1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

max time kernel
157s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (22).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
SSDEEP

12288:0qtavSvIGmVujfIzEQlzlmgGak6H3lP3XJik0YhBhrj05:0qsVrYyl876j0KDrj05

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

firefox.exe

pid process

4280 firefox.exe
4280 firefox.exe
4280 firefox.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

firefox.exe

pid process

4280 firefox.exe
4280 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4280 firefox.exe

pid	process
4280	firefox.exe
4280	firefox.exe
4280	firefox.exe

pid	process
4280	firefox.exe
4280	firefox.exe

pid	process
4280	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4340 wrote to memory of 4280	4340	firefox.exe	firefox.exe
PID 4280 wrote to memory of 4472	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 4472	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 2396	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 3252	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 3252	4280	firefox.exe	firefox.exe
PID 4280 wrote to memory of 3252	4280	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\Setup (22).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (22).exe"
1⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.0.2125267661\1250706507" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {226b05e8-3755-4051-b987-ee5a851a4cfb} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 1980 2013aed6158 gpu
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.1.649453054\941090610" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7856cb03-2070-4096-b953-0336111267fb} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 2364 2013a830e58 socket
    3⤵
    PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.2.1920175562\211781918" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71c6bd6-b60b-47d7-aa5d-2f2a634bc2d3} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 3068 2013ee9ed58 tab
    3⤵
    PID:3252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.3.989095732\477195490" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 1120 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1392e56d-1bf9-4ce1-ae5d-122deb3e2f24} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 3520 20127071c58 tab
    3⤵
    PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.4.2017141595\933131707" -childID 3 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {883bf0df-1eaf-4e81-bd6a-73f5713ab262} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 3968 2013d843758 tab
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.5.408908518\2123547248" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 5004 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5126a3cb-2c22-44e5-9100-2aa7fc2c0741} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 4832 20140c1af58 tab
    3⤵
    PID:5520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.6.115649378\15816055" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5008 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02504912-93f8-439a-90eb-55b244bed0cd} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 5020 20140df5958 tab
    3⤵
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4280.7.724831908\719073204" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b62923-dc48-44fd-8f91-bc8b906e99e8} 4280 "\\.\pipe\gecko-crash-server-pipe.4280" 5232 20140df4758 tab
    3⤵
    PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0651b7ffcc69f516115bf04c55bdf4ed

SHA1
171610e801a52cd7e26fda8155d7a7e02c3ec796

SHA256
79e4394136f9f330f8ec8e7809d6f7899554bfe641bbd277c2212e6e860fcec4

SHA512
125b13b0e5d321a968ea11fef7392dc8cd08772762b67d50935c7669994aff36af9e169e9870ca98e8cb27515c0326d9c8d6f639b1eb0964500d0764acb71f25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a5c985f7-b669-485e-8c9d-9d41848215b1

Filesize
11KB

MD5
9fb096b4b86aa6905933b33259fbda05

SHA1
cd696b8918f738af24650605df5b682848f24adf

SHA256
c2c66fbf466ba2c6afb59d031db8fc8e71c68d94bc2e9db23218ad07ccf8e1a2

SHA512
6fea0f382e77b56f93ae22893b71290048c669a9250f48337d22a486fc072694f6589f008ed538f8cfa9621b583f49f417e4cb0fd818ce8e7a59ad2abff71a14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\f7fb77a1-177d-4942-9594-68a374904675

Filesize
746B

MD5
1700577780ccbf131f5493df4b388a2e

SHA1
de8e2da5ef43cec379f0b6a21a9e48ccf013693f

SHA256
03d6ea016ffaa098b5f82af416e9950d2f6fb5cfeef20b4b07d167031b86d650

SHA512
857eaa67af870c9d82a8de390ebcbb093a7604a571dec69412cc51d5db17fb3d4dcd323dbdf52597c7864cbbdd350ccc00e20f1e3b920d90df53c38ce0df5cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
d484cfe3c8a5308555e24f584c84aaf2

SHA1
e4fb11ff1ca096dddf92dd17483fc0c0d05e751e

SHA256
67968992525498087e54064cae5afa9881729f615f2faa5cd8b8b7754fdcf10c

SHA512
4e2bb37cdbaa6dbd02a20b4accd946b1ebae9d9c2db17278dbc6d0f87d15c4589dab143ac513c37263648cdbef3b2b0d1e5620f71c7b64a79a7e9b9b1d7e7903

Download Submit