96f67cb49145ebe297a08eeb8420945454e3f4d215a80280719756af2881aefb

Resubmissions

27/01/2024, 09:54

240127-lxen3ahgf7 3

27/01/2024, 09:46

240127-lr1dkshfg4 9

27/01/2024, 09:41

240127-lnrl9shfa2 3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USFL_Latency 1.2.exe
Size

355KB
MD5

5b7ffba8071fa76d51d2f1047b069265
SHA1

b3f83521739b1ec14836d0345de4ef4a4a63dc99
SHA256

96f67cb49145ebe297a08eeb8420945454e3f4d215a80280719756af2881aefb
SHA512

c7e1a98b6e05c814ddfd1fdfca296e355e5e53a26148425e84b36295da987a3b1055abcedbf132cba5e738c23fc0b20572eaddb0ebce9a14833b3f48d14ebc4b
SSDEEP

1536:37fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf/wMuA1hvOf:r7DhdC6kzWypvaQ0FxyNTBf/VuAjA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1996	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2992	NOTEPAD.EXE
4496	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	firefox.exe
Token: SeDebugPrivilege	4472	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4472	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 760	2372	USFL_Latency 1.2.exe	112
PID 2372 wrote to memory of 760	2372	USFL_Latency 1.2.exe	112
PID 760 wrote to memory of 4928	760	cmd.exe	113
PID 760 wrote to memory of 4928	760	cmd.exe	113
PID 760 wrote to memory of 2568	760	cmd.exe	114
PID 760 wrote to memory of 2568	760	cmd.exe	114
PID 760 wrote to memory of 1996	760	cmd.exe	115
PID 760 wrote to memory of 1996	760	cmd.exe	115
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 1068 wrote to memory of 4472	1068	firefox.exe	119
PID 4472 wrote to memory of 4680	4472	firefox.exe	120
PID 4472 wrote to memory of 4680	4472	firefox.exe	120
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121
PID 4472 wrote to memory of 2020	4472	firefox.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe"
1⤵
PID:2324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe"
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1D0.tmp\1D1.tmp\1D2.bat "C:\Users\Admin\AppData\Local\Temp\USFL_Latency 1.2.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\system32\mode.com
    Mode 70,27
    3⤵
    PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2568
- - C:\Windows\system32\reg.exe
    reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1996

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1D0.tmp\1D1.tmp\1D2.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2992

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1D0.tmp\1D1.tmp\1D2.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.0.1496656947\1204994063" -parentBuildID 20221007134813 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6146da-ac05-4009-bced-3b51eb7fecd0} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 2024 270cc7ddb58 gpu
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.1.732302972\1789485478" -parentBuildID 20221007134813 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa0dc68e-f5ef-492f-ae41-d5d2e5e91a27} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 2424 270cbf30858 socket
    3⤵
    PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.2.1372807856\641086964" -childID 1 -isForBrowser -prefsHandle 3408 -prefMapHandle 3404 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {325e9185-b5c3-4936-9baf-6ea00e4584bb} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 3416 270d03ca558 tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.3.1953818142\1657749492" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec1a67c7-716d-4da0-a882-533d1f403abb} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 3048 270d03cb158 tab
    3⤵
    PID:1012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.4.1924965723\126903206" -childID 3 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0090e64-2a9a-426d-ad63-58da07bde6b1} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 4072 270d1214458 tab
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.7.1009888293\309238673" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d045c170-c8db-46c1-bab4-3a5d08b10d60} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 5388 270d2678558 tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.6.694627553\617140172" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08fa8549-d3b9-4153-9203-cf5bac9ca3bc} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 5196 270d2677c58 tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.5.2048212801\2061261656" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5068 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ba59eb-3cfe-476f-9202-d95b1967851d} 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 5080 270d2676a58 tab
    3⤵
    PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D0.tmp\1D1.tmp\1D2.bat

Filesize
4KB

MD5
5be823c245d6d7a365022b87c3f10b91

SHA1
c8bb46a969cce78052b2babd05c274b1f2d1f3bd

SHA256
df60b7d61eb12373326eec30cd90cfc876afcb3f42219ab0dd3cfad5cf2c3683

SHA512
5786220d16886badc59df673610092e974975c86ff0c3d2e80d6b4051d81a689ca66851b5323d28f12b44c3655261b4f1dda8026ddc80e55a6920dece67c23b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
79a6d4babafa4542596a487f810681e2

SHA1
6844d52673943caba60aa4fcd8f4fd56dd828b18

SHA256
17fc7a90f60fd8d21ba5db444d181e0a6363af64d12b38e154a2a83b7f1807a3

SHA512
c3cb9c44650315c3785c5d9d935381345a619087c4000ba8ca852c6e046a5b9e59bf690c238eff7c0a7f59dc5a33fe9d98a6a428198d735508d28fe125f1a3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\pending_pings\6bf8ffe8-c5be-4b74-b8c1-7914b37815fe

Filesize
10KB

MD5
65ea31a4e94d4205106986318635ee97

SHA1
1ff60325bfc14f98d104b5349d4b77218ec2a436

SHA256
5d50b0ce9bb764837b890410991db52291eec441eb1bf98d20d40b4b839d50c4

SHA512
4242754d527f29109bb8ff1cffd28559f3bbfdecb98f0555486c88cf4b92de6bc83063413567a9060f8c996577233c45fb9cc74369cbbec38567683b82d5c500

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\datareporting\glean\pending_pings\79bec2ae-2e9e-44dd-9642-fd56cc2a40c7

Filesize
746B

MD5
24318d595994122ac452a6dc90bc0482

SHA1
76d962ce086e44a666135309b8613639eb1f7130

SHA256
9838a6cc41ed379b1b144a157d6717855d2e3953a6f325aa3f4da04ccf90d109

SHA512
2dfaad3eca003b381a2a6278e924248899b5f5270130b6a466625641564b5713b1ed321e6c6342d0d1c4b8890457a7e001654d6e87e57882958db3dee6f234fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\prefs-1.js

Filesize
6KB

MD5
f0c75efe3082b6fab0ab1045c7213765

SHA1
7e9fbf5ce69d1891b021d67cc552eb92d86ce78e

SHA256
a961896048e109bc9a3a360e0b837cba7d316c58b05531a79d702572c6e82ec9

SHA512
9bc61da52b0f2f1ff4320b11a3c6c73fa9c390a959236acdedfbf42696c131acf72a96ed6464c54616b0b18fe15ed62b990e98d40c71bb07dd569cfc23080e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\prefs.js

Filesize
6KB

MD5
f4b7721db7f48463dc938ff215b51e21

SHA1
c776057703d7289b3a933432c2a0401e8a106455

SHA256
9ea1178d320592e8d0d4512fbb18703d3247b09bf95febbf6fcb813a1c47a161

SHA512
0f920b39e0fbd5bd74b12bd9c22b0845cd937cdcb9c0d8962a43bb117595a003900435281e7cabf8e27d3cd05c4242c761c819e9278e9a81493f3c18500c076b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3024359e6845086c6ee951c4cce15e2c

SHA1
2158b7c7eed56d7faf835987c429b71ae91f471c

SHA256
0f6071680b5ae73da8aea24fecb3bcb3b8a06f47354bd502b6eaaeab199f0677

SHA512
83aba62ecc9df4eab8ba9389dd820f3b7a9710b7257a6c5cbc5facef64ea2716218f8d83e27a74f59d4ce78a3c03a23c236a0087a7779bdf4b64677f3c232743

Download Submit