Analysis
-
max time kernel
232s -
max time network
235s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-05-2023 11:10
Errors
General
-
Target
redirect.html
-
Size
6KB
-
MD5
694680408a881a5e0fcf0566cd84beb8
-
SHA1
44c7381994767a7ce19ac500a06a331a0c74717e
-
SHA256
372d7d8bd828ed7faa303ad829256b4c7934559c602437e5ae2658f2719fb287
-
SHA512
0053d7292766c32ce6ce6fd0452941286a65ca5079f71ec5e94eb635da7bd3d92e09602d91e8937ed2a863273a071a64232ab68bfd756dc7bde14ba43024f563
-
SSDEEP
192:dVHLxX7777/77QF7U0LCARd4BYjsIIgwOGXJE:dVr5HYW0FjsIdwOGXi
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\redirect.html1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\redirect.html2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.0.610599899\867296567" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b623b4b-a27f-41df-ad54-92562a3e5b6a} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 1916 239e93eb058 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.1.714254547\1349033459" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14478bed-2619-4cbd-a58b-957f60563478} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 2416 239dc474958 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.2.1096250305\1306258709" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 21711 -prefMapSize 232645 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1cc8b37-0a57-4046-b2fa-380b1a797596} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 3304 239ed1d9e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.3.489588877\567759121" -childID 2 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf5f3e02-4ac0-4542-bbcd-38f6dcbaf40a} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 4104 239ee84c258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.4.1617625113\716554996" -childID 3 -isForBrowser -prefsHandle 4904 -prefMapHandle 4892 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5cbd650-3a37-4d84-913f-4b84e45e6487} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 4628 239ef893858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.5.2092242668\2045196245" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa1e1bf-cc56-4080-b4ec-6786e2a6f3fa} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 4888 239ef893b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4356.6.830102113\1306141544" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 4888 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a293c53-8ee8-465a-8031-d8d5d4e52a4a} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" 5300 239ef894d58 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
-
C:\odt\office2016setup.exe"C:\odt\office2016setup.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\NoEscape.exe"C:\Users\Admin\Desktop\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39a8055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD5f6a697b80e9d1aa1b0f58ffbdbd27ba5
SHA19f85d3faf02b59a95f2a30027df52e708de46359
SHA2562111cd5555c7864024793e4115cf62d3c7ec10502ff4849fbd7ec25efefb4eb0
SHA5126e9d92ea044d6b14e9b1e10663451f0fdf2c927d5c4fdd2dc374768dcba2e521ffa913aa6fcd2ea53721062af5f5b6a9cd64138bc2875402803f347b20550ec4
-
Filesize
6KB
MD5a1fa8163006ef70936565f7f16b592f9
SHA1f0177f33b86fad08b6142a22c4a20cd726774231
SHA2567f0209c6ab505aa68bd419c3fbbe1b759fa21a4191b13f2d2570cb8082f74a1b
SHA512c3ece8a624be39238a865da673a4ca58c089dd289c330721bea8a6cde162f82c804020790d5ba7b24b76983c8f157fa9226109f58b760cb6348da0211c4abf92
-
Filesize
7KB
MD50af885eb342d727f2a1e4713c5a871d4
SHA12e2892b4d3b2579142f599d5fa21d252de65c18a
SHA256791620cf52391438babd55706abb7c40ac59e128737ce59d0aabf47026b13826
