Overview

overview

6

Static

static

1

URLScan

urlscan

1

https://www.dropbox....

windows11-21h2-x64

6

Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/01/2024, 22:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.dropbox.com/scl/fi/cv80ib3shee71zxj1j87w/Citat_MXO_01_2024243068419451878.zip?rlkey=orgk489izh5tha05nwxpbj41s&dl=1

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.dropbox.com/scl/fi/cv80ib3shee71zxj1j87w/Citat_MXO_01_2024243068419451878.zip?rlkey=orgk489izh5tha05nwxpbj41s&dl=1"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.dropbox.com/scl/fi/cv80ib3shee71zxj1j87w/Citat_MXO_01_2024243068419451878.zip?rlkey=orgk489izh5tha05nwxpbj41s&dl=1
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.0.49122256\1953427308" -parentBuildID 20221007134813 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb4d5f4-ff13-42da-b73b-425ad877ef49} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 1896 1d4415d9e58 gpu
        3⤵
          PID:4860
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.1.845720202\722104152" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfac0c20-aca4-4db1-88df-bd5f6443d324} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 2296 1d4412eec58 socket
          3⤵
            PID:4624
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.2.1532283417\668414426" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2804 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82946548-718b-4586-8f0e-d0f5f87cfc60} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 2868 1d4465de058 tab
            3⤵
              PID:4188
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.3.851676616\1066803954" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b4a335c-ad11-40c6-8eb7-a6b336891563} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 3528 1d43546cb58 tab
              3⤵
                PID:1084
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.6.900721279\900731495" -childID 5 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08765692-fd1d-4ea6-8945-25a3bbcdb6ea} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5340 1d448a4ce58 tab
                3⤵
                  PID:544
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.5.236423100\1074531708" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3a1edad-b6ad-4a1d-8665-63725c82b814} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5148 1d448a4cb58 tab
                  3⤵
                    PID:3464
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2904.4.1400971389\470290621" -childID 3 -isForBrowser -prefsHandle 5016 -prefMapHandle 5012 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a6b8eb-00c5-4142-8e8e-cc9fda888ea6} 2904 "\\.\pipe\gecko-crash-server-pipe.2904" 5028 1d4468e2558 tab
                    3⤵
                      PID:1844

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\cache2\doomed\970
                        Filesize

                        51KB

                        MD5

                        96772c00169f2cb5805b9b44dfdc3c2b

                        SHA1

                        17388a2dfa6b0d355b02ef0959f72fbb9b679dfa

                        SHA256

                        cf1cdcec33cf81f14644ec8a1a55401c9058794925d00ac72a3c8f7189048e0e

                        SHA512

                        6f67cf6390f7fddf068c66758304a03713be2202c8a564aa54529c32abac2f756b72432f62e7e9a88997c8cf53295109d4d58490c4184e38342e868a549ea584

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                        Filesize

                        82KB

                        MD5

                        af980c3470b44946ca9a0145c258c6ec

                        SHA1

                        68161cf98e7fd4bc62a004093a1d552b44bc155a

                        SHA256

                        368d857b2d930faa46ca7532503f171c810f45424eb28a5ff322b1512d033a24

                        SHA512

                        83e3828ac233b6e3270bde6d2c645b31a802584de3047d8b7d4129352e12f990f60e2dc5e9d11dac0f313161e16d273fdae72fae79089cfa895802b61aef5405

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                        Filesize

                        4.6MB

                        MD5

                        5ad31ce1f01f6257e644a63ac78737a7

                        SHA1

                        5e18981687cf11c9cf45ea1596a52702d06d96dc

                        SHA256

                        49986b65b8ad66fd61b5de8b5bdc4a9ba476c6adf5b5193f73bc6a9d7d4b8f46

                        SHA512

                        98bbe949f0b7431240e05ab9883847557fc2dfac557c42cf5e00cb205489896d04f95b25f68254c5c3dc06ff82bd86db4db4953663e6e83bf4ac17703c3d3f9e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        aa9116b730e66d511ce6b7cba393b2db

                        SHA1

                        f096b41bfd08c318b68d95e3dbf03eaa1f4de246

                        SHA256

                        5beab386469745b879e2d4e018080c589aa6550286bd94cad923399393ae2bfb

                        SHA512

                        1dbaaf1f1f338734c15ced63f8d66904a63acec45372b8af675d4954da275d05beca76c336770cfe73d47729141137559212484dad0c4a6a2d319d3da02730ef

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\datareporting\glean\pending_pings\19993aea-4c31-4562-bda5-10bfde8d462a
                        Filesize

                        11KB

                        MD5

                        7b6786e989679e5838cb61595930a993

                        SHA1

                        fa3cc5064b318dbd0d96ba7be4c81e2dcf61967b

                        SHA256

                        83012e13649c37aad088680552b48c6ac3c6fa986e22cd0bb030b02428ae3cd3

                        SHA512

                        8fc9e337b968c7a7a8f951e83ac2fd5e32369445e1cf053a9c9d8554b09a07d030b08beddeceba14c975808c7325293d7b5669cfc0342eed53f4cb1bf11d5b8c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\datareporting\glean\pending_pings\dfeae2cd-398e-4eb6-820f-b0c0d43d3a72
                        Filesize

