Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2024, 13:19

General

  • Target

    kernelmode.zip

  • Size

    42.0MB

  • MD5

    f72611c738055809a296cc4bb8a00ee6

  • SHA1

    351ff7505cdcde751f2cd0832cf7eff3a463bb1d

  • SHA256

    9c896bbc1cee6463af1632df82c89b03e105fd5a831c5ae0e33057e363d642c3

  • SHA512

    ccf37dcaf3cc015c2e35cf2ccc5e6a2edd24ff87ada7c2c41abc74b56135cf9150314672a39a7f46be67ee91b28341a5dd09259a5daf1fffe9a6ccf316996cce

  • SSDEEP

    786432:ERaQe6MOrQJN90rm84cn/dDPLTY7ed2Xhdtq6AZREDvw3t6Avp3gYrB7YVT35IZZ:UaG00D31fTY6d2XDyyoPp3gOB7OJIEGX

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kernelmode.zip
    1⤵
      PID:3308
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.1865821942\1109673172" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f37eecb1-1b1f-4d73-b545-fbe9bcabf0d3} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1904 2df72ed0758 gpu
          3⤵
            PID:2916
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.371004060\1967888953" -parentBuildID 20221007134813 -prefsHandle 2284 -prefMapHandle 2272 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b26aa458-d89b-423a-8473-fd991680475d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2296 2df66d6f858 socket
            3⤵
            • Checks processor information in registry
            PID:2972
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1055748337\1044407676" -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 2908 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9827e7b-0900-44d2-aa61-387f49c96459} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3188 2df7769a758 tab
            3⤵
              PID:1624
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.759554448\351764686" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 2988 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {800f1fea-7938-4c7d-bc92-3d29daedbb21} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3584 2df78416b58 tab
              3⤵
                PID:1220
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.169078337\1352991789" -childID 3 -isForBrowser -prefsHandle 3480 -prefMapHandle 2988 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2979d06-1c6f-4fdd-bc63-eb3f43e86fb2} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4184 2df788f5458 tab
                3⤵
                  PID:2632
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.478025589\1552884216" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3933320-8678-476b-bf96-3f6b8e26e5da} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5504 2df79972c58 tab
                  3⤵
                    PID:3012
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.988877532\1807643638" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {083ccde8-99f6-40d4-aa08-d9f8dd9d2897} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5296 2df79972058 tab
                    3⤵
                      PID:4052
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.234963636\912913708" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99d5573f-9e55-4988-bee7-362fd64e45bf} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5164 2df788f7e58 tab
                      3⤵
                        PID:1840
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 82b5f53bce4857a908be53fb00c53f97
    SHA1: c87b86e6aa7d1291c36381054548058dbe61c64c
    SHA256: a25740d8e04915fc16f45688befddc22925fa7014038a8b7125ddbe1c255ae20
    SHA512: 12b83d69df807be205c2980b9fe900866ae9092965faa0c1c993bb1f1dbb4e265b4bb2cdb3509ec9be61f29a86a93f4261bee05b97511119c8c2b80b0dd08c7b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\pending_pings\359cd94a-9673-47d4-98a3-0331ea94393a
    Filesize: 746B
    MD5: ad5fcae93e7bd9dafc2beaa8fdacd21f
    SHA1: 27e661e91d213ae6dc2e2f3bdc77850fda252e18
    SHA256: 2709fd087f3145bbe6c97faf330580a39f357c1aa82f07771b46b2f24401d8a1
    SHA512: 3934856dae21e348088ab08b4d7174b1cc9730d4b6e3fbb9107eb0f85f263f44e51b98b8a3992532988dd86720766814c1a84c9cfd76778441ac4869e764bbec

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\datareporting\glean\pending_pings\93fb9db0-51b6-4c6b-97eb-0273f1da037f
    Filesize: 10KB
    MD5: 9efc8bce848e3ad84da9ae73b87721ce
    SHA1: c6a8dbb97d5f7271cd6836997e03e357a50f03e3
    SHA256: 016d3f9b5e261e314770d38164a479af8568ee211a3aadc8fbf935dbe642fa2a
    SHA512: b49b3df86c490eb6878ae1bee5e03c1169ce3aa2cc22775a74c2988747e98099b02129dadb04e8675cc7946555e3ab3d5df714e717a8c481f9a0044df09f8f0d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 131be2efe65ea57ceff450b9bde505fc
    SHA1: 446bafa08ac4c622295d7ebab27b6f2ae3044ecb
    SHA256: b54773da90446dc96a1437051b355617464abb8d0c785317f15e94c58623f88c
    SHA512: 99f0bc314112401b85460a47b7c9b49818fe4d456aed0f0550fa428cd8a282acfa004a970d806acaf0bda5a86079c3da3b1ecd0baf7a91b9d3e0407413928f48

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\prefs.js
    Filesize: 6KB
    MD5: 233c4271042ca61d796ab739e6edb3b2
    SHA1: 8fac82d3611c115c22e9e041a9ea1013bbb86cd8
    SHA256: 3b582d28bc2750489e8d77c347a9916bb6745552ec24b9a1324e9db96bbff6e4
    SHA512: 02858144feabf9e117c95be68dcb7a9fc4f3340ce9fb9bcd9c955d370865a7699ee73fe2fa71840233439bebe2f2d1282762f5a5a9ea0e510c1e7e3585f704e1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 7d6f2677c997509ff31a9243d9d52cd1
    SHA1: 4c1cc8ef647f37312aafc8e468fa7424530d1f27
    SHA256: 6d88cfac1e667eb8ac17585c9735c1985588232460f6707f290b2556277267a4
    SHA512: 31c9ddf22b8e6f72d039e272bc076a7be3eedc3332599d854fef0b59eca90e29c38c58020db0ae02770236c74bbec04efb8e8438592ce3b152fb111fd1232fab

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ubtcfhsb.default-release\sessionstore.jsonlz4
    Filesize: 889B
    MD5: 23ac7f9e068535f8f4c30731476bbb63
    SHA1: c869b1988904fd47cd3ccbceff41e05592414233
    SHA256: 551c3db7eb34ae561a3fc727d1da2cd36cc542bc6978da54125387d08a559b4b
    SHA512: 19e3116770f5b98ef9319bdf5a568aa37008f2ce1c25f01d7943d4f726cb75d75fd4e787a5c2b59742c08d930b5b4c70c00fcadd53e352cea7b24d677356b8ba