Overview

overview

1

Static

static

1

URLScan

urlscan

1

http://stngroup.com

windows7-x64

1

http://stngroup.com

windows10-2004-x64

1

Analysis

  • max time kernel
    256s
  • max time network
    277s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2024 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://stngroup.com

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://stngroup.com
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.0.1462295505\319790074" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13c05873-e880-42ef-820d-abd006725385} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 1944 1867e0da458 gpu
      2⤵
        PID:4620
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.1.1549089892\100556974" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21487 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20495046-7b59-47a4-b5c2-29956d651cdf} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 2368 1867dff1958 socket
        2⤵
          PID:4028
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.2.1317934863\412036972" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 2972 -prefsLen 21590 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76c9da49-23ae-4cf9-b06c-40789377ffbe} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 3028 186026e1058 tab
          2⤵
            PID:4084
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.3.1457645011\1376113752" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66858d6b-af65-41d5-bcbd-802e7ae80175} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 3620 18603747858 tab
            2⤵
              PID:2924
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.6.1838847505\651748656" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5400 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70a9ab14-338e-4d32-adb1-a666c78150da} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5432 1867182d258 tab
              2⤵
                PID:4616
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.5.1168700351\160132326" -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b874540d-011c-4613-8cf1-0a3db000ad45} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5188 1860499f958 tab
                2⤵
                  PID:816
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.4.424512189\1783268384" -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b281022e-6d14-47e5-9256-13455ace11fc} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5060 18602de6958 tab
                  2⤵
                    PID:2480
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.8.125463120\432190537" -childID 7 -isForBrowser -prefsHandle 3164 -prefMapHandle 5704 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eba5213-e06f-471d-8f9e-64343bc9e434} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 3124 18605a98558 tab
                    2⤵
                      PID:3232
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.7.1364597966\656338555" -childID 6 -isForBrowser -prefsHandle 5432 -prefMapHandle 5416 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20fecf78-7237-4fbb-a30c-3cb9c4f1403f} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 2940 18605a98258 tab
                      2⤵
                        PID:4272
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.9.1139755270\600513571" -childID 8 -isForBrowser -prefsHandle 5340 -prefMapHandle 5208 -prefsLen 27337 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6796df-4bdd-46f8-b76e-581807b23929} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 5328 18605915658 tab
                        2⤵
                          PID:4808
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.10.732927775\1376208038" -childID 9 -isForBrowser -prefsHandle 1552 -prefMapHandle 3212 -prefsLen 27650 -prefMapSize 233414 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5443e501-c0ca-46ac-9d44-bbf41635c444} 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 1700 18605efa458 tab
                          2⤵
                            PID:2892
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://stngroup.com"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2320
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1884
                        • C:\Windows\system32\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                          1⤵
                            PID:3776

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                            Filesize

                            11KB

                            MD5

                            ec4f0d90c6c849a024186afd45129201

                            SHA1

                            d3a79cf476b4f5975875e4b74ca2298afef6ff40

                            SHA256

                            83db33be9282e71e7a59f93047c48d1b0d34259fa320bd9e78cdd42524f7db07

                            SHA512

                            26b172cae1cc8acbdf37e234a298e67596d8db33ef2d3b9a1b6b52ebd5a09e4ed360401fd4354e937700f434d5116731d5b7590d787479661ad1ea6f15811d3a

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                            Filesize

                            9KB

                            MD5

                            a707c53928da4f7823e2b2604fcb3e13

                            SHA1

                            12e842c3dece5ac7cb50ccc5228a885dea23c3c5

                            SHA256

                            01230d46eed8e7a191927d4f39e023fee9cc6678d24f199da8328889728a78ae

                            SHA512

                            0fc6dfac58c489ecf87805c94847ab9dd538e2d13fc9ec6847d6e6fe585894f59906ff6079a54672db5b25610e14fd10ae45fb6995b555571a29b92755f4bcef

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\addonStartup.json.lz4
                            Filesize

                            5KB

                            MD5

                            240ba8559eb2129c9de23ef68fb49e6d

                            SHA1

                            bc37cc5e3dbe368918d503e4304aa90006fd99d7

                            SHA256

                            b3fd0ee397e7e3214cf9076f4fc07e22ac7c89c1f15e3dbf2fdfb4f9e697b1ec

                            SHA512

                            ca97992adceb23b333c4c8fa57c28177fafe69a2472a774907a2119111c906f2b97552308c572e78abace3e1f7a61cf402f46010d8664f68b3554b2792aac7ab

