ffc4536dc8b66bc8c67db8db7e0cc4da87e80280e078b75b831c46d4cf95992c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.py
Size

593B
MD5

ccfb39e5784e375943db8e6f34580152
SHA1

c6f7f35640ddeb63e473a3a227e0ae93c5feacbe
SHA256

ffc4536dc8b66bc8c67db8db7e0cc4da87e80280e078b75b831c46d4cf95992c
SHA512

0dae379804644357a694fabf7742063b924bea2f7733fde85c6d895baffa3802759fc8e24f4dff2d2d8311c174aaad3f6cb36dbf802de194e9cff657f526944d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.py	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\py_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\py_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\帒ᦋ☀耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\帒ᦋ☀耀\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\py_auto_file\shell	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4864	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	firefox.exe
Token: SeDebugPrivilege	3080	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3080	firefox.exe
3080	firefox.exe
3080	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
3080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4772	4864	OpenWith.exe	96
PID 4864 wrote to memory of 4772	4864	OpenWith.exe	96
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 4772 wrote to memory of 3080	4772	firefox.exe	98
PID 3080 wrote to memory of 4032	3080	firefox.exe	99
PID 3080 wrote to memory of 4032	3080	firefox.exe	99
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 2196	3080	firefox.exe	101
PID 3080 wrote to memory of 1464	3080	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.py
1⤵
- Modifies registry class
PID:4964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\main.py"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\main.py
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.0.808661765\1932711740" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29b52aab-b5a8-4129-a69c-dcb91a970284} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 1944 2b9689d9158 gpu
      4⤵
      PID:4032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.1.982553383\1837169283" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b659b636-4365-4e3c-ab26-f08bd5f8a25e} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 2368 2b9688fc058 socket
      4⤵
      Checks processor information in registry
      PID:2196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.2.1511407003\1740505306" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2932 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc954bec-1799-4ea4-b35e-46e22dd123f4} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 3140 2b968963a58 tab
      4⤵
      PID:1464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.3.386611596\1661277938" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4beaec16-8368-4666-bbe4-6b032d86c184} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 3624 2b96b34a358 tab
      4⤵
      PID:4644
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.4.1116370273\1281036341" -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 4800 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a26f9ad-72f3-4389-a5d2-a0598e532ea2} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4864 2b96eebb258 tab
      4⤵
      PID:2836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.6.874528463\949496546" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {535cdd49-140b-4172-8d41-bb6d23466ac2} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 5168 2b96f45be58 tab
      4⤵
      PID:2124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3080.5.2084461166\2077813425" -childID 4 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c738b17-59c4-4d8e-8ba6-0a6b74f5148a} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" 4984 2b96f45a958 tab
      4⤵
      PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
150KB

MD5
f22df2ba66b19a7cfc398c3f127db12e

SHA1
2d94044584b49bd62f4e835696149f6f39842376

SHA256
07eee21a9c4394fcdf661dfa8535b397487b0a456a333737f142f8c4fe7075fe

SHA512
6e33568a547db83fb6ff53c4d1dafcd4bf2ca0fd909a3be99ff7dd64f94d8c7c9510386fe52f126b547ce0f8fc5f1cee7baed5f5f05988d1bcd0630049a08969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js

Filesize
6KB

MD5
9ec653c3ecb00d64e1d7b5a65a82cfed

SHA1
9dc5e79f6d42114930897f089f52cc96bd389e88

SHA256
666d3b9abf54a8645c242d41b84c86393945425663c4eb3da4ff271ef6074aad

SHA512
92b929a4a5e00566f655660cd985635043f18ce129928d1b4943683089f52859d183b849fd1a4f4d3121311bc9f264767024be2f21bc580793ee971e1500fe18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js

Filesize
6KB

MD5
3c79d85b2879b181f501d4631f6c3889

SHA1
1a21eba601c65d62693dfcc51560dcd942355aa9

SHA256
0da5eccb13aedb0ef1118fe5bb21006524f2c933dcce1899a5ac1626f7a02546

SHA512
ae65c579a45722eda0259e1d7756a8d5737009f81b3da479fab1bc7531c267a54b418eb398a5a578e7dfd81b93fffe1a8c51fde3902e0cf5793d493904a4e16e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
288e046075986d6739b5607ceba21626

SHA1
41b9b512e191405dc5d0beadf9adb1656ae579c7

SHA256
27c4958f2e821cd2b951e70eb9a28ee9f7e21e3dc3fa2fee4c6ff5970567697c

SHA512
02fb135f74522dcd6e30d13a059cd4c00402ce7ddc9df61390bed140abbaf4a34e11d43275e2ca6a938a576033d639487acde952e80a01d796ff6b997e3f0670

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore.jsonlz4

Filesize
924B

MD5
a254db56a5ae744d67cdc5cd394e15b0

SHA1
5be737138f0a9ab3fed5c90c0b0f9b23b6c78f09

SHA256
887170da8a28397f12d4113fc6d18c89ac4e7ddeb0ddcb73ab639be18a6647c0

SHA512
6a09a16add8addbb19bb39aec8a4140cd67e3e3cd2e2fd1f6701d369d488db2588b119d3f6389fd11959fcd19fa3c45bb25c7a2935625dc5f28d57c0aeb85fe0

Download Submit