Analysis

  • max time kernel
    49s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-08-2023 10:46

General

  • Target

    persisted_first_party_sets.json

  • Size

    2B

  • MD5

    99914b932bd37a50b983c5e7c90ae93b

  • SHA1

    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

  • SHA256

    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

  • SHA512

    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
          4⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.0.1519193711\1170099159" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {125f810a-7f68-40ea-ac6b-12d20cfd62ef} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1308 103db058 gpu
            5⤵
              PID:1108
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.1.1027459994\307239527" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3bd4da-6aee-4a52-a203-35a72b397b27} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 1524 f5ec758 socket
              5⤵
                PID:2788
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.2.1447992871\1187523032" -childID 1 -isForBrowser -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ba4310-679f-4fa1-8fa5-ffea67edb9e5} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 2340 191ae458 tab
                5⤵
                  PID:1716
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.3.34254266\1960996129" -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2596 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0def7361-c15c-4a91-aafa-42f225a0c223} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 2712 1b968258 tab
                  5⤵
                    PID:800
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.4.999793349\306722099" -childID 3 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {035b2697-ee59-4294-acb5-4e2d0611629b} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3576 e63b58 tab
                    5⤵
                      PID:2224
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.5.1171412666\1211200517" -childID 4 -isForBrowser -prefsHandle 3724 -prefMapHandle 3716 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {603ba853-a4a9-4396-ac83-17fb1d852aef} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3736 1e593c58 tab
                      5⤵
                        PID:2124
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1492.6.1431759143\1134381162" -childID 5 -isForBrowser -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f171684-1ce8-404e-812f-97c84aca1ff9} 1492 "\\.\pipe\gecko-crash-server-pipe.1492" 3772 1e592458 tab
                        5⤵
                          PID:2100

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g1epp91b.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    157KB

    MD5

    32aaf08d581e7189774ceba08dcf058b

    SHA1

    efec1d9c03ac14f700efab617dc4259349b8f0c3

    SHA256

    d42b80ef620173e2337b6f2b361387a37e9748b59d9797b97d44527942053c1e

    SHA512

    9dee99a62be8730aa5fb6f86ad9b0f894d753be51cb1a4e830e093b6fb829f94e87ee022aaa20b0c4a03129e7821d660cdf9b2c734f54dfcc73d7d0eba84a315

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs.js

    Filesize

    6KB

    MD5

    1a198dbb039ba32cb8bdba8db7de6fa3

    SHA1

    e4b47094f026359b3ef8727af8320edf7a99b0a1

    SHA256

    3f407c48e71cf614b056557ffa38bd6bc6668b29fae2552b1c313449cdecf41d

    SHA512

    c6c32e55b19d45a9e8486060df4b911ef99a85e7e642391bd0e9b71fa3c730987eb49bbfc02898b3323c0f375a020799ef7b1c7261abb55f9198044fa7d14700

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs.js

    Filesize

    6KB

    MD5

    7608d8b2f1666f0d7e059e5dfec71d4c

    SHA1

    043b886627e9dd4e2763c6b1d0da834771f11bfe

    SHA256

    a773c215dddde5b16cb158d8f63175c1f07e7b98799247d37ffbd0f11be397fa

    SHA512

    94c8e11675f1cd3b7e07350a563e881d8508c4997359663393e74742e2bfe0c79c77e333043a4052aa9008a4e1b605e199905120baef63133b93802b61b25a05

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    1a6057d79c44d236a88de3d337568bd0

    SHA1

    d7b32a8a001bf662e029c11a1cfb24e00ab3b90b

    SHA256

    45c1350cd1a2f6f57f1e0caae04277e34453a56c8feb307c24c7d956d64d4527

    SHA512

    944dcd36b1581900c71aaab5ea3e73119cef54e74d330da3aade4160f7c1fbd20677f5d8fff4c1b4f563c8b7fb36609e212af52bdef9b702a0554fc437819d93