Resubmissions

19-02-2024 08:57

240219-kwn1nsbh49 1

19-02-2024 08:53

240219-kthe4sbe9s 1

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-02-2024 08:57

General

  • Target

    42.zip

  • Size

    41KB

  • MD5

    1df9a18b18332f153918030b7b516615

  • SHA1

    6c42c62696616b72bbfc88a4be4ead57aa7bc503

  • SHA256

    bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

  • SHA512

    6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

  • SSDEEP

    768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
    1⤵
      PID:3592
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.0.2083891162\921015878" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2da9c32-8499-45e4-b19c-94d6271db1f1} 864 "\\.\pipe\gecko-crash-server-pipe.864" 1868 265bffd4f58 gpu
            3⤵
              PID:1100
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.1.335642908\1843714092" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6705a9e0-bddb-4d71-86a0-c8cca3c1b930} 864 "\\.\pipe\gecko-crash-server-pipe.864" 2244 265bfae2558 socket
              3⤵
                PID:3972
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.2.1536479482\212521985" -childID 1 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a55d6fb-6f98-4355-a781-ed0352519191} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3408 265bff5ab58 tab
                3⤵
                  PID:2232
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.3.882687852\727359568" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3668 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b5abc8-72cc-4b10-af2e-641e98fc122f} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3688 265c48c2858 tab
                  3⤵
                    PID:3524
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.4.1569791133\743453303" -childID 3 -isForBrowser -prefsHandle 4488 -prefMapHandle 4476 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4928db72-65cb-456f-9a26-982e9954aa19} 864 "\\.\pipe\gecko-crash-server-pipe.864" 4492 265c6bde758 tab
                    3⤵
                      PID:3332
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.7.892293096\179107207" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3670b0e-de47-4477-ae82-5d1dc9d71c8a} 864 "\\.\pipe\gecko-crash-server-pipe.864" 5304 265c72de658 tab
                      3⤵
                        PID:924
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.6.1699831035\480008146" -childID 5 -isForBrowser -prefsHandle 5008 -prefMapHandle 4936 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e23d462c-f3ab-4df9-a7bb-ff91fdb82333} 864 "\\.\pipe\gecko-crash-server-pipe.864" 5108 265c72de058 tab
                        3⤵
                          PID:3380
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.5.1633020872\1283125848" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b878783f-4fa0-413d-90dc-2a4c4c92b8d3} 864 "\\.\pipe\gecko-crash-server-pipe.864" 4988 265c50a3158 tab
                          3⤵
                            PID:3500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    2894a75a16c4514b7e3518f510c8599d
    SHA1
    fb338521e47b53846cf639a1c76a4febb9c37556
    SHA256
    847dacbb918aa69b796de9ba039685cd38ac2a1fe45a7a61ae309fed60031557
    SHA512
    5489d9a365eac9faf7531c3f29873b173c29529bf58ae80d745108c8d2886cd56ef58d84b03da519f4dc1b41ee7d123ce69c53320c21143015e8f4582fb09926

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\datareporting\glean\pending_pings\80b0e773-1557-4603-85b8-61fe4095ce2b
    Filesize
    11KB
    MD5
    9dc9c4b70912952a53b5f685303697bb
    SHA1
    13887817745cc49637ad95741f2191f75b1a4dc4
    SHA256
    8f5ca47f3611d76f072a66703ce5c329a1fbec166681a554ada9a57eb8e7d1d7
    SHA512
    98490a842af7705b898d5fa871f4d2d80ad3db14ec799dbd06d65eed659925afe752580159463a9a56f92592bb855c8e2d9c371fd9786853e0d2e92f4cc06fbe

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\datareporting\glean\pending_pings\f0008bb5-ab8f-4735-858f-e0fb6eabfa8a
    Filesize
    746B
    MD5
    a259e5b1d285a5c7ad51f597678eeb36
    SHA1
    2881b367c5a6b390abd294c05f6a20b0c17e6e02
    SHA256
    4a923509895aa6b5715f23be253509174daa9ef2ea1d6d784dbb5848bc61be19
    SHA512
    bb3866db11fcbe82d4d2a5d79f20b82d75d3efaf1d4d49907173b52de80ffea9a33ae84cd8e557ffcb8b7b68c47e0b8b127d3b0466e186121320e33d0de5a323

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    997d46daafc4994a08946eda6680b598
    SHA1
    2269a13c3e7e7e758c1d3ca3b9799b6a2eed536a
    SHA256
    8f56db30a13cbb0fd9c3196f8f28a3d9793502f94e78cc6bc84af07ea7c0814d
    SHA512
    09fcf7d059b28130ece1f46423e7f0751c126e26e06a29f5b75419b998a79c6d6c905912b69eb4581659a343420248ea48e3b740c32b8d123ad9d886e03a1ce2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    946ba0d48d45675e414f8b6ceb1449b8
    SHA1
    81a093975ab0d98ce2db435db30f0d899e878629
    SHA256
    5cf67ebf5ebd8899760171391f48d81407b6f8737ed2d54dfe05aad896dbbf54
    SHA512
    6cb5fecee541ca7ea13d167a73018488644797fecaa4fad655e4f60157a9498997e5f16cd81073866f75443e5d195e2a95c24109151c1b6cd39ef62fc22adff7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    8ad328134f86a746842e8c710112416b
    SHA1
    343d4c3836e623ddde7e7d433f41dccce4e2eb47
    SHA256
    59b5135ab7ba18825196936145e4be32cbe0ed727bb399689fb08450a7f67aec
    SHA512
    05cbec70b363aa7af0fc8ab62ae0333e6d8d2232a93e30a9e93acefdf2a455ce6e7c1f3a2f027cd360b435910f1c29a850d036d4b2e5ffa4a71284a163cc9573

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    e0999c3be696fbdc1d17b6abfca85e99
    SHA1
    cab6d819fb9888331754387735c410abd1b3f0f6
    SHA256
    64783057fceae4a799dfc29fe578e4b0c5cf1d593f3dc63a67731ba7612f3e93
    SHA512
    89a27d9c512950626bd405f8f40c7a042b78d7a7fcad4597d7a6e15cd7ac3ea3c05ac23713a5bba8c52bc8c5fb07e44a40db82111a143be8276e26b16b0c1985

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sxl3jpn4.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    d57be7b09565fec5e9332aefe0209787
    SHA1
    e4c2902374e2311e5916c060f7ed73588715280a
    SHA256
    fcbd6f87993b0ab2d001582b7655a319cdeb1f55d4ce094911dc2e5080bb84ef
    SHA512
    177701cb76c0f2bce0be6d620ff7313c831e440704d620bb795a2a58a5be5d4f025ddeefc396991dbfa78ef4c87427aa6aa081412ef7ac21f334f85de433b385

  • C:\Users\Admin\Downloads\NzXWqrA7.zip.part
    Filesize
    41KB
    MD5
    1df9a18b18332f153918030b7b516615
    SHA1
    6c42c62696616b72bbfc88a4be4ead57aa7bc503
    SHA256
    bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
    SHA512
    6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80