44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

persisted_first_party_sets.json
Size

2B
MD5

99914b932bd37a50b983c5e7c90ae93b
SHA1

bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256

44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512

27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1000	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	firefox.exe
Token: SeDebugPrivilege	4604	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4604	firefox.exe
4604	firefox.exe
4604	firefox.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
1000	OpenWith.exe
4604	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4588	1000	OpenWith.exe	96
PID 1000 wrote to memory of 4588	1000	OpenWith.exe	96
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4588 wrote to memory of 4604	4588	firefox.exe	98
PID 4604 wrote to memory of 3816	4604	firefox.exe	99
PID 4604 wrote to memory of 3816	4604	firefox.exe	99
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 872	4604	firefox.exe	100
PID 4604 wrote to memory of 4848	4604	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
1⤵
- Modifies registry class
PID:5068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.1511564054\319355729" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e0f378-bd1f-4b51-a740-02ebd737ba99} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2004 150302f5b58 gpu
      4⤵
      PID:3816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.700051704\1643584580" -parentBuildID 20221007134813 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2c682ef-70de-4094-b3e8-20aa613b1194} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2432 1502fde6858 socket
      4⤵
      Checks processor information in registry
      PID:872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.1614392683\167793031" -childID 1 -isForBrowser -prefsHandle 1620 -prefMapHandle 3160 -prefsLen 21714 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b54ca83c-d4fb-479f-b332-dcfb549e3bea} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3220 15033be3d58 tab
      4⤵
      PID:4848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.888207963\214411876" -childID 2 -isForBrowser -prefsHandle 2576 -prefMapHandle 3340 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fb9019c-bd8d-4ddc-8eaf-0689a2b91a47} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3304 15023661c58 tab
      4⤵
      PID:3576
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.689137430\750401039" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5096 -prefsLen 26593 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c17996-42c3-4078-8e0a-d5261bb8a69f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4952 15036609858 tab
      4⤵
      PID:4480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.711646883\73139692" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26593 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3162e7-c877-444f-bb78-ce517ee80759} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5264 1503660ad58 tab
      4⤵
      PID:2744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.6.2012776969\818495973" -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 4916 -prefsLen 26593 -prefMapSize 232645 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {162ba435-84a4-4c4c-bd0c-de386684f60b} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5164 1503660cb58 tab
      4⤵
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
150KB

MD5
2a1cf41587048382db042153db6ccd4e

SHA1
474cc5b4eadc2a1c91577ef663f66a590d852451

SHA256
4427751fccd9e257cf4238723b39f362964f151673bd70a98b2a1f2af5bb85a4

SHA512
bdd5a654f0d65286c4002c2b5f27b4e72ab09826d2d288cb446974382c7ffd4f192de53a31527514308ab2e9b0734dffc7ff9696094ba8dc6905d38e407cce40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
481cb9cc30b434bd55bd7af53ccd7939

SHA1
78509d1ff66ca7c63165cf68dff1f02e91a13d53

SHA256
df308ef3adc26a44949b7d4c14f48374f5740d88c8a9132bd559db35d8de9c6b

SHA512
2ec8322e62c1ae03514de2159652e0f6639f7b124e37a2e094e53311c330cd919863556d6c60e7b58d0571a50dfe8df7c84dadd3eee8e9496a04dda5fd650ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

Filesize
6KB

MD5
63f5ec698a185ba6b86a91a463b07459

SHA1
cfac6dc14b74850783c727ebdeeec97e6f31eebe

SHA256
c0fdda0a4f25ea5e952ef3a887af73387bb7e0c6cd6bfee40b1f4fbffae701b4

SHA512
29ce90d416e41fa3c312fe738b6c0f6c5393eaad79e98767f5def7b9a20f36c26be459978dc93c333d68b58810903c626bb76e498ffb6230250b38398283e9e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4

Filesize
932B

MD5
4747a1514afb0d325f16e098ee91153c

SHA1
bca404bc4565681a177adead72eea7fccaf5776d

SHA256
a8c031cd54519bb97b713fdc3018111bdff2ce0d45c5e01770f8b833682c00b6

SHA512
1ef04c16851a8915cd506cb27ce2eabd826617d0002a005050cd3e98adb4e8b100a9293cdeb147812e5be23c375d6da0f9efe419f5f6919d26a0c5748c8e339f

Download Submit