Analysis

  • max time kernel
    124s
  • max time network
    164s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02/03/2024, 22:42

General

  • Target

    LICENSES.chromium.html

  • Size

    8.4MB

  • MD5

    e400cd908b8fb7c13985e2f5cc7a7044

  • SHA1

    bbafebdf5b067a7d7da130025851eaa52ec3c9d7

  • SHA256

    ee3b1ab8794c749673ce9bd2dd302f12d69f0a1a4adfe40a64247746cc311829

  • SHA512

    e7ca440f0e042d7fcfa99367426bf19899a2b227c6d7b6e2c25d4f1a40113250f21ebeaaf91067d8569dfbad1415d4fe3e5626d7254722f2778497fcb22e5d6e

  • SSDEEP

    24576:/UrV6CI675knWSgRBPyQlrUmf1C6C6y6Z6/678HqBMUpuQ:MsWKA

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.2039562987\455464182" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {019158ec-da5e-4f03-9bcc-f7d97eef9b7f} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1796 1f29dbf5058 gpu
        3⤵
          PID:1524
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.505514600\1428057295" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a54e6628-1c64-4c1b-b63e-703f37437fa8} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2172 1f28b672e58 socket
          3⤵
            PID:1268
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.2.806926298\1848200382" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2816 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a3bd9d6-0b95-4228-a63f-2600f37cfc62} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2912 1f2a1d0b258 tab
            3⤵
              PID:3628
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.567252275\1242879341" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3412 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f004befb-b66d-4b22-b683-423506948daf} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3432 1f28b661f58 tab
              3⤵
                PID:792
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.4.812379313\886626858" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4712 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be925ab9-f186-4732-b4db-f9b0525e438e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4580 1f2a23fdf58 tab
                3⤵
                  PID:2280
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.5.294450091\1303026960" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0725436-9b41-4953-8af5-6e036dc6656e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4824 1f2a425eb58 tab
                  3⤵
                    PID:4316
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.6.815832330\335564342" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd44c2b-faee-4327-846e-c27ed37618f6} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 5116 1f2a425ee58 tab
                    3⤵
                      PID:1696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hcue34dg.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C
    Filesize: 13KB
    MD5: c91f5a12dbd6b444d1f1f5fd1af0b3ba
    SHA1: 61f25c12694294a9ca7179b2effa9fefd020f23c
    SHA256: fa0d84da39e7ce3d6e22af65c6aa4b307ec4c508386fa3488293ff6f33664223
    SHA512: eadca075ca6956d5ca80e64f701494babdd38193c0c3483a5e265bc098fa24df3aa2c030178e11308a26eafacd6e6e281b39e5d57e2a58401d22f7d3f7180a01

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize: 8.0MB
    MD5: a01c5ecd6108350ae23d2cddf0e77c17
    SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 9dcfdf0d46ffa98355174dda0b40039a
    SHA1: c33ae58eb66bfd7415f3dc1d93b74cc11a0d229c
    SHA256: 70b2381264a09d027a0a0a21fb76df934b3354596f873c7dab8c4ecae08ae34c
    SHA512: 62cb8fa31447e0717fa2b20bb77d7764b3e660e560cda32b0e4f29ada1dfedc0ff8cc71c70a294770ddbadd152a22b6a6630d7c56a125b3a1e108c7665e127d5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\pending_pings\37b7968a-dc21-4b74-b5e8-540e81c04b0b
    Filesize: 746B
    MD5: fff93767430d998fa0de77b7ce01450e
    SHA1: 552cd33f07e069eba7a4f227b8575b5009e325a6
    SHA256: ae548e4585bbbe0d4acc119167c5e829936da3cb59932e70de2ff74efd691197
    SHA512: 86145ceb0500743b29f5e21ebcab8999b18560faea812b9bd022ed18522d0e7aa4200e3616cdfa67b16dad3b5635257515139f1dc7ad0bd6f2be00777d672daa

