Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-02-2024 12:22

General

  • Target

    IMG_2143.jpg

  • Size

    1KB

  • MD5

    093be9e5610d338b81c4d93696439df5

  • SHA1

    e6d79d92fb323def237c63e2a1e2c75cf4fd1823

  • SHA256

    0c861a8bcd2ffd0df41f0ff4b39536ce3eb5210ffde63cbe0028075942bcd956

  • SHA512

    8ad619d2f3de461da4a311c8bf4eba3fd199589df8d083e802deee8a045b16119af8bb508dedb9b5981a6ca133b24e516e7fd36b35c13058cb5d974c5bc5faef

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_2143.jpg
    1⤵
      PID:488
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UndoGroup.ADT"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1996
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.0.1121387210\1899600168" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbfa7f39-7478-42dd-a331-3c6c26615052} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 1872 1d3bebdaa58 gpu
          3⤵
            PID:4464
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.1.1812168355\377556163" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af43321b-9db0-46a2-8be2-7f9ffa1f94b2} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 2248 1d3ab672558 socket
            3⤵
              PID:1848
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.2.2081518552\1657165410" -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d343f71-9b45-4a82-90b1-556fe503c56b} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 3252 1d3c3df4a58 tab
              3⤵
                PID:1088
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.3.1769985298\1532827018" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22ff6cf5-181b-44ea-9608-900ae61414e4} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 3648 1d3c36ec758 tab
                3⤵
                  PID:2468
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.4.1064890389\291317287" -childID 3 -isForBrowser -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ade1818-eb55-46df-8f09-7b7a2918373b} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 4492 1d3c52f7b58 tab
                  3⤵
                    PID:4172
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.5.231864666\1041943327" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4968 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d8cc07-148e-4b08-a8bc-8b74f05fb840} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 1576 1d3c419e858 tab
                    3⤵
                      PID:992
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.6.345582326\1351164577" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5288 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa7bd65c-5b56-46a3-b0b5-3c0ca4d938e0} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 5276 1d3c60e2858 tab
                      3⤵
                        PID:660
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.7.864018266\1464756662" -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {240625e7-2a67-4137-9910-7de8d2a6f562} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 5376 1d3c60e5558 tab
                        3⤵
                          PID:4636
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3960.8.1578510817\1446419147" -childID 7 -isForBrowser -prefsHandle 5792 -prefMapHandle 5816 -prefsLen 26458 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d848dbd0-3e6e-4e57-887c-da47df4f40ae} 3960 "\\.\pipe\gecko-crash-server-pipe.3960" 5828 1d3c80a4858 tab
                          3⤵
                            PID:5096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    e844742d28b3ecffe5274a81ee574b03
    SHA1
    d801d7832ccbbaa6719082f242ec5e210d52ce11
    SHA256
    cf105c4cc8be8d50ab173e6f23866eb387c82e9bf49182468b450717d76847a2
    SHA512
    e7b34679af6919052e70c26357311da858c491840308261819807175736b3cb0dbda11ae54c9c50d8ae8120823ff6ce4d55d72317915fdc90fb87d110d3671a6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\datareporting\glean\pending_pings\11be87be-919d-4dc6-9486-4efa81dd5a71
    Filesize
    746B
    MD5
    ff861703fc4b0c7efebd396a4b458367
    SHA1
    1875e8f4d69c9b5782e73287558a84b9c844a3a4
    SHA256
    334c697ab53dbf390714e0806fdee1b4cb06ee332eb0d39fcf50e3b34ae9a98c
    SHA512
    16ce021a6ef704a0b04a8341914a90ab6310559c94871654915474bff606d88745188342667822d63ea3fd714166e461d2b2176bf0d6abd050d109196851d4f3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\datareporting\glean\pending_pings\8e5395b2-2d87-40c4-98e5-bc75a187eb4f
    Filesize
    12KB
    MD5
    a23b38ffac6e12da0e9a66e40a373034
    SHA1
    d7740804050bc2abfed2df9e1079eaf646d241ce
    SHA256
    e12909c485dfe1f0009cbc2021cead3c796c03f277954014d8c0de2a0e73d7ac
    SHA512
    6b3d3870b6958a90e65897bd3e3bfdc0a7aaad35968ce60d8a0b191e4fe55ccb4c98a78d669614e1964d5c925f02d125ce8a13965764dcfee80588c66a27cd08

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    82f07c6297c3188347ed848d457376f1
    SHA1
    1a13d198e8e1700958723cd678472195c48571c0
    SHA256
    a0ea6d5c72171f819fed7f97980c38c4c393e403af8cad91fe69cfce03b25f0a
    SHA512
    274fe475b5a1febcba3eb62a112b2e6f8681889817881fb68a3ac1e14e913f339ec33e3a92e1d5f1c6c1654b0f7736f958027844e9806117e623424feae1105e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    e5804147ce48eaacca3c7c2cc8e1b85d
    SHA1
    9129fb7c069631fdb6b28637e2403c299d73182a
    SHA256
    a50b0843aa85267a82c17525c9af339c639e8511b2f4958916b5dcb57ba8ffaf
    SHA512
    e610a117e1d9c6c163b0658c29be209d931f6e7649cd3f42822632db08dfcaeb60c1110c25e67748ee3ace0ff35173b4cece3e31d26ffd172718ff68a1f330ce

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    65a9d03336484a96520c79ff80fe70bc
    SHA1
    0e25d51a89ae21fabe43d26ece022c2724ed8637
    SHA256
    1a4d5ea567849f9c5ad79fb5dbbe18ff50ec9202c08694b92a0630ca880e20cb
    SHA512
    c023e38f1a12c5f999ebc2256ef9fbaeffc5777cb19860f6e3de56e586db5552e16afe835a045cfa524f099e16c48ff00643c5627742205a1235290c75b59693

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\orgh2jt6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    9254d0d248dfb535e5abd0611738ca1a
    SHA1
    a9e1aa772026c0fc198207b8ddd0b56a0fd1aacc
    SHA256
    7fecba91a15c522f0aab8f60bed1025b4032c86c503e38c4a3c604a69181d871
    SHA512
    6fb80619a1b779559b3596463394fba9c55b6e31ea1bd53c0e1ad6f1b54d7d05cb458a6abfa3646ee95b5cce4b55b1b736c4f8d49145d9da5fb7d2049fe2425c

  • memory/1996-7-0x00007FF6A97D0000-0x00007FF6A98C8000-memory.dmp
    Filesize
    992KB

  • memory/1996-8-0x00007FF959810000-0x00007FF959844000-memory.dmp
    Filesize
    208KB

  • memory/1996-9-0x00007FF955380000-0x00007FF955634000-memory.dmp
    Filesize
    2.7MB

  • memory/1996-10-0x00007FF943300000-0x00007FF9443AB000-memory.dmp
    Filesize
    16.7MB

  • memory/1996-11-0x00007FF942D40000-0x00007FF942E52000-memory.dmp
    Filesize
    1.1MB