Overview

overview

1

Static

static

1

A.T.Lease ...).html

windows10-2004-x64

1

Resubmissions

17/07/2023, 09:28

230717-lfbababg6t 1

17/07/2023, 09:20

230717-la724aba82 1

17/07/2023, 09:15

230717-k8cheaba72 1

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/07/2023, 09:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    A.T.Lease Invoice 10340793 (WIP#10206 Acc067036).html

  • Size

    77KB

  • MD5

    0f98dd6bc7c331479dbe71a6415e8b6a

  • SHA1

    97fe14dc2937b489957d30e9384c1097acb5d2e5

  • SHA256

    f3aebfccf43f76b04cf7c27c0d73ee642599520726f1bb5a100635cca8b4e541

  • SHA512

    928a063738afc16e32453bd3862d7a1da5bad627b02969d69f7a838d574567dbe7abd19777479f6b1a2fa3fce45bc7cda9bebfe12a8dadc38f1d70a13552ab20

  • SSDEEP

    1536:IuryjI06QpLk6sMZwug3mOzbXtwvh3FBswvoOAhyyb0C3iY:XCX9pLk6sMZwummOzwVBLhyz

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\A.T.Lease Invoice 10340793 (WIP#10206 Acc067036).html"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\A.T.Lease Invoice 10340793 (WIP#10206 Acc067036).html"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.0.474467131\11786386" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f69a74a-6236-4d43-90ef-5c7b909edc43} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2008 16b2cfed058 gpu
        3⤵
          PID:4824
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.1.89413604\260832041" -parentBuildID 20221007134813 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b780a647-794f-4048-9edf-db890df9487b} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2436 16b2cb45e58 socket
          3⤵
            PID:4412
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.2.263045133\129203063" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 2936 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4d10f2d-5dde-44a4-a502-a095bfc60a0a} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3112 16b2cf60c58 tab
            3⤵
              PID:3712
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.3.662281360\473154865" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a02dff-4fb2-410c-8e38-67dcfaa8f8ad} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3468 16b2faf4258 tab
              3⤵
                PID:2980
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.4.765075431\1702422990" -childID 3 -isForBrowser -prefsHandle 5008 -prefMapHandle 4816 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac46d15-045a-49b5-94b2-b72f5f70bae9} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 5016 16b33943858 tab
                3⤵
                  PID:2888
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.5.1400537609\1547233186" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de103f58-8942-4c86-8e95-ee159e14523c} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 5152 16b33943558 tab
                  3⤵
                    PID:1732
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.6.1335645251\2000731013" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c132398-3ca7-4f23-9af5-66ad03160895} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 5356 16b33944458 tab
                    3⤵
                      PID:4556
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.7.565942411\1649249067" -childID 6 -isForBrowser -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88e82b09-f24b-45f7-85aa-f3a36b3ca8a3} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2956 16b2f17b058 tab
                      3⤵
                        PID:416
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.8.1655797185\1795799808" -childID 7 -isForBrowser -prefsHandle 5776 -prefMapHandle 5720 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b726df06-a85e-458d-98eb-78b337f0139c} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 5948 16b35644658 tab
                        3⤵
                          PID:5420
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.9.908451345\574461718" -childID 8 -isForBrowser -prefsHandle 5784 -prefMapHandle 5872 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9279971f-1fa8-431a-84c7-d1d2d153b9d9} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 5428 16b3345de58 tab
                          3⤵
                            PID:5840

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\activity-stream.discovery_stream.json.tmp
                              Filesize

                              153KB

                              MD5

                              557de234344761072e9234bf4d19c454

                              SHA1

                              b9a6cbed520a68c96fa13015bae3ae2b96ac549b

                              SHA256

                              de57d50bfa753aab2bd7663052e7e8e380d1a8ae8275f88e38c88c5f91405854

                              SHA512

                              5f2cdb48ff835a57cc7f711edee09f38cf929ae46d5591e2e1c14767299d09985bba14016ff4ca188493151d71b084ec8d88308e63f34a5b5692b97736c816d7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cache2\entries\ED9826654AE8BD972BDE17A9E0A449D3F881E430
                              Filesize

                              14KB

                              MD5

                              d37647cadc889d561f04b9a4f3429cea

                              SHA1

                              9315d81b3d44e14eb6ed8c49b8c9ab6db906d3e0

                              SHA256

                              f8d3bceb825fc7f7deff14a25f6738dbc9798a954681c4ab90adc4aeb5ffbff5

                              SHA512

                              962ad3b953770cd6c8c3fbcd9bc9b92819fa8206ce65799c49b677ba72fb1a1c1ec3816990d66b5dd8739742547a8343a4051ead5a89041f943769f71decee2b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                              Filesize

                              442KB

                              MD5

                              85430baed3398695717b0263807cf97c

                              SHA1

                              fffbee923cea216f50fce5d54219a188a5100f41

                              SHA256

                              a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                              SHA512

                              06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                              Filesize

                              997KB

                              MD5

                              fe3355639648c417e8307c6d051e3e37

                              SHA1

                              f54602d4b4778da21bc97c7238fc66aa68c8ee34

                              SHA256

                              1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                              SHA512

