Overview

overview

3

Static

static

1

persisted_...s.json

windows7-x64

3

persisted_...s.json

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2024 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    persisted_first_party_sets.json

  • Size

    2B

  • MD5

    99914b932bd37a50b983c5e7c90ae93b

  • SHA1

    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

  • SHA256

    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

  • SHA512

    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.0.156024122\134717680" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {498b696d-14f0-4642-a8b5-d8ea8200dd5a} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 1312 11ceae58 gpu
            5⤵
              PID:2424
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.1.848383802\827831252" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21532 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b32aa49-7f8a-4e29-a5d7-0a078e1b8d6a} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 1516 e6fb58 socket
              5⤵
                PID:2776
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.2.2071160316\1099118277" -childID 1 -isForBrowser -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 21570 -prefMapSize 233414 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbab1847-d468-4712-99a7-cd2eeedb081b} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2160 1a1ebf58 tab
                5⤵
                  PID:568
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.3.586319835\573469478" -childID 2 -isForBrowser -prefsHandle 2824 -prefMapHandle 2820 -prefsLen 26033 -prefMapSize 233414 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b5c0da1-1695-45b1-95cc-af825295f5b2} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 2836 e62258 tab
                  5⤵
                    PID:2120
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.4.1215675718\713056345" -childID 3 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26267 -prefMapSize 233414 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86125869-46dc-41b7-95db-c1e371659c1d} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3628 1ddbb858 tab
                    5⤵
                      PID:2564
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.5.1659709789\1624782410" -childID 4 -isForBrowser -prefsHandle 3736 -prefMapHandle 3740 -prefsLen 26267 -prefMapSize 233414 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc47266-2881-4573-ab4e-ccf524eaf7b3} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3724 1ddbbe58 tab
                      5⤵
                        PID:2288
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2664.6.1699250543\697031248" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26267 -prefMapSize 233414 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a40c3f7b-9668-4a7b-b715-44ab2016a17f} 2664 "\\.\pipe\gecko-crash-server-pipe.2664" 3892 1ddbd958 tab
                        5⤵
                          PID:1640

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ru80b8rf.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C
                  Filesize

                  13KB

                  MD5

                  9adbb1de06ef2011fbe0e045732944c9

                  SHA1

                  753de6fe40e561b482073571f9788aa3c59ee5ea

                  SHA256

                  be112149b71a9412485b5eaafedf1ef9f263eda332c44c2272a22b2e1382bdde

                  SHA512

                  bb2e23fd8aa28f73c65844f100e2ad81ce5022ce69404cf6e146ac1cf39e99a75947c68872a7c7b73d6edf6076af90ea8c11d98f82d72529d5ea58ea52edf83f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  442KB

                  MD5

                  85430baed3398695717b0263807cf97c

                  SHA1

                  fffbee923cea216f50fce5d54219a188a5100f41

                  SHA256

                  a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                  SHA512

                  06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  3.2MB

                  MD5

                  ad46c7075ffd66b48818e52132419439

                  SHA1

                  ec9f404354411de53cadec6b37b9e09e572b53ff

                  SHA256

                  65083be9ecb9e428ef60cf81303eba11dff5512015022dd0afab76606d5f7405

                  SHA512

                  e672836201e00f760e63830c38b961ce0d441728a99220fcc8815aa2817d0ec733157475bbdc00a4208d05084f973ba218258f036e7929aa37293fb16ba629f4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  ac72a0720f73783f261ac86f4ad74e2e

                  SHA1

                  5a471c3e7da852e3913951b1f0d8bceb3560cb06

                  SHA256

                  c4607cfbb997549acc4066dcac76d203bbb8a36d2eccd57f1e67cfa3359e0f78

                  SHA512

                  c0399362db251423fad32436c624dc777915fb15eda74a5470bff19aee59cbc652ef6ef8af9a66dcf0915a62fef8a38dcf39d9e33f0b2472e61a20774fcaf6be

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\datareporting\glean\pending_pings\9c288dc9-1336-4c3b-a624-9cc1e1872ea9
                  Filesize

                  745B

                  MD5

                  cb3f67b171f81b565d6388428e9c1a0f

                  SHA1

                  e223371702eabf7b8d7319020b00a59f8e8f56cf

                  SHA256

                  8c5cacfa8015dd3307935463a2b959de70b780e2dccc0e2be07e96e05d72542e

                  SHA512

                  f255943fb63c469a3d82a40e906801119907777200a08ebd48c6a9c6bd0d4f54bb727b0bd99d2d594868ccaeb0d641683c9b7b82b82237eb11a5a283b00a4d78

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\datareporting\glean\pending_pings\d31cd874-e728-41e6-93c0-551cdaa6d10e
                  Filesize

