Analysis

  • max time kernel: 148s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30/12/2023, 20:13

General

  • Target: triage.txt
  • Size: 20B
  • MD5: d3f96ece8ebfb3b8181408455599c93a
  • SHA1: 0a115f8ade952e84e66d6cbd8157df2e0e2a9f7d
  • SHA256: 1f105aaa36317bf43dbf89558a581739ea6c249eec27c43376561bbaf914d715
  • SHA512: e5b3f500b0091ad1be096524922baa8ad438dd502a2c26d0e1f88f585fbd06481a16861ed4b72dd79bfd7495b18eb4b4b0fd8441b3a7ca81ede365393916a777

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\triage.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4600
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.0.2092429441\817182877" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9478538-b759-4fd0-a222-64513a78e598} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 1976 205f67bdb58 gpu
        3⤵
          PID:2976
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.1.1093355136\401807492" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8b66505-5b76-40cf-bf46-05516a44bed4} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 2364 205e9d6f858 socket
          3⤵
            PID:3652
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.2.1070587653\347715901" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 2988 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a7d5cc-69b8-46f3-a360-d15933f3e6cc} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 3176 205fa791358 tab
            3⤵
              PID:4276
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.3.1217147403\725620199" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {666a2af4-6518-4233-976a-095faecf2ae0} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 1084 205e9d5e258 tab
              3⤵
                PID:5036
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.4.605208474\944994014" -childID 3 -isForBrowser -prefsHandle 4252 -prefMapHandle 4244 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0633320e-7ae0-4283-ba76-9277b6dda2f6} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 1792 205fb6d4b58 tab
                3⤵
                  PID:4088
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.7.1897538961\466574631" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e333834f-b5d8-4612-9884-019a697dff57} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5596 205fc8e3658 tab
                  3⤵
                    PID:4572
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.6.1561075392\203255957" -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {186d63b9-be05-4cf4-88fa-c9be73330556} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5324 205fc8e3958 tab
                    3⤵
                      PID:4680
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5012.5.360232230\350886927" -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee7d12de-39b9-40e4-bfcb-0a8a5e21add5} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 5168 205fc8e3058 tab
                      3⤵
                        PID:3804

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 04728443623df40988013fe5b238d11c
    SHA1: b2d2d3809b41a4b271a8b828796410f5631400bd
    SHA256: 198f2f6e2f98269e8850263039379d110e89943c0b991036455d0ce4ab60cde9
    SHA512: 40f92547e609cedf5a229e6195f38cdd693c64819f63bc333e6a4f0fedb10d09e62e3c3cf52d4cd9eb03da09cc41e7cf77d8bfee165fc9159543163446e7b0db

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\29c683d0-a38c-4f0f-9c63-6df5a5773fab
    Filesize: 11KB
    MD5: e2ef0019a45e160ee113a009f5eac87b
    SHA1: a792cfb13b1cd51bed7ddcb4495bdac2e1fad44b
    SHA256: 824dfbf9a9e3d923f56bd842646ed87b11bc550b03813eeff54501a17ecee0ef
    SHA512: b851a8ef4ea2abdfe8eb750a7a4ed6667d0d4ad960ddac194fd4e6795f642e4d517ee300b29c2e6d54cc38112d5741bd8b644c6a098b8bfef6aa264ba9651e92

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\a513c12c-9ce4-4ce7-9ce1-a2f98cb606af
    Filesize: 746B
    MD5: 6e511ca80638e549470c48091041eb90
    SHA1: d8bb319bb7c12205f89b10d45c89fdbd8723996e
    SHA256: ddcb340d09da6e5d86f94a1e3c29ef63c55a04893883ab3d00eca76dfec27066
    SHA512: 9c99dd6222e4494033d8997438c106b8969e2f2ace7583addeb29c1c05a70a7348c4af585fdb1bae70f06105e1d2f37b50ff4ed218609019a294de8d161a4101

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 9dcf877b426f6d94ed5ab0cee6e24a23
    SHA1: b5268f97312448b0a1dfdc6d6e5e6589fcf9663b
    SHA256: 7179e139bc23c7d570b635e20688b1d5adb1de30254d0207af36e5904e0e4be4
    SHA512: 1dab6a874719cd95db65af5252e668af2f7c74e8d66fc5680a3cc39046b9a7c91f87d11dccba9e19c940b589533d36eea7e75881ea6ca091c7debf88ae5889d8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js
    Filesize: 6KB
    MD5: e16cde6fc48737911cf2124085900208
    SHA1: 9d6be8c3b85ab8ec0afab9dde81bf1d13f2b18f8
    SHA256: 5e05031e169c9873f516fe78f369f05a2ba1e0ebf1b4fd1c9a52fbf2a336bf09
    SHA512: ca9eeae406fb374676b566a7a121683ed2d8b014d3a5dcbf7522670ebc2303edd277ced37b6dc4b4590543a98882d52294831ae5b8346ee1dad85a105f7915a5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs.js
    Filesize: 6KB
    MD5: 9deb33a325260bf56f55e6c46078733e
    SHA1: 8e403071006cf0d1ac390ec1b80392441ee84bd7
    SHA256: 08e9208fb96508afdad7ac1816e093fcc4f50260a3ba781b29d8d8f23d1f2a87
    SHA512: bd67237312bf8c4a027fa72a7e6c5ff43a31780e93bd247b2de79de3031fb32fd9ac56eb49e867d2af4e6acc6b515d9ea253e1b8a21893b6c3c860f26f1b9f3d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: c0e018b15fa7fcbc9f66ee6461da9cbb
    SHA1: 50bcfbaf64c5cf6e1a49d709577004410f35b746
    SHA256: fc17a185bdf616fb3f51c36510e7f41770610b094021efcdc09be00af26394a7
    SHA512: 750b6ac97b4273647b35d15d4fae1cfe4a49d65c236231f9af622515f8af3ab26a7892efa6e4a4314d52f0cbb9e8a00b618ca466636f557371f0671ce2142911