bde1e449eaaab9d9edb719d8eb4c915f57e2576abe4a227bcdfd9f8c1312437a

Resubmissions

16-05-2023 16:19

230516-ts1dzabe96 3

16-05-2023 13:14

230516-qgxl6aaa21 3

16-05-2023 13:08

230516-qdfjgahh9x 3

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-05-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bleu.exe
Size

6.2MB
MD5

8d9304e583f4e09bc979a4329e1725f3
SHA1

03e07b90c49d3121f0cf321fcb702d852584220d
SHA256

bde1e449eaaab9d9edb719d8eb4c915f57e2576abe4a227bcdfd9f8c1312437a
SHA512

a03b496d5d43221051a52b960188a35cce1b6bb38535ceff9ff5ad414fd3a42c35cbcb23397c693608379e1e8b11c1a89835f5524b04716ee4760b5b171f1550
SSDEEP

196608:c1iUw7KYRI8FIIIWNSiU6+bQiyNzDbbB:c1i5HFIIp9Qh+zF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Bleu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Bleu.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 5900000001000000160000005200530041002f0053004800410032003500360000001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da65c00000001000000040000008001000019000000010000001000000070d4f0bec2078234214bd651643b02400f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be04000000010000001000000029f1c1b26d92e893b6e6852ab708cce11400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba9723795030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a532000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Bleu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Bleu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bleu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bleu.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Bleu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Bleu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	Bleu.exe
Token: SeDebugPrivilege	4532	firefox.exe
Token: SeDebugPrivilege	4532	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4532	firefox.exe
4532	firefox.exe
4532	firefox.exe
4532	firefox.exe
4116	Bleu.exe
4116	Bleu.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4532	firefox.exe
4532	firefox.exe
4532	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4116	Bleu.exe
4116	Bleu.exe
4532	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4696 wrote to memory of 4532	4696	firefox.exe	68
PID 4532 wrote to memory of 4724	4532	firefox.exe	69
PID 4532 wrote to memory of 4724	4532	firefox.exe	69
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 5060	4532	firefox.exe	70
PID 4532 wrote to memory of 3916	4532	firefox.exe	71
PID 4532 wrote to memory of 3916	4532	firefox.exe	71
PID 4532 wrote to memory of 3916	4532	firefox.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bleu.exe
"C:\Users\Admin\AppData\Local\Temp\Bleu.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.0.627443117\1949731829" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1656 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd198ad8-3ec4-4044-93aa-5727fac5cf24} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 1748 25b0aa16b58 gpu
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.1.10080228\623446801" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ff0d1d8-9a7b-4b3e-955d-d9b93d8375e5} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 2104 25b0980e258 socket
    3⤵
    PID:5060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.2.180599844\38460615" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1354b47f-48b8-473f-b3e2-6e82a589b456} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3096 25b0d8f1f58 tab
    3⤵
    PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.3.688761158\7425314" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d100a3-fed2-453c-ab1f-2b3c99724000} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 3564 25b0e967e58 tab
    3⤵
    PID:844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.4.187779660\1824667770" -childID 3 -isForBrowser -prefsHandle 4308 -prefMapHandle 4320 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea33beca-8cc4-4855-9a8b-35149348814d} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 4272 25b0fb8c558 tab
    3⤵
    PID:656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.5.2092394621\849344944" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4844 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8576c1-350e-4475-a2ff-5fc1604230e7} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 4912 25b0aa16258 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.7.916538688\99402125" -childID 6 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79a4c0d4-d34c-467f-b6c1-72508bc6e0ca} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 5240 25b76c2f958 tab
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.6.640448087\373358195" -childID 5 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dddfad1-f8b5-49b8-92d1-8147bbe6b3e0} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 4932 25b105d2558 tab
    3⤵
    PID:4208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4532.8.1490414504\1308156685" -childID 7 -isForBrowser -prefsHandle 2812 -prefMapHandle 2816 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a924d95b-69fc-487e-aaca-dc824e7db71d} 4532 "\\.\pipe\gecko-crash-server-pipe.4532" 5584 25b0dde4658 tab
    3⤵
    PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp

Filesize
146KB

MD5
8c0b9f5028a4a8ede21c48a990d71d92

SHA1
544cddde12d41635d3199b04e2887d848813abf3

SHA256
1fc0fefba081bc3a393ec0c01e440c533418536815a476a5c41f33d408db4cd8

SHA512
e3526116d9a11b084c6068b8b0c42f9ae44c5411dc2ded762219232d749b266f33b7e73ce4ad6b9153804da1a4b260372ccd6e112134f05165fcd6b05bac4019

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js

Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
41ff4038909f130ca00e649e61f2de2e

SHA1
a1efb026bcf9ed0ee18196884de3dc7b23a0478b

SHA256
a0d26417b9e8fb26565e14bcceaf13f06e215ceb3c6390c305ef408b1f22c54c

SHA512
5e8a3b973cd66fc9750667bc70f77ff1ea2811a512cb4732bd554ae7c3d104c00c624216b587c69122a273056f2b2e0b6ad7dccdbb0fb5a6bf94e99d092d54c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a2614477e6b615ebdc4b27dfde625c77

SHA1
ccea312f10ea46061a8911a9991dfa9e92462741

SHA256
e07d5252d04eac13d1cc93f9d905cbee42f0ca9c4349d97ef788c59c9153d912

SHA512
5d09e51600dfd5319f410e3e20a6a49eb5e75358592b67d15836ecac0c51a83f8fc5299cb46eba76bccae37df048de2965daf9754ccdfb9e3a54a7428c209517

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
250f2d051eace5dc531f87e49b181545

SHA1
148f6044b7f2d6cb873278ebebaf9a2cd199f547

SHA256
55b2991605678f848733d69a6bfacf5ce8d3668311b0393bad567078a19495df

SHA512
d3a0be475e31eefc08b81241e880417d62325b338a596159defab09071095c60a3bdc89ddc8574eb75c5ee51152c69df42ad7f2c7487d8d59644df5b23f67d42

Download Submit
memory/4116-124-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-126-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-127-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-130-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-131-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-132-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-133-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-125-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/4116-120-0x0000000000CD0000-0x0000000001310000-memory.dmp

Filesize
6.2MB

Download
memory/4116-123-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/4116-122-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/4116-121-0x00000000061C0000-0x00000000066BE000-memory.dmp

Filesize
5.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads