d336b2a845b492526620586520357b9170397ba68cb9cac952880c3ccfc8b6aa

Analysis

max time kernel
16s
max time network
51s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
13-02-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

link.txt
Size

259B
MD5

899d6b60cc700404ab76ff983f144143
SHA1

51b9f18767efa907b13e7fe8269748799897aa90
SHA256

d336b2a845b492526620586520357b9170397ba68cb9cac952880c3ccfc8b6aa
SHA512

f59a995093b92606b8d25aac1969e961119ec0e4c44514a253d11960e9a1364facd5b4956e7b4c9904edee9efcddb346d8d5a999ae38a9e77a36458bf5051fda

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3536	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74
PID 2808 wrote to memory of 2988	2808	firefox.exe	74

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\link.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
PID:2988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.0.881326192\1593220070" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {847abf46-b6c8-4824-8d38-91da59d6bbfc} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 1780 26ab37d7958 gpu
  2⤵
  PID:3972
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.1.482583993\703993652" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bacd6cfc-57dc-46d1-abaa-f2948cf4409c} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2136 26aa1271958 socket
  2⤵
  PID:4364
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.2.434499969\73313765" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2860 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e7b2222-fd07-4d81-ada4-beafedcf4a0a} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2732 26ab375ab58 tab
  2⤵
  PID:668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.3.1979056306\725977663" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3192 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dcb90ef-6458-488c-9501-4342145001e5} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 3368 26aa1262558 tab
  2⤵
  PID:4392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.4.2062766157\890374006" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4300 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0312d16f-bfcd-4b29-9890-13a54b5e37df} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 4312 26ab8d5d658 tab
  2⤵
  PID:4696
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.7.2107319604\1412202610" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf73099e-972d-4f88-ae06-0b0f01429305} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 5196 26ab9ea9b58 tab
  2⤵
  PID:932
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.6.1071285668\1326181227" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2b248a-7873-481d-93b0-1a7ba5824dfe} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 5028 26ab9ea9858 tab
  2⤵
  PID:1828
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.5.2080663188\1990497711" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53115c39-a785-406b-9511-254d01164e5a} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 4900 26aa125fb58 tab
  2⤵
  PID:4080
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.8.749307213\1707014135" -childID 7 -isForBrowser -prefsHandle 3140 -prefMapHandle 5232 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dd17a4e-6c39-41f0-8703-70c560a5b3c6} 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 5512 26ab5ac6258 tab
  2⤵
  PID:4672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\28jjyjhp.default-release\cache2\entries\2E52747CA0BFF4DA9B184EAAE0532CB41789E507

Filesize
56KB

MD5
e3b75adde24510a486c9b7d52c135ace

SHA1
5cf8f060f6e08e948d1251e006f3f8564e34f26d

SHA256
091eafb05eeb9967fad13ee3d912e6737a2401521c1e62c5efaa8c1d59dcc7b6

SHA512
22be46ed3cedf1bb496ea4c767a1a322087128d10dd016970e8750ad72129317affddedac551162194b55cca97b5ed8188b5df96f6a7750c3603c5a5254157ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
dbb07f1600c18b3c098ab2fafe6b5559

SHA1
777bc48c5c585ad6b591e5cf4a5575a91bce3c89

SHA256
3da12f95d3e7122e3c9e9dff9d6cea7aa2aaade1ea855861559f6557edd30f4f

SHA512
c9decacad71e6bb1f3fc9a6794c0863b5d5be2a9d4af5eebdff35ef6d10fa6581bd3fe5da5e921557b92b6173bd94dad8cfe7ce0bef10950d5bcb3d54d8a9757

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\pending_pings\5b423cd8-9e3b-412f-a1d1-c195b01cd00c

Filesize
746B

MD5
7c1b2abda7257925d69b97837b09d747

SHA1
306c3250003a1633d4adcf9078c040890229a88c

SHA256
943c21d8a09b96232527b8e45bbf7a17bb4018c00813532c1c49ebe33d62fc6d

SHA512
71b1bda4c0d680687ec9ceaefb845d6c50c85b9e26dee8de3500be98ac1b3bb5f1ef0f4cc75f9f21ef323ec8850a433b8923a919411a89eaa4589dba0488842b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\datareporting\glean\pending_pings\e85e1a77-501f-44d2-97cb-1917becb6b44

Filesize
11KB

MD5
022d5c7d557f170f0a68e8b799de37f2

SHA1
b02c78f1463c3335932895c680b0e12c10ade877

SHA256
82d8c250468dbd466760fe369020a73181eaa02dc4e0cb2423b905e112779af2

SHA512
1e9ff8f7e7bc8162a64f355e1fb5a3d63ab392bcc53c29ff0dc63823fd0502670787cc70362696d31288d8aebb07f2942580ba78f6bdfbfa2cbe3fe6879d5027

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\prefs-1.js

Filesize
6KB

MD5
14e64d585a0b3f1b418858cb71a70a18

SHA1
0f4e56f5eb38585f2eb3704f92dcba3231fa1971

SHA256
96a6a54572b69fb4e56f635cfe4f0d3aed7a3035d378f868adc2601f64e0f993

SHA512
974b985f3087db1bdc2f7d628bf9cc251923391950bfb4ca42dda78072fde40b0857bbc40ebc03e6a9da0bb79eea31725dad815c193063082d8c5bcde56741b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
4f87847001c7ef16158d97c6580970d0

SHA1
6bf0078a23040c8bc7d576d1363bdf1dcb90e8bc

SHA256
9c2e5d03ff8c4f2f06ba167a1d8b583f956adec8544148de93ee2da82059dcb2

SHA512
47d6cb69e3221c5678d93ae58511b6e51beb1a5e556365b7fbe4f5e70373b9c9df079f052cac07e7be8aaea973b0ae0aecb76ae871a2b03b7dc24db4a1de6b4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
74fffc0e9ad0521e3f1b407264809a3a

SHA1
b676322b47f30aa3ee329c924d533316b88e484a

SHA256
c2b6cc22d21f74a28967d72a0940cd2ab3b0844646897a8626c325efca646aee

SHA512
2786cdfcb64245c2a06e990cb290581045961298700239848b3c291a349b99e78c7dc6b3b79a14cfe3bb06da62af269a27497b3d2c6748b6a058a1eb98b8b6df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
caaab8268f60d9e5e2b378c74420a269

SHA1
b9080c2652b53cb3e3266946c66d14968f8b675c

SHA256
f0400febdc33128687b3464d9b8789a293362dfee5f2738391eca6ce8884de78

SHA512
f045b29893f8c30656f67bb67a724282fb2aa05d44367e908496e93c352f6a7223edde9306252fcebc0eb5d00804b49d8e53f7744ca28f2ca8432ebbe94144f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\28jjyjhp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4eda6874c272bffcb52d78ab368c2a95

SHA1
99b01e289a92aaaf6227ac0488c5f76fe05317c8

SHA256
32750c4de1eccb5d40a5689f9bb4eabfe23c04adcb470d761ee44ca88dbd778c

SHA512
9fddd56b0b0c80c26e0923dca26a96115f50ae066e8b2c21abc461c64c5b7b3749bf6c56c99804c25462abdd65bd2108d6573abf5eafac89b66f8a237f3bfa31

Download Submit