Overview

overview

10

Static

static

10

Plugins/32...ss.dll

windows11-21h2-x64

1

Plugins/32...in.dll

windows11-21h2-x64

1

Plugins/32...se.dll

windows11-21h2-x64

1

Plugins/32...ns.dll

windows11-21h2-x64

1

Plugins/32...in.dll

windows11-21h2-x64

1

Plugins/32...ng.dll

windows11-21h2-x64

1

Plugins/64...ss.dll

windows11-21h2-x64

1

Plugins/64...in.dll

windows11-21h2-x64

1

Plugins/64...se.dll

windows11-21h2-x64

1

Plugins/64...ns.dll

windows11-21h2-x64

1

Plugins/64...in.dll

windows11-21h2-x64

1

Plugins/64...ng.dll

windows11-21h2-x64

1

Skins/Poly...ay.exe

windows11-21h2-x64

1

Skins/Poly...gin.js

windows11-21h2-x64

1

Skins/Poly...ic.ps1

windows11-21h2-x64

1

Skins/Poly...ic.exe

windows11-21h2-x64

7

Skins/Poly...ss.exe

windows11-21h2-x64

1

Skins/Poly...ll.dll

windows11-21h2-x64

1

Skins/Poly...ns.dll

windows11-21h2-x64

1

Skins/Poly...ck.dll

windows11-21h2-x64

1

Skins/Poly...md.chm

windows11-21h2-x64

1

Skins/Poly...B4.exe

windows11-21h2-x64

1

Skins/Poly...ipt.js

windows11-21h2-x64

1

Skins/Poly...rd.exe

windows11-21h2-x64

1

Skins/Poly...or.exe

windows11-21h2-x64

1

Skins/Poly...er.exe

windows11-21h2-x64

1

Skins/Poly...rt.exe

windows11-21h2-x64

1

Skins/Poly...ns.exe

windows11-21h2-x64

1

Skins/Poly...md.exe

windows11-21h2-x64

9

Skins/Poly...or.dll

windows11-21h2-x64

1

Skins/Poly...ord.js

windows11-21h2-x64

1

Skins/Poly...ord.js

windows11-21h2-x64

1

Analysis

  • max time kernel
    72s
  • max time network
    61s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/12/2023, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Plugins/32bit/FrostedGlass.dll

  • Size

    8KB

  • MD5

    5643ef38f7e63ab78a140721e80ff01b

  • SHA1

    fb124f9ccb5270983828eecb812bba312ce3a60f

  • SHA256

    fb7ca760f6f148325c8ad54c52b8ff4c9943d55323068847818130762cf60d5b

  • SHA512

    9831edb15e550cdd2a695ed5d5a6cb69cf8bb0d8382b5a5ffa5ac94276e68d725dbfaa93a5b8fa0224c729e0acdfc850547031a47fbe1f891aebed9f1c2692e2

  • SSDEEP

    96:5QIL5eTe/N8Nrg+w4OfzFkSdWC0gLqvZ7OIoPKf6xoIr+5Xoul:5QcvYw4EkeWCvLqtObPKyo354I

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\32bit\FrostedGlass.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\32bit\FrostedGlass.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 832
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.0.1276449697\737874476" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20728 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9d7969a-5b07-4290-a2cc-fd30713ad927} 872 "\\.\pipe\gecko-crash-server-pipe.872" 1904 1e8de2d3f58 gpu
        3⤵
          PID:1644
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.1.13028316\569103481" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2256 -prefsLen 20764 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ecc4c7-0072-4383-97f8-aa988de5836f} 872 "\\.\pipe\gecko-crash-server-pipe.872" 2280 1e8d21e1058 socket
          3⤵
            PID:1348
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.2.143924341\981108476" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 3200 -prefsLen 20802 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb0a64d8-ab71-41c6-87c5-5ea5b9a3e6a3} 872 "\\.\pipe\gecko-crash-server-pipe.872" 3092 1e8e35a5b58 tab
            3⤵
              PID:2676
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.3.389623573\82291839" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26046 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15d8325b-49f6-4a05-b377-6daf8fc4fabd} 872 "\\.\pipe\gecko-crash-server-pipe.872" 3504 1e8e437e758 tab
              3⤵
                PID:2156
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.4.1890928052\631280033" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 26105 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c3cd96-0605-4bd1-a273-ecc857f41942} 872 "\\.\pipe\gecko-crash-server-pipe.872" 4044 1e8e4b22b58 tab
                3⤵
                  PID:5116
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.7.69639699\1525544879" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26105 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04eaf788-4d58-4833-9491-be5671476e31} 872 "\\.\pipe\gecko-crash-server-pipe.872" 5316 1e8e55c8c58 tab
                  3⤵
                    PID:2236
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.6.84735795\2120659782" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26105 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7859680f-9918-483f-81a8-09a53a0ddadc} 872 "\\.\pipe\gecko-crash-server-pipe.872" 5116 1e8e55c7d58 tab
                    3⤵
                      PID:5008
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.5.1113641264\45345185" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 1672 -prefsLen 26105 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6278ad7d-402e-4e41-90c8-bce6c54bcfff} 872 "\\.\pipe\gecko-crash-server-pipe.872" 4988 1e8e3a88358 tab
                      3⤵
                        PID:4404
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="872.8.805895444\839835489" -childID 7 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 26264 -prefMapSize 233414 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ce4e30d-f0c6-4f93-af1d-bfa1cba53244} 872 "\\.\pipe\gecko-crash-server-pipe.872" 5956 1e8e772ca58 tab
                        3⤵
                          PID:344
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      1⤵
                        PID:1284

