Analysis

  • max time kernel
    62s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/02/2024, 18:19

General

  • Target
    id_rsa.pub
  • Size
    575B
  • MD5
    5c4cdff67f5e3d96b4f249d9c4939a63
  • SHA1
    75ad967e74728e0179e03031178815a970bbe789
  • SHA256
    31df9a0c7429c6adee265999deae7fb383d1438f83542906bd13f59e45de1524
  • SHA512
    d0d93fecb165e0e3c56adf47236a04d67eb5869b267736d5c5ac8e6c60a0b491fcc7485da15cf31889f3859119f3d43808e79963fc7171bccbda2b0d7d0041f7

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\id_rsa.pub
    1⤵
    • Modifies registry class
    PID:2200
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\id_rsa.pub"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\id_rsa.pub
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.0.1198472870\170323345" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9b50b6-d501-48b1-a35f-f663acc77eb5} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 1948 2134b2d2158 gpu
          4⤵
            PID:2956
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.1.1716172619\1852294011" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb2769da-2b5f-4f73-b1d3-8616ad3ad361} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 2372 2133e972e58 socket
            4⤵
              PID:2316
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.2.547366610\1186691944" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3312 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b17abc-484b-4342-8a84-0f4be1b44025} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 3428 2134f437858 tab
              4⤵
                PID:4396
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.3.309758202\916721586" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c4cb3e0-4b01-4f7a-a7bb-4a5f3782c712} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 3624 2134ddb2e58 tab
                4⤵
                  PID:3728
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.6.1935047079\504525085" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eefd7da2-b404-404b-9d38-776d1779512a} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 5288 213518b3258 tab
                  4⤵
                    PID:2688
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.5.1637419625\1509835431" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4920 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {592d0f12-7ca2-4bd9-82b7-655486f600cf} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 5104 213518b1158 tab
                    4⤵
                      PID:3516
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.4.1712671915\898032764" -childID 3 -isForBrowser -prefsHandle 4552 -prefMapHandle 5020 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b6d705-1813-4b62-aa1a-6e1507d66963} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 4976 21351833958 tab
                      4⤵
                        PID:1708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    b5b8e0fd9203f8166f5f50dca2ee42e8
    SHA1
    38eb418f8fa24877650a51eecfec579ecc292102
    SHA256
    619d45a983e5408c0b9ece00479ab824da9a4d9f5f27df2198ed767a8aaf67d4
    SHA512
    98ff6a0ef57d110b0016fcbb69438dd2403c1e513f8f2d5771d8e6c8004f6e5caeb9933d33b4f1020a697b65714921f9d03f63c1af28c577855456d8efc5e68e
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\pending_pings\76d70750-4cac-41e2-aa9d-c32cf2e3267c
    Filesize
    746B
    MD5
    02dc91ef0ceb1cbb855a123b55bfd5ff
    SHA1
    06bc43f9c3851b9052b44b0830b93e48f23d56b1
    SHA256
    2b3434304eb92161e7018d446ca583bd00d7399b5373d7e1271e170a5d5f032a
    SHA512
    68c2ebedc3478cb2c8e5b129137382d602e8a9d49ecbce86e07998217b4e0efdb22f164f5628f6951e0a3b7e8e65d290ad05d86f2b051291c6b4224d5740adb9
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\datareporting\glean\pending_pings\c2272c66-c2ab-4108-b9ae-6bfb8311cf3d
    Filesize
    11KB
    MD5
    b36bf19e770159ba06f116361b688591
    SHA1
    555492e1d7f9ada6887b4d106c7a00ef128df4e5
    SHA256
    13de3b1f9e3eef8968d15a26f67f3afbdef91beead326057bf8abcaaf954edfc
    SHA512
    639feda0ef7a7d4002f0f2b66b8ac5fe01de25e18ad3bd438a800f2a92eece50fa18cd214f8318443a77e8d9638ee32156213bbb8c122a18036d7fc17174692f
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    e05bb33489000a119002f26a03187c88
    SHA1
    5c454493ab930755beb71276a69db7845af88e35
    SHA256
    8f0b6b43892a848a7790a5dedcd57f7efe70a99a4796dba3761081371971d4ba
    SHA512
    3215d52ab8405e7f19522058e4fb88d38e774bf8b81a4f049c804f8e21c693dfd1335e447a75de688cbb337f0b72c66e2cbd8915fdb6a8c04e9e844ee1580b73
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r67w6m5l.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB
    MD5
    087a3de5325f96c8058c70f9f7728cfa
    SHA1
    4380b30e92126805bccf82578917f99bef518fe4
    SHA256
    6939da3f4b5a7f44dc6b9a678de2b0ec824f6d9dcc0529305d06b566a9049b02
    SHA512
    8762c162042b4b12b262053075aeaeb8fc8c8f1d86246172880e3db2a988aae083c00adbebd5894457d01d45440a250659c2b401af8f4b07f10a6b754855e2d3