2485d3628c7d8ed8804ef55dbfb67eff8d52136af13634d74167fb3ce459b7d7

Analysis

max time kernel
106s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sorted-Algorithm.py
Size

1KB
MD5

65d880c7f474720dafb84c1e93c51e11
SHA1

86072d208f6b2f20a890f54fe5acab5ee52f9ec4
SHA256

255392992bf103d218466399d670300453a69f24398b02f316a74826c1f95a82
SHA512

e701046c4b9dcd3718d0dca7d233bf5a9b9c344e86b60c0b2b6f355f6f794e11e716f13cd306befc2f989114bf55b22f3f1da711010b53e0431c217243665878

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 3 IoCs

Processes:

cmd.exeOpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4676 firefox.exe
Token: SeDebugPrivilege 4676 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4676 firefox.exe
4676 firefox.exe
4676 firefox.exe
4676 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4676 firefox.exe
4676 firefox.exe
4676 firefox.exe

description	pid	process
Token: SeDebugPrivilege	4676	firefox.exe
Token: SeDebugPrivilege	4676	firefox.exe

pid	process
4676	firefox.exe
4676	firefox.exe
4676	firefox.exe
4676	firefox.exe

pid	process
4676	firefox.exe
4676	firefox.exe
4676	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4688	OpenWith.exe
4676	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4688 wrote to memory of 100	4688	OpenWith.exe	firefox.exe
PID 4688 wrote to memory of 100	4688	OpenWith.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 100 wrote to memory of 4676	100	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4248	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4248	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 4764	4676	firefox.exe	firefox.exe
PID 4676 wrote to memory of 1528	4676	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Sorted-Algorithm.py
1⤵
- Modifies registry class
PID:5088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Sorted-Algorithm.py"
2⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Sorted-Algorithm.py
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.0.1497790308\39566247" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3130074c-3198-4de5-bdd2-d5dcf3342e3f} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 1980 22ef6ceae58 gpu
4⤵
PID:4248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.1.657437822\929604797" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed64caca-320e-4143-879e-33d436267f57} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 2404 22eea271f58 socket
4⤵
PID:4764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.2.1464277803\198303677" -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 3036 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34eaac7e-b853-422b-8d33-7bed07fb5072} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 3184 22efac25258 tab
4⤵
PID:1528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.3.1906815594\1697424799" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdde6e9d-e85a-4986-ae4a-4481dc9f0445} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 3624 22eea262858 tab
4⤵
PID:4392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.5.1162203327\776894841" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00789fe0-6100-41af-b437-d682cd07d847} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 5100 22efd19a158 tab
4⤵
PID:1016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.6.286439867\685615932" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f1e7e0d-560a-438d-8ea8-5034f9ac0d03} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 5296 22efd19a758 tab
4⤵
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4676.4.924237265\84914222" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4820 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bc0c402-2b94-412d-85ed-9a998deafbee} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" 4780 22efd0abb58 tab
4⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\cache2\entries\58A756A796A86993036E1F0F79183245EE2ABF58

Filesize
13KB

MD5
b16e5c892423e6f406396d23ca06477b

SHA1
3b36c958e2fb349d0e7189ee3b1bef22715ab9ed

SHA256
5be686cab82f500e4debbe147858e83504e561481028a7a3a7ad9aead96e6dc5

SHA512
f0c987f1375ba300c16b837366bdb8c584dd12d4b7e1167fe1e6692b924eba13597873ae632a9ce1739b5f697e09ca049c0054e62c4e35d762adaa1f964d210e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js

Filesize
7KB

MD5
1e44c7ca0c7d382e57218c62ff54f07b

SHA1
87ee0f161c59e9e278cad6ce56a51ffd630766fd

SHA256
09fd8a9b6ae71844cd38cc64bbec83c35c532751d3d4d4d42efd72a254be4b2b

SHA512
4b6e9fae6245eda94feaa75f86e05e78fb06c0618e5cbb02df48bb72b27ceefa90910a006be666c5c49a8721da8ad0c3baeeff8d7235e04508f9a66d87d42d5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js

Filesize
7KB

MD5
e95d00e608f0de513370d83c2d100d05

SHA1
07c3ea1594a1678d7a89a64d7c6ef18e967a9048

SHA256
f02ee0b7a95e846e58a6d7ec36436b54f7de51bbbcc5e74201655efda7c00856

SHA512
c1eb324ea29eb39f08778f1a48fb1a7879f1ae67d8a37168ff592500162e388075bc6d0333f63fb027cf4284eb546c6348a79c1a842668570aeac17bd43452cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js

Filesize
7KB

MD5
565af276bf2ebe09d7885e9708ec02b9

SHA1
07fff4f719811a9f06b9efc8c5c3da697636ef64

SHA256
d2dbd0f8c9552b2a670c20905512f42ca0c367e37aa3236808b3551d177f3a05

SHA512
4f84a6c092095415914f6061121be526331a08002fd1db47ffc06a724a502e4b09798b5636ec368ba85d8052d57fd4bca7924a696d4628e665e7d01586233785

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js

Filesize
6KB

MD5
b818e8ae0f65800e27b1289e058662f1

SHA1
377252aa7ef445d672a32bb1f2226aabacf91060

SHA256
b51cbee1ecd73918cdc20c879e2f9ef9e555c2cca92e8e5b2675d5051f70c6fc

SHA512
a09320a29c756329f85def3b1a1e6a92092e079bc6bb54b7afba57efc71a9c73eb183a9582a9938c26c394dfa550a56e77622cf462dc5912e1a63d0fb0a0a2e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs.js

Filesize
6KB

MD5
71b82fac84a03b4f1413fba9bbad2d6e

SHA1
26b6ea9b0345f6620bbefcd549cfb53d6cf151e8

SHA256
2a8ee90be12cfad80c4373d878ba704bd19037c605b23635c2954b326dd6bfc5

SHA512
5f0db4c7d83f971fe4fdbd0e40a7255fa29ab31a1c0aac49543cab2e875dec0c4806b89ed4f9fcf7eeaff80f8c23d8db3f41475b67fcdff66adb80c80501c7df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3c1c03e263a29288bf1645ec71dbcff8

SHA1
be7b78a086a8a7656a44d4fa3c35f0124f20bc4f

SHA256
0ac3b0fe3872568fe202aade4c56039789facc7a31e2217731381d76581738ec

SHA512
e12ce93149330062e4189fcc7e35c9efb19523394514a21c18fb3ab37e4a1d495beeea4fba36a30a1f68151563a54361b02aafde0a390d55edeefa7262209eba

Download Submit