Overview

overview

3

Static

static

3

HorionInjector.exe

windows7-x64

1

HorionInjector.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19/02/2024, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HorionInjector.exe

  • Size

    147KB

  • MD5

    6b5b6e625de774e5c285712b7c4a0da7

  • SHA1

    317099aef530afbe3a0c5d6a2743d51e04805267

  • SHA256

    2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

  • SHA512

    104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

  • SSDEEP

    3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
    "C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2392
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.0.144039714\2002500111" -parentBuildID 20221007134813 -prefsHandle 1284 -prefMapHandle 1168 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {734d3cb1-14ee-4623-a4f5-21527256fd31} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 1356 10ef9c58 gpu
        3⤵
          PID:2892
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.1.1650963637\531635214" -parentBuildID 20221007134813 -prefsHandle 1548 -prefMapHandle 1544 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6401441e-d5ec-4905-a303-084935788998} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 1560 d71858 socket
          3⤵
          • Checks processor information in registry
          PID:2884
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.2.422899536\561007120" -childID 1 -isForBrowser -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83b359b9-1042-4f73-9078-a4afb18e96af} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 2176 187efe58 tab
          3⤵
            PID:868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.3.389459967\139399519" -childID 2 -isForBrowser -prefsHandle 2640 -prefMapHandle 2636 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {653fc767-f1de-4840-a3fa-769d8873d98d} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 2652 d5cc58 tab
            3⤵
              PID:1412
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.4.1353254863\37131555" -childID 3 -isForBrowser -prefsHandle 1880 -prefMapHandle 2784 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2035e7db-715d-4bba-bc92-b15a3d783248} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 2640 172e4858 tab
              3⤵
                PID:1808
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.5.167243974\2028702969" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f111617-8341-471c-94cf-da146a1f4b7d} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 3848 1bccbe58 tab
                3⤵
                  PID:2568
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.6.2021196829\1022025959" -childID 5 -isForBrowser -prefsHandle 3960 -prefMapHandle 3964 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb86bc47-4bdf-487c-8b61-4203fdd0bcca} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 3952 1e5c4558 tab
                  3⤵
                    PID:2748
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.7.316821014\380877486" -childID 6 -isForBrowser -prefsHandle 4140 -prefMapHandle 4144 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bad428cc-2e7a-4075-980f-e3b7573e777c} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 4132 1e5c6958 tab
                    3⤵
                      PID:3040
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.8.599002386\1824737422" -childID 7 -isForBrowser -prefsHandle 3400 -prefMapHandle 3672 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11dd6bfa-9369-4b1f-963a-9cdba4db3f16} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 4428 2062a658 tab
                      3⤵
                        PID:2828
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.9.50549499\350917599" -childID 8 -isForBrowser -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bad1760-4509-4f58-a569-9068dbf709b4} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 4708 10723f58 tab
                        3⤵
                          PID:2116
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.10.997572063\1086776392" -parentBuildID 20221007134813 -prefsHandle 3196 -prefMapHandle 3200 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0f70bca-ecb8-46f7-b011-76b1c54b1414} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 3068 d30858 rdd
                          3⤵
                            PID:2164
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.11.21600193\412392732" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 2712 -prefMapHandle 3224 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bf7fa11-df2d-4e5d-927b-2fbe08583569} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 2640 d67758 utility
                            3⤵
                              PID:2064
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2744.12.1261845137\1695123053" -childID 9 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {422be0b5-0f1a-48a7-86f0-87f8422bb73c} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" 4980 209cff58 tab
                              3⤵
                                PID:3208

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\datareporting\glean\db\data.safe.bin
                            Filesize

                            2KB

                            MD5

                            a7af6fa0bc8c30d426f08c480fdf6dc4

                            SHA1

                            e74bde59a2f12717ab6aceb137dcc6f5a3c45bea

                            SHA256

                            ec3eba380a1eae39b2c2286bd2fa6c25542bf491a71be7a4d1d9633c80eafbc3

                            SHA512

                            149002614e6a28e8a79a3ddf1e388fa8f23cf6326bfb0a11d6ceb764be3b7580d700b2f26660b756f0455e05f491d22cc8cd4d289a6b166dc283304a5f6ffd3d

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\datareporting\glean\pending_pings\222bf97b-7842-4bf8-955f-28a58e55d239
                            Filesize

                            13KB

                            MD5

                            480623864f7e00777ff94d7ee3e553c6

                            SHA1

                            44fc8ec949adff2470d23d535d4a3a033dc4de63

                            SHA256

                            e005f0aea024c927acf9b133b3a63dc8a2b0a2d6d780b50fc8299b0cde741a67

                            SHA512

                            fa6a5641a3a9bf8df168c2daf66a11f4109f63f75e7c10014534b033335d906587a75304b7c15b4237c83d2a54d1a0dd6be731225a3fc3a9cb0e7aa9645164d8

