Analysis

  • max time kernel
    41s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/08/2023, 10:46

General

  • Target
    persisted_first_party_sets.json
  • Size
    2B
  • MD5
    99914b932bd37a50b983c5e7c90ae93b
  • SHA1
    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  • SHA256
    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  • SHA512
    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
    1⤵
    • Modifies registry class
    PID:1404
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
        3⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.0.1288668110\482413204" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08307b36-2b9b-4087-9c83-8e03a2b9e81f} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1972 18fc2805358 gpu
          4⤵
          PID:4704
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.1.1090956102\936712288" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d172854-0bec-41e7-bf9c-893a45c5e0a4} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2400 18fc14f3e58 socket
          4⤵
          PID:1260
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.2.909302620\286942634" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 3012 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe5f5630-b912-499d-ac9d-d21967331493} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3260 18fc58fb858 tab
          4⤵
          PID:3600
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.3.806655074\419741460" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bea37a1b-a37c-4f2a-9ab1-9b562be9c24c} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3584 18fb4d69058 tab
          4⤵
          PID:1880
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.4.934916156\1384116999" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff2e7df5-1134-4bd8-a957-20e2ee7a4277} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5004 18fb4d5dc58 tab
          4⤵
          PID:5072
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.6.1930336033\738791122" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5048 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bbec190-1d71-4892-a82b-4aba0bb63556} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5276 18fc8122b58 tab
          4⤵
          PID:4952
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.5.1204490890\1418834998" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 4960 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1208 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea0e1c6-949a-4a10-a694-53d28e9250d8} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5048 18fc8121c58 tab
          4⤵
          PID:4376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    157KB
    MD5
    ee1657a44bf314e377a0ac372c8989d0
    SHA1
    fd9af066cf14f6798d0e0343847cd5247f6f4779
    SHA256
    38b4fc690aa5374cc1db9255b2763b62b8c3fce1f701430981282f7cb7857a70
    SHA512
    36c11abeccad89e78602ba57f5e8524d3082301e20bc49801a11e74a9730804601aa1d2f26ea64675cc127de337536126b17c2c954a0a4d2877bf15415468205