                  10KB

                  MD5

                  9f6c99576f09107ad0e603aceb2320de

                  SHA1

                  358f64fe701f45af8bfb3e34eb7b21194360d39f

                  SHA256

                  d696dc18f4bc0c8646ff3c2e385ca540ff904b85a34d82b0d69cd50973e38162

                  SHA512

                  c46e091e2d507388ae1403bb07ffbf17277980763915f37d120b43538e0ee0f713907f4f9ca71482821a7fa2b91e46e9b92efc027af0f04cec9571dda6325a2b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                  Filesize

                  997KB

                  MD5

                  fe3355639648c417e8307c6d051e3e37

                  SHA1

                  f54602d4b4778da21bc97c7238fc66aa68c8ee34

                  SHA256

                  1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                  SHA512

                  8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  3d33cdc0b3d281e67dd52e14435dd04f

                  SHA1

                  4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                  SHA256

                  f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                  SHA512

                  a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                  Filesize

                  479B

                  MD5

                  49ddb419d96dceb9069018535fb2e2fc

                  SHA1

                  62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                  SHA256

                  2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                  SHA512

                  48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                  Filesize

                  372B

                  MD5

                  8be33af717bb1b67fbd61c3f4b807e9e

                  SHA1

                  7cf17656d174d951957ff36810e874a134dd49e0

                  SHA256

                  e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                  SHA512

                  6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                  Filesize

                  1.5MB

                  MD5

                  ba4246dc7d03779d436a7e3e53a75135

                  SHA1

                  78632847ee9dea64332592eed2e2f75cf57c7d03

                  SHA256

                  c050ab79fca1a025260e5997d9a2e5168e68eaad830a7e3d9acaa1bf486fbdda

                  SHA512

                  8b71c2d842913255658332df53115543d96a6dd364b9e8f810bfc673e9a4fa1b886dc07082b3088aeee39d5d2add42361323a3ac98b6650bd5abd70d2df975d6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                  Filesize

                  1KB

                  MD5

                  688bed3676d2104e7f17ae1cd2c59404

                  SHA1

                  952b2cdf783ac72fcb98338723e9afd38d47ad8e

                  SHA256

                  33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                  SHA512

                  7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                  Filesize

                  1KB

                  MD5

                  937326fead5fd401f6cca9118bd9ade9

                  SHA1

                  4526a57d4ae14ed29b37632c72aef3c408189d91

                  SHA256

                  68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                  SHA512

                  b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  c933daff0aa1f3de197d0468f3189359

                  SHA1

                  9930deb64434952199dd5200e13c82c27775d0ee

                  SHA256

                  eaf30fc7795f5b548a90584ca8970eedc899d79e4454187c6420e01a6b3bb8c1

                  SHA512

                  75eb2b8df0368a1c04b1de6526c77cdf3ab90a1e3d4a4952ed4fc4f0c65db360eee6d1fcd561ecec86e099de303e1350e2af122fe7b11dccdbe7b22e4acb4735

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  2fb290c3a22f2bdf25fd354533f36be5

                  SHA1

                  c51bbee518dd996f22e64c5f5aeb091bdaf27507

                  SHA256

                  a3b3cccbe14745874a1dd1988cf1dd5d70124262d3c159d757b2fbfb9ed7d7c5

                  SHA512

                  6e6a5cd269d0c66ddded06efaaa75d6805515c3809dde7aadc5af1ec964625fe93554a3a08ed6e600bfdb88f0ce17227fbaab61a40356a81335008959cdf5633

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  062f3756846f810f55a809e1789c3649

                  SHA1

                  dadb4d1d260fa64e5cffc83b6aaa5ffe540f01f2

                  SHA256

                  79e1fd9dda814c0377bacfb7f97c0b4dfc0806a517d11b7e79ea29bd239b5caf

                  SHA512

                  037cc6303c02192d758b60f68a04b078339ea2fc120e66794228317b11991cd342d8ed048a6295ee09fde2870fe9f213ad252322d3f92b8e0172a1a3e70c12c2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  fabe83c43f2449bbbda6ae10e9d05b31

                  SHA1

                  90e382975511168fb3267c0a0af51ff413fb7107

                  SHA256

                  98d1f489134d0275fa0a9728d8685fb554cb75a818c2090d81c45d68bec81f72

                  SHA512

                  d0ed3eb489a7dbf2f2550b635f69743b54ee9b371ac64194824eb79dc3f8b2c68e681ddf64d1a5ffb4e6ede4c4f97629430bc5a4179344dbe43d48fefabb953d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ru80b8rf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  4.7MB

                  MD5

                  09b7d2e4c2c7be4dc538e92d020af121

                  SHA1

                  eeec853ce00e513696492574f2138ff62cf30784

                  SHA256

                  239be541997b1bd82c7b84c137f0b6c8016556d435e79c57143ee26a954d6567

                  SHA512

                  6ee6e125fbb5a4c8eda872f5bad5da862003e51959d08cf7e8a48c2af8bd139781eb9d2ad3f7f9bacd1eb14836f4be662ea0c860cb4e35b026d2c41ff6bbec71

                  Download Submit