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        22KB

                        MD5

                        7cd74ee9ea676959639a063e59f37292

                        SHA1

                        c1ea4e0a35bd47209fb7de05b1b46672f2049c60

                        SHA256

                        da62a55a2a16128218b4f4d6ca9478aecba1c9895ac312387a2a85758199d471

                        SHA512

                        3ca63eeceb05628c6e5581111939dc7cc26502aa6b857b54e98b36907720815b1edf5f383e9245a150ed0722d4b4ec7c9806eb3bef51bb0064d1c33a7953aec5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        60ae11add616c71d58e2b32bde70dedb

                        SHA1

                        7c62854c6bf444a2fe479398c95440d548c5acf0

                        SHA256

                        a616d62f862a210fc2d9cdb431e67678550455244ad2f55f6ce45b207d2a4bea

                        SHA512

                        142b410f61a5dcc966912769d8000f423946ad5c534077f8065faa47b14fd2d3658c430d9527a671d739da0162a3bb11c569fe2e73f6727873762936788f2a91

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\datareporting\glean\pending_pings\091bf4ba-abfe-476f-bde7-90e7ea1eda03
                        Filesize

                        746B

                        MD5

                        c3adf151895bf946cccb43c554097d1e

                        SHA1

                        75e0af551617cd8347eba309d4fa53151080d4a0

                        SHA256

                        141b8dd39b8b531f05fa216b88eb45e3f6d6e3c1b96a3578258e128217359cb8

                        SHA512

                        04fc948efb51ace7aef7f58dbe69dfe53dec8b45f972a3f00040ac4fd6980da55de9625f5bd0061c1021c2747f60f8ebe9aa3bd70fb4fc403ce537f05d3d9499

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\datareporting\glean\pending_pings\cd310f66-d372-4515-886a-62caa9837820
                        Filesize

                        11KB

                        MD5

                        b523ba76b889131690c206d7bab85821

                        SHA1

                        4c472aa1c4d23cd8add8a1ab79a130333f98b771

                        SHA256

                        61075b9ac98f2998c676854a327809cfca6a319d1493a7c5c61d1d051d09a5d3

                        SHA512

                        15ffc4150ab54337e2c0b394862ff1f652d09ac4120be4407e6a4af4d46fcd5ecd56d0be9c24de0f1c59d549187a12cf3b2aab27329a6323158219642dcda207

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        2ea532b7827ff9df861ec8042da3009b

                        SHA1

                        ef8626b0f9fe0f180e1504195adb3b09f99b1911

                        SHA256

                        7722b08e401c26e2ca03f3f38ec95d73bab2806e7c4c5d7caf08ad2fe73f2d2f

                        SHA512

                        4b18fb87af2e3213f2d37dd903d99473a87bff4daf12ea3fec4cf5672c4d73e605c9eff146ab502222539fbb05d65c0113dfb7b1e46937a8569cd8395f0c6fb9

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        e637741acec1a3e1270c58f45fd7c73c

                        SHA1

                        6a1ca8558b6bbfdc61b34ee0d064bc1378fa241d

                        SHA256

                        0ae7d0557505ba8194ea62920d9e507fd71bd29f3b9a15f2fd855788b4726b2b

                        SHA512

                        079c3bf18f80aba9fd6f8ed43672aa7cc69ba2462b2ec7bcedefc30ee187a81c32c4ed33d0fd863270f262cdf06fac47679660a361d9728000f44009bf48caf1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\prefs.js
                        Filesize

                        5KB

                        MD5

                        c9c01b452f36d35610462ccd4d5f8b82

                        SHA1

                        f73d113fb50957a192d39e123cc57ad14052c886

                        SHA256

                        588ba7fbebea4a64efb5b6d0d5c13c65f2164908ae4a871ec75bbd19b6b7bd72

                        SHA512

                        f8864d57737f4de6bca50eca428fac576ed21ad55e73b782cdb9b3afdd2794471f993372b946b44622683939a015c54101542665fbb0b5701af536f07de0bd0b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        64d70f383f12122afee9118c4cb5939d

                        SHA1

                        899870ab1dd35abec0fbf4c4c8e2f22f351270c4

                        SHA256

                        6abd8e6065e104bdd5ed34428eec5e15ef348ff9e3d88e4465188f7718e879bf

                        SHA512

                        fa31933ec9c696c295d8864ec88f864288d28ba0f0278769f1467ba62097fd66914fc35a1720152493e0f37472dc446ec2b6b988b2c40d27ad2cbeefd8a87e95

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n3n9wgn.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        05d31257afe42ac7a5883bc817b14f31

                        SHA1

                        a1f87c78907ceb4ed80992223bba1e99ea67ca23

                        SHA256

                        16c8925bb6a2be9ce611fb8a55ec030f852988484317d6f3e52795d9dc6a7a7a

                        SHA512

                        cd7bc1be905c0d4035509e80c9d0be56692559664d45f6f1bf572552258a35fd6c3197fa4772d01abf47e5d278af01d59a41775332a4dd28c4cbc9aa39fb65b8

                        Download Submit

                      • memory/1244-9-0x0000000074780000-0x0000000074D31000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/1244-2-0x0000000074780000-0x0000000074D31000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/1244-1-0x0000000074780000-0x0000000074D31000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/1244-0-0x0000000002D60000-0x0000000002D70000-memory.dmp

                        Filesize

                        64KB

                        Download