c296a5b5e49fcde27cbdf97b7d97360dc3b8d3184bd8c78ea60d0dd5d42b992d

Analysis

max time kernel
84s
max time network
85s
platform
windows7_x64
resource
win7-20230621-es
resource tags

arch:x64arch:x86image:win7-20230621-eslocale:es-esos:windows7-x64systemwindows
submitted
29-06-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UWPHook.exe.config
Size

5KB
MD5

47ae5816d4cfcd0a59ea00235859884c
SHA1

20d4abe0ebf9b0b59b376f53281ab757984d2002
SHA256

c296a5b5e49fcde27cbdf97b7d97360dc3b8d3184bd8c78ea60d0dd5d42b992d
SHA512

f594dd7525d41298960962d32b0f32c2191cfce2ebb69f0c622a85600f74290579cfb5449eed63add71803ef9be19e14507963a3543af57bec055a4b019c50ca
SSDEEP

96:br71Y7KtrzkAnUKntAnvwt4GD9An6nNgKggg7gkg1sWkr:br7u7Orzbcrj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1636	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	firefox.exe
Token: SeDebugPrivilege	1472	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1408	1636	cmd.exe	27
PID 1636 wrote to memory of 1408	1636	cmd.exe	27
PID 1636 wrote to memory of 1408	1636	cmd.exe	27
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1408 wrote to memory of 1472	1408	firefox.exe	28
PID 1472 wrote to memory of 1516	1472	firefox.exe	29
PID 1472 wrote to memory of 1516	1472	firefox.exe	29
PID 1472 wrote to memory of 1516	1472	firefox.exe	29
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 1944	1472	firefox.exe	30
PID 1472 wrote to memory of 280	1472	firefox.exe	31
PID 1472 wrote to memory of 280	1472	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UWPHook.exe.config
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\UWPHook.exe.config"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\UWPHook.exe.config
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.373492501\1507278337" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {418ff480-7b3a-46c6-a58a-92949b6d4d78} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1272 14419858 gpu
      4⤵
      PID:1516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.1.1526627245\1779705031" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b6896ca-b19b-49a8-a2c8-2de0f2cc5651} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1476 e70858 socket
      4⤵
      PID:1944
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.2.870920777\1183056258" -childID 1 -isForBrowser -prefsHandle 2024 -prefMapHandle 2020 -prefsLen 21899 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7d0ce2-05ac-4d73-9cd5-def002b35faa} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2036 19eeef58 tab
      4⤵
      PID:280
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.3.1413175266\2105531452" -childID 2 -isForBrowser -prefsHandle 2824 -prefMapHandle 2820 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60adc11-42e2-4067-84e3-2adfd0440389} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2832 e63858 tab
      4⤵
      PID:1512
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.4.923296630\1992174137" -childID 3 -isForBrowser -prefsHandle 3460 -prefMapHandle 3464 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {025deaa2-474c-479f-8ff6-4c281c310bec} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3492 1bb9d758 tab
      4⤵
      PID:2288
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.5.59942511\1739316127" -childID 4 -isForBrowser -prefsHandle 2752 -prefMapHandle 3476 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79e2ab14-bf80-4b71-8f8d-9f170595c421} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3496 1c976e58 tab
      4⤵
      PID:2300
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.6.816286480\1104897904" -childID 5 -isForBrowser -prefsHandle 3504 -prefMapHandle 3512 -prefsLen 26879 -prefMapSize 232675 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e808db-5b48-4440-b237-80f12b63c7a6} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3628 1c979e58 tab
      4⤵
      PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mvrvv3sd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
160KB

MD5
caf23424b94c60ffbdc90ee16b13465e

SHA1
86f5616924ba3e1e74f2bbbfb6eb75154b79c7c8

SHA256
21228608159ae2ae509a0949ad2abd1d82fe6ddadbe9eca07622f80c13c96c62

SHA512
a4f0b1d7f111209011cfa12eb8ebb47248cbb7271365cbc28fd216f9822c7c4948e36b1185d2fce9e999784aea43f7f9336400b64390a1c078b8ca2198ed5d53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mvrvv3sd.default-release\prefs.js

Filesize
6KB

MD5
2374cdf93400a190751302ca14f5f190

SHA1
d44856954df36e4210469db5bc9f7cec9b579b49

SHA256
89d3ee3d925170b9491b0bf3d49436babecff8506cb59bb69025ebad54a50093

SHA512
6602edb6a2281e815fe8c78dddeb1ad286a5a4e4938e680c09a21ddc401bc7fc318d79636376ae1e31eb8ef693f5c2f065af9b351a6e032cd4c16342b5c545bd

Download Submit