                        746B

                        MD5

                        e1b5025921f5e8c56f2c4aacf3ea5014

                        SHA1

                        0923de5cff3d51988bafb0de12e1b19d9720565a

                        SHA256

                        3ed2115fb2ccc4111b2ba2dc003d20770dc0c3a29ae4578537ac00ed5102038e

                        SHA512

                        c4110d1cda11c8444a3ca02075fc8f822a5c64f68f3248d8ee08edd132716eb26bfeea79f62a99cba8d53ea53aa925e930c283673fb28b9c088ea6899f638466

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                        Filesize

                        997KB

                        MD5

                        fe3355639648c417e8307c6d051e3e37

                        SHA1

                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                        SHA256

                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                        SHA512

                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                        Filesize

                        116B

                        MD5

                        3d33cdc0b3d281e67dd52e14435dd04f

                        SHA1

                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                        SHA256

                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                        SHA512

                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                        Filesize

                        479B

                        MD5

                        49ddb419d96dceb9069018535fb2e2fc

                        SHA1

                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                        SHA256

                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                        SHA512

                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                        Filesize

                        372B

                        MD5

                        8be33af717bb1b67fbd61c3f4b807e9e

                        SHA1

                        7cf17656d174d951957ff36810e874a134dd49e0

                        SHA256

                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                        SHA512

                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                        Filesize

                        5.3MB

                        MD5

                        0c17bbaf6d8e2ab80df7f08f0a2adbc8

                        SHA1

                        3f18ae40b5b10e3fb9f06c1b6d75ca1c60be31c1

                        SHA256

                        fac5720e679a5e80388417ba657aecbfc366d9f97248dcbe880fd053d7505196

                        SHA512

                        80def3d80951f6352d9123ccb670f22573bee092ad43abf6ed2f2c836d201138efa8591038b67012054e63b086cbc70dd38ae1f02391144730349a67bfca44fd

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                        Filesize

                        1KB

                        MD5

                        688bed3676d2104e7f17ae1cd2c59404

                        SHA1

                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                        SHA256

                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                        SHA512

                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                        Filesize

                        1KB

                        MD5

                        937326fead5fd401f6cca9118bd9ade9

                        SHA1

                        4526a57d4ae14ed29b37632c72aef3c408189d91

                        SHA256

                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                        SHA512

                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        376adacf0ebc10dcfe65dbee1b3fd2d1

                        SHA1

                        5c76ea5eb1ad020c3c774f96ba0f5ca2eaad82a9

                        SHA256

                        0454c47f3770554b37d121c80cf30ca5ab5472b663b20c2c94dc8851f838dbb8

                        SHA512

                        d5afd81ce3b8378a6b177d281c28578c21ed403358ca1d289c29e687831f0039a573e71cfb93be0a9e9d18789d247d60747156fe7e89b93a6b13149274292a0e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        d1bb49fae23da76713b8069aae80569c

                        SHA1

                        641044ccfcc3d75a1e975c66556f420fbc559f9f

                        SHA256

                        2b49da218a729203938c64a6165eb2e5f229ad8ec278364950e5cc525287a2ad

                        SHA512

                        f1137bbea7034b94fa20b83531f21b8c7434840298fd60af7b224eb59013563db89e97d7a064b38fbe43fec8bcf448c575f4bdbac117e8685d30b6032a1df9aa

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        54d9620a7159823daeae9a3fe74e6932

                        SHA1

                        fff80410d7bcf383b57a7b4c9ba09197d1ee0a63

                        SHA256

                        739ead6ad4054ed8333d8c643e4da7b0735f1631bfbfe9ec28b79040943edae6

                        SHA512

                        82e53fe5592c67a5121cc07894cd7f5fea309e66916fcbef1209372c28c9c92b1c98044210c5b0e69c4064f2c95090cfde52428296854ce8f2194c0596efe72d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        9a1662b9a9bf3e3f5d29e47bafbbdfcf

                        SHA1

                        c86e5faf79267a514b4733c4427a52476b2c7ea4

                        SHA256

                        b6b19e538becffbe9443d8d97defebfe4341962b4e2bdb73f131cc6c0426be62

                        SHA512

                        343142bd80d40a2beb8b25763ea6eb7bf02829b80a4fb62df7fa340c5651d7343b3374479b41523376ecb4a975e981968f94f09b8ec9c42da524ae9d055fb37f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        e359a801daae546da1edc9f4b09b493f

                        SHA1

                        910185b761677a16807d096566cb705ca52df4a1

                        SHA256

                        42e24a4698def34569c702371c1eb0dd378307804770a9d6168c30a629fc72db

                        SHA512

                        0c89c01b5fa99521e297395970c676a92696b3e6d66dc14cdd2a784591bd2b7041652a4852ea417a88adf49f67a762acdd387fe4098b431281217cdf4e658a9f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xy5ssfbw.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        9512961e6ac1dfa8daf2943e6c83cf4a

                        SHA1

                        f0e1b1f80ec014ceb511975a0f745e4bc5fdc69d

                        SHA256

                        0ed6e8aff8663e8223da3355579652b6061d767525da478e83d8f3db628ac086

                        SHA512

                        af3e34cfa2905268d7e60dc78b48ab2b9434bc669ab87646da53970de3317e30216930c6b95e6d584ac40a05a9c795cfbd2896fd7468ca1243e4d974d97abfc4

                        Download Submit