SHA5129a9f4cebe4dcc00ca9967e81d3cf45e66e192131ea7a203ccb62f6b55a5f1defdebca64a62818eaf3b4f7b199578b93e01595625a1a80e7b2ed62bd5ac370e88
-
Filesize
6KB
MD5ba64714e894c214683ac3b69dee13b41
SHA1d308d3ab4642f8416b98032b22073c4f5d67790f
SHA25650aa10330fba58779aee5d224a4a8a10512a6fdae8dd2a6575c633a015076146
SHA512e7fe53ac7d6e9a8455eef371589d2472b9c8d07e64a9a3a74f188fbbb2e654cd7a72a37115adc5316cf553438d37f01bd48273f206c0394a0ab96df80bcc549e
-
Filesize
6KB
MD50171151ba5e3d326fc379e16e3756b18
SHA187a9c894b087711eed52e08fb78cb3e4d55ac9e5
SHA2560df4f9b0c33b9619d6d8d034986afdaadc032f7ff6f5edb3d2b00debb80f90f4
SHA512c5e560d5c85284dab3cf4615dfa24b226ccba285578ce5e8f65c79e8bce0b2f2eaf9d80e523b5720d160056f1617186cd1eb7b724e583052e45b14deb22b8821
-
Filesize
6KB
MD5a325590660ca8c2ef1957827f8ba3fc2
SHA1da1d3f8c4fc62bc4dd39e0d93ef735c168758c39
SHA256e295fde4a8a99e122271a0173a75efd0ac2b7c31172912a700ebf1c101ddd243
SHA512b7d68131514881970d31735cd55bd991db2e719cc8ec9339a567742a14431e5116b0d95f981bc120059ac9659301c10022fce1e2acca436fa374820627a73ff6
-
Filesize
6KB
MD583a0b7c072389262c043eaabc1a9a1a3
SHA17af315613f92d43891a4365b1b38a389620cc4ca
SHA2567e4b7a414802f575f26da57ea3f9e07c49d3c0f15a12be9ea47434cb8cb36d5a
SHA512565cdcdaad8eefae321eef21b1b660b9604194848aaf8fddda0361adc124db9aadb50bdb587bd32cb601c07afa037eca57230cf351fbdd5e738fe07d9e7062bd
-
Filesize
7KB
MD5e5104fd0c2f8b821b22f0a19391fb232
SHA199bcf08f2efb9861c6c9712a8473afddcd38d745
SHA25673a6932ee774d0db799793df11a8a99d9baf84a8f5a997eac60a089283170c49
SHA51290bf834926384dcdd2547e78be87895ab1cc2c4199dbf085e3a8c36fb1a9edafe91666575898d8976d0bfac0e13b8402d6eb7b1841d2a87e40aa5861b7492e16
-
Filesize
7KB
MD5d47cded9b90ea0aff29eb54516ade2e7
SHA1be1287a032a5419166f6b5737890c2485b5d4f66
SHA256e87a69a75a111354e2de5d5fdf284d244b846977d4550c76449e20368f839e28
SHA5127171edc590ddfcecc72c3ec982159d534b1b70019e241960d5aa3b28faa6ad806f13b0e66891f366089d71fcda783980f5964b49c4928b4460ea1e41a263db85
-
Filesize
6KB
MD59971fa8fa89a208685d3e30835832fb5
SHA15d9972a3bdbd4c18b3648597d2fd9f9fd6e30300
SHA25613417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084
SHA51202b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f
-
Filesize
181B
MD52d87ba02e79c11351c1d478b06ca9b29
SHA14b0fb1927ca869256e9e2e2d480c3feb8e67e6f1
SHA25616b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524
SHA512be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185
-
Filesize
5KB
MD5dd6bf74e639bdf60e572fc09a42a9dac
SHA1a807b07f3282150ff58af6778498788e69e610ca
SHA256374c646fcfaeb1ecacb040c89806ee729597fb12d4a68968564eff0efbfb5b8a
SHA512e7870b1c7a200fde6da0e1a115dc3ec1c15a48d5ec37f2e2602b9248b21772747855b5f8e948beafcc8250ff6a22ca79d7dca117488835e09af4f8c86e80c1bd
-
Filesize
5KB
MD50bb70b58c87a393823e16a38721b72e9
SHA14a36efae7e6a363c9b5829ee7cc9edc742c7c872
SHA256205f73ecc34396be75b5a9f1a05dcaf2da4e1bd468f7eeed49698bd9a9e0a43c
SHA51230d9c08cc8dc9ac9be30f3733d169d38c5571757061e1b88edd93431e5fb992fb2b08491d19a7eeb781b51f2eccf50535cc06a1b2b11238c4f924008c047e420
-
Filesize
4KB
MD5bebd310f8e53f18e248f495d0c066285
SHA1a04c0dad5c4d3944643c8bff58870087db1dc60c
SHA25645c9ceb69d8860bc5b1c5de06b83b5f133e1d0c954f966f16ae32e657e00da61
SHA512fa49838e9d38d97933b944e8b9c6faa64f55c4084aca72d7041dae14b0767c7abf5044041bd4ae962e995542b181907499c2ca42e73f0a878bd190aa1bf8ac30
-
Filesize
616KB
MD5ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA19431227836440c78f12bfb2cb3247d59f4d4640b
SHA25647f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA5126f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
-
Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4
-
Filesize
1.8MB
-
Filesize
1.8MB