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\datareporting\glean\pending_pings\7e33429c-f882-416e-8461-4f822dcf5adc
                            Filesize

                            745B

                            MD5

                            04c07dfb7ca8b6b06e6b3a284e805b87

                            SHA1

                            57e43e1c78b1cb34ac19f1344dee7b2cdf122ccc

                            SHA256

                            55a5f8243e91218c52aadefe52ede7e956de8e951de1ae52ebc8828ac381880d

                            SHA512

                            e00b65ebffc0ce423edd0bf21de2eb3401c1af6a0b7eaf876b8dd5da224c77874c29315715eb666de5d3ea3a6957bc0b67a4f2675c6851ff380c550b62f08a96

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            4daec0938e5033b0ee987c006696af16

                            SHA1

                            f3b734c024a3a70fc86cd2d744b176e82f091f7f

                            SHA256

                            393872fe160c7f4f7c976abb9c4b05398c407bf61742adc4d7dcbaedc393c01c

                            SHA512

                            abe9628417c83369c369a4e79f663e415f67ccb0244bb6cf84be8a5e92bff8e969a8de34a6f740b134edb1cf76a3934b3c3e47f463d0a29457140df748102f39

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            1KB

                            MD5

                            94bdeea9d553e989dd9279e917a64c47

                            SHA1

                            e2aef4a7d21020a99cff0f9536eedc8644401e96

                            SHA256

                            d5d5d4f14eefe46189147859254b407649d0773ff11231f1f2e851857ec4719f

                            SHA512

                            6abb66d2e3fd7f5332281156f26d070263e0e849da508d8b9438a0018044480379ca2041e35f3ec9a95d75260fb692c95b87b24ce7b2a4e7ce158a59cb5c9fb5

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\sessionstore.jsonlz4
                            Filesize

                            2KB

                            MD5

                            980a4e5aedf5faf9e96691f173a9e5fe

                            SHA1

                            f1abc941157b37d11cff4c85095babcb171592d6

                            SHA256

                            bff71f29c4386389940ca7e272a6cf5fef39567bf0133462fb57666a41a8d574

                            SHA512

                            f45572c8ba9e0e09e3c6ec54963a1fba29c4066ae745cad2e20b0265791593d43a2b84ca7ca83894bdd574152b07d8728610adfb85b3e6cc746055aca258ee99

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\storage\default\https+++www.youtube.com\cache\morgue\50\{3e45856e-728e-4558-b7db-df66a72e4b32}.final
                            Filesize

                            192B

                            MD5

                            2a252393b98be6348c4ba18003cc3471

                            SHA1

                            40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

                            SHA256

                            04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

                            SHA512

                            07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\storage\default\https+++www.youtube.com\idb\2241430006yCt7-%iCt7-%r6e8sdp5o.sqlite
                            Filesize

                            48KB

                            MD5

                            d02744af1559c7dd267e06825a50ef4a

                            SHA1

                            50796c7cf925a0ceaeb2c7b22d2390eab13b6fd2

                            SHA256

                            c5c85c014e2bdcd79ed424302b50b3da89189002437413e65bf955cf115f0816

                            SHA512

                            a6bc824d1f3f3df4a2b838e7e49f0e66293ad86047341429f1121378272bf9af3c845f15764cbdf70f8061c9dfaf26dd3b84d0e60f4add8e3eb39e3968539f6e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xm25i6ct.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                            Filesize

                            184KB

                            MD5

                            7403d14d6e4ec29afdb0966a97d06dc2

                            SHA1

                            8673c6ae8631aa05290590a7be895326dc3dc5a4

                            SHA256

                            d5e36a0e7c8a3f2f54cf21be864174a5db8b7e9f7bbe06b5dd909cee4981b9ad

                            SHA512

                            cbdcd8af55b61084f29566e2dc0ed22423b5ce46f306d9962bd8e41057f67910f67a373aea0c8156cd2100ae4de98ecf078e383e1729b38b537c2af87bbe191f

                            Download Submit

                          • memory/2392-5-0x0000000000760000-0x000000000076A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2392-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2392-9-0x0000000000760000-0x000000000076A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2392-8-0x0000000000760000-0x000000000076A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2392-7-0x000000001BFD0000-0x000000001C050000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2392-6-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2392-0-0x000000013F2F0000-0x000000013F318000-memory.dmp

                            Filesize

                            160KB

                            Download

                          • memory/2392-4-0x0000000000760000-0x000000000076A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2392-3-0x000000001BFD0000-0x000000001C050000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2392-2-0x000000001BFD0000-0x000000001C050000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2392-1-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

                            Filesize

                            9.9MB

                            Download