Resubmissions

09-05-2023 21:39

230509-1h2mlseb67 6

09-05-2023 21:36

230509-1gd5xsgb31 3

Analysis

  • max time kernel
    132s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2023 21:36

General

  • Target

    persisted_first_party_sets.json

  • Size

    2B

  • MD5

    99914b932bd37a50b983c5e7c90ae93b

  • SHA1

    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

  • SHA256

    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

  • SHA512

    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
    1⤵
    • Modifies registry class
    PID:4896
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.0.1857144849\529953306" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a2eecc7-3e89-4d4e-807e-77dcf05c7259} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 1932 20a449d9e58 gpu
          4⤵
          PID:2612
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.1.476933068\1181692760" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e11f3e-97d6-4a11-a076-c0e3a22bc81c} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 2356 20a37a6f858 socket
            4⤵
            • Checks processor information in registry
            PID:868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.2.2015096266\1963663312" -childID 1 -isForBrowser -prefsHandle 3352 -prefMapHandle 3180 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d16bc47c-2c4c-40d4-812a-239331811b19} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 3340 20a486f9658 tab
            4⤵
            PID:4084
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.3.1865252948\1978945024" -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b100d4-8f9f-4778-b083-b81f83c2aca9} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 3972 20a37a62b58 tab
              4⤵
              PID:2228
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.4.2142572575\1438648166" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27be775a-da58-416f-964d-2a77423c4204} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4616 20a4a9d1b58 tab
                4⤵
                PID:4628
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.6.1800562048\1275094760" -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59f3a32b-e95e-437e-b2f6-0886aa06aa60} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 5140 20a4b1db258 tab
                  4⤵
                  PID:1920
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1632.5.172621220\2026529923" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98286fca-b58d-4af6-b4dd-c67f5e997196} 1632 "\\.\pipe\gecko-crash-server-pipe.1632" 4972 20a4b1baa58 tab
                    4⤵
                    PID:3596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    149KB
    MD5
    184a218f4945dd579aa0efb360934b20
    SHA1
    865ac5656545032d7bd06258d762f1f0cf5fcfad
    SHA256
    5f3fb9cef47f394e296c9e47a67eca81573493310ce77d15d48ffc89fa702a8c
    SHA512
    ea2f23b7115fb21be2a6ae50eee14627b2f0c804e50054756a1e0dd2014c652eedfd14d866c73cbba95fa2dc792272dd864453ff5091afbc0a4c33cd6c471248

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    ed6fbd87b8e577e90f5a26006bae5ec3
    SHA1
    8530dab842f8865a82f21b4fe73af2a52b913d0f
    SHA256
    04ded608f8713a0ef9dca0cad1b2b7fb5ac35be33439ab944125a6bffead67ee
    SHA512
    b7d8eac1a88489c265412d61a5a3bf99d89f1b1c5a9a8b306805149bb153116e9571dbceb03fd66af01e70730116868616530246f55fd6fa85eb3dcc7d216916

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    9f00e4b6397fd570db3e70a9e1ffcf91
    SHA1
    0da567a8cda2d1c8f315fbdc1ff2da5f72ec317b
    SHA256
    4897bc16a1ae0bf1135ab61d743a591f1c38e56699207be48124e5076382a1d9
    SHA512
    0fa71f47387daa9e3d1a97044aa5e40ac13de8d9e580825ac1f59e22dbd11ad57aefd67320fe5bb2f5ebac0a7a7aef0f196ea8bb398f4245cfe5ecc859b25570

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize
    7KB
    MD5
    0d6559f58f6351ad0318051f51088c2f
    SHA1
    fbe0eb4d7cebc49b6e1dbee18df203107e995f0f
    SHA256
    e94c4210ccf31e49566649519816e0402d8880b3b11a9f4fecfdb3baa6708609
    SHA512
    8181799acb86707fb3163de1ac2140f45d346525f3a6b830b9666816d6c971361e075b83bcccb8ad88de2884d54fb53cf53cbbcd0ecc341502396f7db0d425e9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
    Filesize
    6KB
    MD5
    2ca68eec3c1fdbaa1ae996ee759fc3c8
    SHA1
    54363409a7393613ff528d0488d1cc16796ef2d8
    SHA256
    4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a
    SHA512
    e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp
    Filesize
    212B
    MD5
    29ce37dc02c78bbe2e5284d350fae004
    SHA1
    bab97d5908ea6592aef6b46cee1ded6f34693fa2
    SHA256
    1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693
    SHA512
    53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    7a1bfdbac79d4187d8c7ccfdca00fdb2
    SHA1
    68b15328f795c893cf8b792ab1f91d32697ceee6
    SHA256
    6653da42faceea464741dc09c533678c5accc8c347be941b26806fd607263373
    SHA512
    3d322a2128368a6d4a6354d4abd947086e435bed0fbbbb22ece29e8a705c1a6589e47a314e8f9fc93f71a6f3e68b4eaa054aa0c628a2b0c0582ca9ced5061bd6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore.jsonlz4
    Filesize
    940B
    MD5
    6dcf3e7ca2078c6c2ec47689d91f5632
    SHA1
    702bc9429fc9ce175dc2c814e3e9cd862ee2e4f5
    SHA256
    46044c18654286647be53b7ad835d58cb5e3c0492307841c50583c13f622bdc0
    SHA512
    9286b1d8597c2072e28cfd2c61632975e08f22dc5b53a6932ee56dac3dd3847ba11661fe300944c72d47678cbb1f2d290161d260583efe3192a8a30fc12d8f5d