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\bookmarkbackups\bookmarks-2024-01-08_11_HGkDeNPZ7ms6hvqU18dtVQ==.jsonlz4
                            Filesize

                            945B

                            MD5

                            f9c96b966a3aa35c98bdbd141a842599

                            SHA1

                            17b1f854a2ef00d83fe90c1bb9150be185f56a8d

                            SHA256

                            ea85ab415441c4038f02b9aed18ce111587a05d6430a11318915e99ed42ab652

                            SHA512

                            92249689257f7924344a81a88a3d2e2f44e143d40be1d3a4c0150038e0d202b6322c6143e77e3b0d52cd70f0daee982bed0d55c57b9d08b6a02cdbf1aba5b26f

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\broadcast-listeners.json
                            Filesize

                            204B

                            MD5

                            72c95709e1a3b27919e13d28bbe8e8a2

                            SHA1

                            00892decbee63d627057730bfc0c6a4f13099ee4

                            SHA256

                            9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                            SHA512

                            613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js
                            Filesize

                            7KB

                            MD5

                            64004d18518590fc96367290cae7a30a

                            SHA1

                            aaad4c75f864a635272c0f9f97b09ac28fb9ceae

                            SHA256

                            b4991d7c31078c15a9449138b53103627763cc59fc2b27fb3f864446ccc80891

                            SHA512

                            f85c833abada844872ad31e3189d39adc8d2f88e92069ea48377015609240ea93c0e0af19516d9e61c2eb1fa633e8a30b4c1536fce40fb61fd2b063144711e09

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionCheckpoints.json
                            Filesize

                            90B

                            MD5

                            c4ab2ee59ca41b6d6a6ea911f35bdc00

                            SHA1

                            5942cd6505fc8a9daba403b082067e1cdefdfbc4

                            SHA256

                            00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                            SHA512

                            71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            1KB

                            MD5

                            47871fd48fd1fc42d4a9f7dfe339ff8f

                            SHA1

                            0fca60b774dd71bcba74c5d5c6fb1dcb76d03bcc

                            SHA256

                            8fcefc1e768c8cd62e9dbd41f78088cb331a71b76d6fe2538b5232aa4b1dc9cd

                            SHA512

                            cdde1f0c53a5ab7a483357c4c185528db78a4224662e8f4480206c351e9bccb149ca49a5ed506af78aec3ffd0dfb389b87a2dc09da625e4bd04728651700193a

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            1KB

                            MD5

                            351148c35b8f35f9f2b18982a88a8033

                            SHA1

                            939546f00fe9cb585c5e3ec121efb80a519a4beb

                            SHA256

                            fb72c79c4c592eaacfde7281cca26d16b9e0b096797873a2575916bc7f33d37d

                            SHA512

                            f7f991029bd4901c99342a04f34820acf0b696d72031148c9b3fac6e2264b63e97899e3a2d83b6d7cc7dcb640452fe01c51a68758815c353da95633527eb4f12

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            1KB

                            MD5

                            8875714fbe1b8274285d9c4cb1e25c3f

                            SHA1

                            f2556c706383cdbc24f697ab66a63506fe903df5

                            SHA256

                            2f14de135ff33f5c9b6cf3209cf6ec291f61c6b29abde0855c555a09495c2dfb

                            SHA512

                            0795f32b1e294d046da5c03b05b9245bde3f42e22f71dac06726b91c2da06eb2eaefa24407ec6ff390a4df40623393cf85a9bd26f73b1412a2270b22b1c1b96e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\targeting.snapshot.json
                            Filesize

                            3KB

                            MD5

                            0dcb0b0705f77b6084d2437d170c9c53

                            SHA1

                            d8b98b107cd31e8c1ae10c2826bb43485afa2736

                            SHA256

                            830a5e1ffaa2902b3ea227e721417a7b294812102f162cf3fc8009ba97156cb2

                            SHA512

                            68a947c6354834f5f1f06e05f3c15aa8604b987995783408e9d2af601820ca846ca45fe38deb0fb2a8360d6e58fb123f65af6b949f1eede911df2b93edaad7c4

                            Download Submit

                          • memory/1884-332-0x0000017BB9DE0000-0x0000017BB9DE1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1884-296-0x0000017BB1840000-0x0000017BB1850000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1884-328-0x0000017BB9CA0000-0x0000017BB9CA1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1884-330-0x0000017BB9CD0000-0x0000017BB9CD1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1884-331-0x0000017BB9CD0000-0x0000017BB9CD1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1884-312-0x0000017BB1940000-0x0000017BB1950000-memory.dmp

                            Filesize

                            64KB

                            Download