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\datareporting\glean\pending_pings\fe9c8353-4fe8-4724-b6dc-b11f8c613623
    Filesize: 13KB
    MD5: 8a6ca981d9caa2adc5b7a10aaca5139f
    SHA1: 5b44641877c600a13335d956e28e8cd9e0fc8d77
    SHA256: cd26f78cb240d6f2a8b823f3b46bd94cbfabd78f7101972c2acffecd2af210bd
    SHA512: 88f1ad722165047bb84a9d192282cdc6e95edb795ea63498e50f528ba0a9e695dc25c5753888443c68b2e667467a476cfdb9325d5dd80a6f7da82447390f6ac2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize: 479B
    MD5: 49ddb419d96dceb9069018535fb2e2fc
    SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize: 372B
    MD5: 8be33af717bb1b67fbd61c3f4b807e9e
    SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
    SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize: 11.8MB
    MD5: 33bf7b0439480effb9fb212efce87b13
    SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
    SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
    SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize: 1KB
    MD5: 688bed3676d2104e7f17ae1cd2c59404
    SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
    SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
    SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize: 1KB
    MD5: 937326fead5fd401f6cca9118bd9ade9
    SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
    SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
    SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs-1.js
    Filesize: 7KB
    MD5: db81a6ab86f36895a86e1aca19605b73
    SHA1: b51f2f3e8b18040b26f9200e3fb0e538ca9e0b46
    SHA256: fba8b2f2e5f52c7154529fe5a074b15b49779951ff5f86454b1ea337fecb5b5f
    SHA512: f95ede8a1c23e832207ab3c9332192bc222abb3b9055cd310fa98d22799e4f1cd909731c2956f6333b27ef907d8d442cb26906e0595a781c85b8fea5db6484ea

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 8fe264f72a0b4d6815d4a7fbfb029297
    SHA1: 2ce5fcf621f20ff9a0281a22f764002091f5dcb9
    SHA256: 67eb0df4e9fa1ce3315665b1fc9222fdc3dfa625210ebd1585dbaf4a5b3fd1a5
    SHA512: 367fb579d30200c55dd1d6903501ea4f62f4b848c0ec15ad39a31d6707b4fc6ccb0e69f57d8fbeac9421ad3998b80add062c0e642590b01a9e34df93416eae47

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\prefs-1.js
    Filesize: 9KB
    MD5: 20197a55ecc6710a2bcccc7c9b5b7470
    SHA1: c5886b56744a15242379fa19aeb0cd4b7c54390b
    SHA256: d284dc0b9219e336f2f51fea3b175df10725e4feff7ccc57727dcb87002960f9
    SHA512: cedf4b52e203f39d78061cf15e1eb5594ab46f25ac3308320565e3caa4cdeab8ac707fafb614f79e266c6ef19849ebf9bb21a6c9139fc810d41410f62ed5551d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: de36f74e1aac06a957d5dde63b4533bc
    SHA1: 0ca4884ec1a5cc9cfcfb97495dd25e9e9743b0ab
    SHA256: 200f44033094d3243d842c7e03c861e90f66fb402f95fcae6e7a0b6b735311c5
    SHA512: 65fe16e81a3c453244d9e5f32fc147d165852cbb708f301e983fd9807e598c98212c3d3d7e37be39e4f9c278a706e7be7d1940f91294b3cfc64099a4f274f032

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hcue34dg.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 81be40eeb7ce5f36e18daa2eff56fe06
    SHA1: 5205df1bde7d9e24d1f4150288938dfc63aec19d
    SHA256: c43568600a4203ac8dc7bbe0d75cfffef2659398ff1f02b4587803273b9cf6f2
    SHA512: f90f7c6c78a4a165f1b3b86cef8878397526868521fe8b3303af2f174a6403d61b07d866fc662a5a3831a563669e6167fa76ed84f59e8c4cbd61b3fdfb0da139