9d74be4b5c98814c3a9729c891a8e902445cae0d3a061d4adaa13a65e22ad6f4

Resubmissions

26/10/2023, 13:47

231026-q3q2hacb8z 10

26/10/2023, 13:47

231026-q3jbnadg82 10

Analysis

max time kernel
1737s
max time network
1750s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2023, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CELEX LEAKED.zip
Size

94KB
MD5

cbcff1034cbb80575ad07004ccf4f286
SHA1

b83ce7bdca39e27ca8e0a5960c74b803c17291d8
SHA256

9d74be4b5c98814c3a9729c891a8e902445cae0d3a061d4adaa13a65e22ad6f4
SHA512

c3eb8f8d6daece2143d653c5b06fca961b24ea833e2a0814ba6a16e02bbacc64a370bb47a017de7068cb47ef2af046d5cee17d80f10c5fa3d07e19a9e103c174
SSDEEP

1536:inZlxKCV2qw59IF+uyznvm9W0gH03naoSFFW5dPXDrjQQDZtCjtNPrd1MnlvtDzf:ihKCVY5c+nqn3Vcs5dvf8QfcPrd1SlB7

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	596	firefox.exe
Token: SeDebugPrivilege	732	taskmgr.exe
Token: SeSystemProfilePrivilege	732	taskmgr.exe
Token: SeCreateGlobalPrivilege	732	taskmgr.exe
Token: 33	732	taskmgr.exe
Token: SeIncBasePriorityPrivilege	732	taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
596	firefox.exe
596	firefox.exe
596	firefox.exe
596	firefox.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
596	firefox.exe
596	firefox.exe
596	firefox.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe
732	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 4736 wrote to memory of 596	4736	firefox.exe	91
PID 596 wrote to memory of 4688	596	firefox.exe	92
PID 596 wrote to memory of 4688	596	firefox.exe	92
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 3992	596	firefox.exe	93
PID 596 wrote to memory of 4624	596	firefox.exe	94
PID 596 wrote to memory of 4624	596	firefox.exe	94
PID 596 wrote to memory of 4624	596	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CELEX LEAKED.zip"
1⤵
PID:4716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.0.632223821\1601674802" -parentBuildID 20221007134813 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74cb90d4-8a91-4da1-bf4a-a74c6a717f25} 596 "\\.\pipe\gecko-crash-server-pipe.596" 2024 24fa5adb658 gpu
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.1.1053008720\698730007" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2240 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01f0340-d7fa-4d7c-a351-4c3383f3a837} 596 "\\.\pipe\gecko-crash-server-pipe.596" 2416 24fa59fd658 socket
    3⤵
    - Checks processor information in registry
    PID:3992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.2.1608944669\1076089955" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 3236 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {387a185d-ac45-44e4-ad34-326f512ce8e5} 596 "\\.\pipe\gecko-crash-server-pipe.596" 2932 24fa9cae358 tab
    3⤵
    PID:4624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.3.920161810\1493242912" -childID 2 -isForBrowser -prefsHandle 3036 -prefMapHandle 3064 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f5a6ad2-13ad-4b41-9078-3149787325e4} 596 "\\.\pipe\gecko-crash-server-pipe.596" 3024 24fa9123458 tab
    3⤵
    PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.4.921969955\2145660044" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dbce21d-31f0-4050-979e-8050ae53277a} 596 "\\.\pipe\gecko-crash-server-pipe.596" 3872 24faad25558 tab
    3⤵
    PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.5.1655939591\133946821" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8a78df-a8db-4642-a827-b8552abcdbbb} 596 "\\.\pipe\gecko-crash-server-pipe.596" 5084 24f9932f658 tab
    3⤵
    PID:3756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.6.43677565\1097436766" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e74826-692b-463d-aeff-fc73fb135600} 596 "\\.\pipe\gecko-crash-server-pipe.596" 5176 24fab9d5d58 tab
    3⤵
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="596.7.1417935074\266986548" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8941dec0-162d-4015-9d5b-19c9b914eb6e} 596 "\\.\pipe\gecko-crash-server-pipe.596" 5364 24fab9d7558 tab
    3⤵
    PID:876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
03d2a12647f54850be4b8f3e5816e9a9

SHA1
0ecbfde50e447a5e50f2c0c25dc0925bd0d30e96

SHA256
ca5c697a9e3f274e98193c12b04548f572098692d543c42b9621638ecc04adf0

SHA512
7ac1867d8847a8b525ba9ad1636c758d2b78c4c10c17033e3536f1e259e1abdacecb0f0d62a694246b48d7e83b37792502fcc81345114a0740457d2fff566b33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\prefs-1.js

Filesize
6KB

MD5
dbca287b383bf2fb1548b3a4a1e0f97c

SHA1
cbaa1fa3d4c2668a29796a8a9803197f429ccb16

SHA256
36d5826c8fbf2cc16cc0556563b49c17a340ef2ebb2af4aa964f083b4793a1e8

SHA512
9e4d08106ceccffcf43b2ff78ab8c114402dc512c915e28f5ddb964838fd5b75a1aa4db42e927e3cd0812815e3b1c9d37a987bc079984fc92748e2dfdd391016

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ef295760095e79f19f6dca5584471134

SHA1
23d96fc5568e7833d7605ade1ecc231661542799

SHA256
ddfe118f5bdd3d807edc98dbcc89c08e47c76d0353e6ba20db18a9f8278ce2ce

SHA512
f21ea92d2cefe83d325279a14a15b90145f3335c0894dc93997d1865a9ed89aedec8e99c05e3c5ee8fd95a3693d78ac6e326978c4b3a3a96c4b820ebe54b22bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2vpmaw3i.default-release\sessionstore.jsonlz4

Filesize
895B

MD5
bffb1d2d63dab0782fb8ea108deaf189

SHA1
5f359b500b95999b58b92140fdf28fa8f159a2c8

SHA256
c9563b7a30154c4dab3450e449f2a0697df2ba392d484ae1740ec166ef97110b

SHA512
5cbff88efdf5ec190fe512887d63a5c91ce196b2d24f54937335373226ac89b926c8113a2f4b63d05f884d972895af5e19cf3c1f2323194a929dbc1ae4bbd6b2

Download Submit
memory/732-37-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-25-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-36-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-35-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-31-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-34-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-33-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-32-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-26-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download
memory/732-27-0x000002A9CD1B0000-0x000002A9CD1B1000-memory.dmp

Filesize
4KB

Download