                              8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                              Filesize

                              116B

                              MD5

                              3d33cdc0b3d281e67dd52e14435dd04f

                              SHA1

                              4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                              SHA256

                              f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                              SHA512

                              a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js
                              Filesize

                              8KB

                              MD5

                              c997eb1fb6eb7695391934282e5005f3

                              SHA1

                              f036b16e42b44fb93691f15a6c22e14448234f41

                              SHA256

                              7fe66cfcfd0161da7930d5a372b44b41bc3bb5ac5155842f84d8fb4b1a26aefa

                              SHA512

                              4e52ea6a92c996175205e1ebcabe5b6586aad01644cf1df44fe434c9b0844204a523fd73670cf834c9e0c7f1546603913fbe7885993c910e12920d68c409324f

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              e8eb6354524d8900db7e74efada9e921

                              SHA1

                              36378805f8087aaf8e7e91aa77528f880e54104a

                              SHA256

                              784da699aeeac9f7169e9c63875e2f7e16009b49cfceefdbf8ed20fd115898e9

                              SHA512

                              fe28cb36ab8a1694036c3906945e076b0ca48ae0760c6f0338f2dd7fff39f470bbdb036708b2811eb7cfedca2918c26fcf4b0e71527caec530f03ded8f338c9b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js
                              Filesize

                              7KB

                              MD5

                              ae1b4837f7b5eef6a029ac579cb2c924

                              SHA1

                              a48af4eeb47009623d9440e2694f637656857001

                              SHA256

                              3c1e83865c3ae7013ed078b7de8c128c6751ff114176fc7613236051685ac0f3

                              SHA512

                              30d0342000e13fdaa637e18ab9abad6fe79d5f54593716510132da8c719429d29ef803e412a11a1f1c35481cb3e1922c05aaddbb0e626a3e6d791a266440b7e8

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              e749f28b6350b6120691580d8b9ff625

                              SHA1

                              1a2ef3b414fe10f6c0298a3850dbbde897ee72e1

                              SHA256

                              e5458425d63faf9c7d80e2592f9a4e5b2c17bda85fe909fb6cffa612dd119d04

                              SHA512

                              45078f9a979f7b8d0c18318d08c843bc41a8a5a7a6bb23197a7f4e23a50d3d6c8ac32deef808bc24623d974e49020255e528da849ec35e72eb528d2d12028f36

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              d9f08a9b8069ff983e91319ceded1c85

                              SHA1

                              50aaad468907f849fdf85f3a908d80ba24f0afe0

                              SHA256

                              cf866746e0aff6661853331a8196ae840ac638b36e402e07e22b1ac32dcc7f21

                              SHA512

                              129a89020cf252c9465ac6f343ba8581a5b29bf814d834352c899fb873047886818fd25a8a9b4452ce635358fc5f384f19000c92c689487cda8045de11d29e20

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              3KB

                              MD5

                              a8bb4ffed7bcf78b95688d063c892ab9

                              SHA1

                              65854b3271e21dd90d6c841bf90b85e9c34f5d77

                              SHA256

                              ef5c3d3c37d2ab57a633997514ad9a3bd96aea5c7e5c4c4b0f869a067e877544

                              SHA512

                              78e098ca1d8e89d3ab08293af32f23dcac9a5d00a649788276731e7fb04cff4d0a5a489fa0880f1ef10eaa37bbcc656adcc0537113a29900a062759d989a34d1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              d73651ef6b492951fd680016ab0db48f

                              SHA1

                              7c8acff3830b5c82685819a35b2edf573a61a511

                              SHA256

                              b482e1362c237e0345510765f09b90f6b1baae2d771ba43ff7ccdd790da86388

                              SHA512

                              eb4abdbc8584a43ea8b2505c5c54edf609739f5e9b1911f096741a4285364ee51fdae7e4a80b49340ed614cc600f24d19df515c377d938777e2687ea7aa4f475

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              3KB

                              MD5

                              9d12180c892ef9054d8b15d151d4003e

                              SHA1

                              b89ad0205c9147f6b4124d890ac07ccea829ca8a

                              SHA256

                              74ca99aee80ea4c4342d528aacf1dbf0a4b024ae912234d08c047ad5ec309769

                              SHA512

                              fdbab0f72c017e8c5becbb507b9251562d50a791d70687eab63dbf007a97ab777b5c774baeaee6dbad76a29e81ee63364133b63a728e4363343caf7c83922e87

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                              Filesize

                              1.3MB

                              MD5

                              966ad6ab56c330cdec68c02ff1a80604

                              SHA1

                              6bab06255db6e94e8f67b344a1581f7cccf0a3ab

                              SHA256

                              4510a8f5ad1407c7a3b125797dc331818b2e2142b7aff7531ce5a8a44ca962ac

                              SHA512

                              85c46b1e3e2fcb4d4f5aa781903cba60fab488f910d41bb901ea9c57a58c515168dcbcc2b957e7b402054496a70aa26faf8e61274d5593ccd29fe7b9eb8244e8

                              Download Submit