ef9ac0366e8037b509368403552760a5c715ac0a7fea925eb425b0dc3ccf7334

Analysis

max time kernel
132s
max time network
161s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Policy License Manager.exe
Size

11.9MB
MD5

787aec8ebd1491635f6316fe17121b59
SHA1

89cba7d346168d93b223f986858e632a15cd6884
SHA256

ef9ac0366e8037b509368403552760a5c715ac0a7fea925eb425b0dc3ccf7334
SHA512

e21ff3457bdf508c8377a09fbee64fa20da2027f80bc30c4f43494d3a84ed297e9d3a8a8c6c35ef035564271dd64249ad3c97dcb38844a4c8d1d8077a13adb65
SSDEEP

196608:XLzI5AG7LBMGSHg8/ppR8LLgllNp8I/2Fxh7xmIvfc48MYrZX8kx90SAZACwKMhj:7EAULBMjHV/pBLP8IebhHf78bZRx9tAM

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3736	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
628	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3732	firefox.exe
Token: SeDebugPrivilege	3732	firefox.exe
Token: SeShutdownPrivilege	2240	svchost.exe
Token: SeCreatePagefilePrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeDebugPrivilege	3992	taskmgr.exe
Token: SeSystemProfilePrivilege	3992	taskmgr.exe
Token: SeCreateGlobalPrivilege	3992	taskmgr.exe
Token: 33	3992	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3992	taskmgr.exe
Token: SeDebugPrivilege	3732	firefox.exe
Token: SeDebugPrivilege	3732	firefox.exe
Token: SeDebugPrivilege	3732	firefox.exe
Token: SeDebugPrivilege	3736	taskkill.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe
3732	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4960 wrote to memory of 3732	4960	firefox.exe	69
PID 4268 wrote to memory of 944	4268	Windows Policy License Manager.exe	70
PID 4268 wrote to memory of 944	4268	Windows Policy License Manager.exe	70
PID 3732 wrote to memory of 3456	3732	firefox.exe	71
PID 3732 wrote to memory of 3456	3732	firefox.exe	71
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 3688	3732	firefox.exe	72
PID 3732 wrote to memory of 4400	3732	firefox.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows Policy License Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Policy License Manager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E3F.tmp\6E40.tmp\6E51.bat "C:\Users\Admin\AppData\Local\Temp\Windows Policy License Manager.exe""
  2⤵
  PID:944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.0.2045296819\221501189" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bd277c3-8762-4fb9-9ee6-a289d15456b6} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 1732 1a2f7e2c558 gpu
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.1.1236663608\636794768" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17e2b76-cab2-43e7-81fe-2a9758b58757} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 2072 1a2f6138b58 socket
    3⤵
    PID:3688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.2.2075038216\1734020341" -childID 1 -isForBrowser -prefsHandle 2668 -prefMapHandle 2716 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb483597-c3ad-4d2a-9ab5-c5e24dda3489} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 2908 1a2fac4bf58 tab
    3⤵
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.3.723735721\990622713" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3480 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62f07d8c-0974-4fe8-8bea-0bb1398f28d3} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 3556 1a2fade6f58 tab
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.4.1599578864\995279207" -childID 3 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3da207df-90cb-4f74-8b90-c4dd6a8e91c5} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4160 1a2fc96dc58 tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.5.266355463\855358320" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55315378-4df1-4846-a90c-c161c654ad06} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4788 1a2fca8c258 tab
    3⤵
    PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.6.402218879\1554156945" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4972 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e3bcabb-e099-49cd-973f-29b9b63d9b9e} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4952 1a2fdca7558 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.7.1452944563\180761092" -childID 6 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2d84338-f818-45dc-a17f-51a6c49414da} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 5108 1a2fdcaa858 tab
    3⤵
    PID:96
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.8.871452250\148082067" -childID 7 -isForBrowser -prefsHandle 2564 -prefMapHandle 3980 -prefsLen 26622 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b5d14b1-da47-483d-8adc-f3b2925eac8f} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4632 1a2fc106e58 tab
    3⤵
    PID:508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3732.9.554383906\472885421" -childID 8 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27215 -prefMapSize 232645 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce78aa6-423b-456f-8970-d271b29a5247} 3732 "\\.\pipe\gecko-crash-server-pipe.3732" 4784 1a2f6fbd958 tab
    3⤵
    PID:1604

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:1600

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4948
- C:\Windows\System32\taskkill.exe
  taskkill /f /im svchost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp

Filesize
145KB

MD5
27cdefd85615c1b99efd8855120638f2

SHA1
dcc39664ab879b06b1f5f1d9f7e70b688978771b

SHA256
e980e90a3e2abd940ec93bb689b5faf14ba81e3a207871a8daae7a01a5ea2201

SHA512
2c7105fca7c490eac882d00f5c765ae7bf9895e43cb4ae3101e0c8828431bbec54918ff13166ab30c456da8b2f2cac77e2ca3af50631d5e6611e490f07b9fcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E3F.tmp\6E40.tmp\6E51.bat

Filesize
438B

MD5
d81b48c0e6b06001436869ffb2e65663

SHA1
67b34d74e5f1d0241e71849d3d08d85a286367b2

SHA256
d3d9f74b331173fe4544dc9daa6830078254adb2f88f68ac92d82727245039bb

SHA512
ed08e9386b3bdf7a8537cbf4071c617743227c152c233fc602e37173ba8f4658ecb2b7f085de95fbfb0eb14de45c7948365c5d8334858d8c321f8f8dd92a75b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js

Filesize
6KB

MD5
cdb5a91b7898f75f98e448e80b41dba6

SHA1
c749651f98e32a2320d2e52fd467fd6217660535

SHA256
ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc

SHA512
b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5fbafa2d4af4806d80f1f1a63dfa786f

SHA1
4e9637bf7981862071e3331c9e0e1027adb5f453

SHA256
e5d9676080196e06a7d9003e00b76e76a2f10ecddfe5c800f9609cb4bcec399a

SHA512
46dcb43f51c9ca8f48004436366da775b839df425352dafcdd58d8476866610373e99fe9aaf248fd2dd377f8f16268b0c6f7bdd73b2600b3fa8ffe32df58bb6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
741eceac7a88a6f8d8f77c776874f724

SHA1
efb36aa296aefecc83554da572dfaf6334305b59

SHA256
d15d7ae3e4f69cb5f68f62ea21fdce68dbd92c1e3ea65557bb01bedbce65d7b5

SHA512
53479f0652393200c80486ffc1ccc21532a2e4a1bcfdc6cdc89b5d8830df2f66f5c873c67ce0c8e9b294499c5556444cd8b46ba51d3fc58c89903526d96b89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
bdeb075204e9fc219621b8de9e8d2a56

SHA1
88571b3073c9dbbceb4ecbb29a9600bfa264245d

SHA256
4ba399c68a3f9bfea37fa7d824050b31e0b6d1f44ba03486b5e828ba9e19fec0

SHA512
f1627bd89bd1b75323642586762c430655f9278700452b06a0ef81dd16a3325ed0ccb6b6a97bc02d8605caa1d02cd07bbef8752ae899f08a22fcec2a522f46cd

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
7976126e8a874f34cf95425309d1903a

SHA1
6744e862142030e81e5e4132c32fce6d62268ed0

SHA256
c77bce0deaba5531d1a053b126edd5d3ab723674f3e82c54b0d212cb5f118a5d

SHA512
439e7bcd305316eaad5a49949b41f56ad337002b8d298e5c16cf72d10b6c1e91d1947074198a1c76c579cd37e71346142dedbefe81e3883d10868ade85a0a003

Download Submit