Analysis
-
max time kernel
143s -
max time network
267s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
16/10/2023, 15:26
General
-
Target
https://www.majorgeeks.com/mg/getmirror/win11_toggle_rounded_corners,1.html
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.majorgeeks.com/mg/getmirror/win11_toggle_rounded_corners,1.html"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.majorgeeks.com/mg/getmirror/win11_toggle_rounded_corners,1.html2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.0.672711627\1135483884" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b84b69f9-0195-4b51-8005-851da134c987} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1956 1f91cfd3558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.1.582069897\1858947766" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f12f9ef3-664b-40b0-a588-33232baf0ce8} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2384 1f91cefd558 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.2.1580512796\588054008" -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3360 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc192df0-6a9c-448c-b944-1625c2260266} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3392 1f920df4158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.3.527704897\936395247" -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c78c2a-b868-4e3a-9232-7d0ae0d6376d} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3872 1f91fcfce58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.4.670431943\1524608159" -childID 3 -isForBrowser -prefsHandle 4760 -prefMapHandle 4756 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03eb8ed9-b43e-4f69-ab2c-1b16c5cc75f3} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4772 1f923075758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.6.599304946\2067676142" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {855f2e1e-0e6e-4c4a-9307-d990ad3444ec} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4908 1f9231e8558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.5.105344243\214900413" -childID 4 -isForBrowser -prefsHandle 4788 -prefMapHandle 4792 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea3dd32d-c106-4f74-87ee-c2d38b098303} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4892 1f923076958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.7.1129184790\1412427262" -childID 6 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df29c1c7-d252-4d18-8b77-cd176c59797a} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 5940 1f924f3be58 tab3⤵
-
-
C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"C:\Users\Admin\Downloads\win11-toggle-rounded-corners.v1.1.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im explorer.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5de6d8722ed3468877d15e9c40af280ae
SHA1f9d48bd613738fe0fa7e8f3c143600f524892152
SHA256adcfc7124fa13a886f4a679e54b9814fbd181f79aedbf44a24b23a57977be09b
SHA5124a0ef89cf5a8d325455ed7954af21b08871f4aabbaa82be46cebc604bbcc91a7dbeddbffa183c48f3be42f4483095d29523bef1356d17671f73125f3b07280c4
-
Filesize
6KB
MD54e5e6166bac60249575e49219fec521a
SHA146005a1aa0b67c966f2748c89a3a80efd64f65a6
SHA256119a5395da9dc79f8638c780579c5e5ec9cae36ba9e1389bf63b67cf94989ed2
SHA5125132bdf3f72aa7a0320b085ffb0caa2416c0b28b04e0dd73c074416f75788119bc2731900e78ad4e1530badbf29419205e37aea2bc84d1f65fd54f61bbe995d6
-
Filesize
7KB
MD5d2b35251d5958a9b909aff7ecccbeb7b
SHA19f8729a982f7de797d2fc51d0a10faaefbd67d52
SHA2563bd6982e0c8d71f74cd835c3659c9a7ef3c346a3b87c274a65dc6c43cb4633ef
SHA512a57b90f434c68c3e3ce58790aa1f2ed3ba557b9142f067aa7dd67c4e391d34d40c70654059d03834a045d3290da9ac6c9197f964ac3630d4e0dca4b734c11bf6
-
Filesize
6KB
MD5b8255916369bf68c7a520d3bca1a9e1d
SHA1502c5845ec3ada089a8878fd7905f34bb3883522
SHA256b22bc2741895a8e990f0509e6b8bf429af63504da29fe08804a0eaa399b2eb34
SHA5128cf15f29b7f4dc436fd14e366a63af74c4496081c4e5bb2f9aab8978275e709ee614d86551c33a46afdf2462a354da90f5f7a49fbd73bad7ef0f947ab600c90a
-
Filesize
6KB
MD54b92e4095b182bf8d9623e4261fdf3aa
SHA1d8dada1db33e656138d06c43cb62e6021a45fb4e
SHA256443f81faadde6da3847d547635fde8d3375bb0ec8f09ae73c3a4c9c4ec00de8f
SHA5129ebef433568e3471f9e6880d31bb5f2a4aa6426e10273e81f69fd63bed6a7637d94a217047022565f3d6fbd935ca3032751cd35cd1121df287ba869b6f8c443b
-
Filesize
2KB
MD58902aedd3cedf86ea65a958c1ab8c7ea
SHA1aa2f1b211ec6f8821f890863e924c4a0390b6c81
SHA25636ddea8370d59f0487aa18787d6afda84bf3cb5cec8d68234e99a7d4e12112af
SHA5126775ba4d970607f755a6cfb0f24b0e4af35379b800ee5684def08a02547c5deb85314222062e7064a625f09f7c2880b44da200b5a3c183a6228504a155882de4
-
Filesize
2KB
MD5620262dad57de01129d4d6ec061683b7
SHA193e7665b6d7b3dc16ea942f4f6ea682c711c5f1a
SHA256c7e5a07440b66e467dc0d5fcd210525509efbb8f06652b32dccc8ab3e28c3788
SHA512756cb9a46837a50e327204fd4bf528a128c1d53f1339d66a5dc6cc67d4f9b88f8d209baf8420231c73f61cde8ecaee41ea91b9ef82c3b5889e558a7c49933a75
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935
-
Filesize
1.7MB
MD547e67a080f1e0f4b96689098dba31597
SHA12c7e094e58e963b8f4b887de2bb34552802a63bd
SHA2567c0cce8f4b8d13e9fcf15c24f3bcfb07c2f2c35d9dae7889efa535e335ba827a
SHA5122e65f3301c8c40aa2268d379d955f8a76ded0833910a7d5e3faf54984806b022eb56dee81f17144a83d2be7969bae82d4eb754f5ec44ded2be0bcce61d71a935