 -prefMapHandle 3900 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {855e4fa7-3a49-4b9e-9187-f4c15773a1e9} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 3912 28938bddc58 tab
        3⤵
        PID:1812
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.7.1329966554\2126944698" -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8bf1091-aa46-48e1-b968-969463dfe47a} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 5392 2893a1b6258 tab
        3⤵
        PID:4828
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.6.1819320679\860605799" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63901590-32fc-44bc-b850-751735dac767} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 5192 28939c7ff58 tab
        3⤵
        PID:1372
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4824.5.638508933\1560436572" -childID 4 -isForBrowser -prefsHandle 5016 -prefMapHandle 5032 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab28477b-5d85-482e-b025-bcab8d7e8c8b} 4824 "\\.\pipe\gecko-crash-server-pipe.4824" 5040 28937779558 tab
        3⤵
        PID:1160

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    156KB
    MD5
    46a1eb4f842256ad911982bc83f76cbe
    SHA1
    e34a56492422528f2ee2753c0fde5c5fbcee865a
    SHA256
    3125f7033c54a0248a6600cbb7a17ba0a53cad5e7dcccb3dfe4be9d97a2c4dbd
    SHA512
    d954d6a461a28004e66db9c9f0f78b23e3d945595875e9ff3a8caccaf8712600bdf40860b80f0273278199a4aac6767a034c4c17de918bfb83ff43b8b2d06917

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    da4a3276ca184d1233d31415b2251a6a
    SHA1
    1ca943cf7e122dc186512725422932ed72feeebb
    SHA256
    a55eb241c76c3b7615000d95e7ea0de1524d61a1e594b8dc7c05902a7cbb3bd5
    SHA512
    1ace862235610f20af65f4f21d0ba6876fc4325e1090ef2a8be5b031ccf4a6f5fb1e404ab92e0f049c0823d8e38eb4d35b41d2324795de78a4e628f1909b6fbd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
    Filesize
    6KB
    MD5
    108b97b1ff7efbdb1aecce96d55ff2e5
    SHA1
    bb72b2e0c3d859fe5e821632307a32df331b55e1
    SHA256
    c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e
    SHA512
    e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    3191b5e4f69ba64b7253304f3c99f48d
    SHA1
    7b972d7d74c0658a08b6af48f87f92b27046bed6
    SHA256
    458333ccfbd9af523d52d4941f234f5b8eaa857e37ecb97053b514d7032f5494
    SHA512
    bd71d676432793bc09fa0f8389d8bad7362dca3b26f4f46162f7d29db589ed6e1dece3347b79190504729b0b399911a4ad2604e53fc9b728f366c5f6ef5aed31