Resubmissions

  • 15/03/2024, 23:47  240315-3tb77sed8v  (score 3)
  • 15/03/2024, 23:40  240315-3pbe4sga28  (score 3)
  • 15/03/2024, 23:36  240315-3l17cseb6t  (score 3)

Analysis

  • max time kernel: 311s
  • max time network: 315s
  • platform: windows10-1703_x64
  • resource: win10-20240221-en
  • resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 15/03/2024, 23:36

General

  • Target: glitchnation9.png
  • Size: 950KB
  • MD5: f7679f38c3be7a9871f3b4da455d888c
  • SHA1: b0ef376ebe96e3a784fef2c2302bcae51cb4b923
  • SHA256: cda74129c2cc51a1f808695e163f05d4a9fc6ca2244e5d2c7f03d9f19d42d7da
  • SHA512: 43e6f93f20ab2c7970deb2e31169e708ae7ec616c17e08fbdd7de82fb4bb89c512f51c09e3841109650f27d582f0ac678da47b88bd4a0a7408a6c580eba7eb66
  • SSDEEP: 24576:J+H/c1UXLNk8YH2Mb/C17ZQW9m0fc8zsOS0AsxyQ49SV:ULNk8dSWI92cpYn

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (7 IoCs)
  • Suspicious use of SendNotifyMessage (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\glitchnation9.png
    1⤵
    PID: 3936

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID: 3408

    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID: 4812

      • C:\Program Files\Mozilla Firefox\firefox.exe (gpu content process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.0.1248927903\1677305388" -parentBuildID 20221007134813 -prefsHandle 1608 -prefMapHandle 1600 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9706f98f-05b0-4078-ae50-77df7d92ec70} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 1688 1f6c6dda258 gpu
        3⤵
        PID: 2104

      • C:\Program Files\Mozilla Firefox\firefox.exe (socket content process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.1.2082212159\1367754251" -parentBuildID 20221007134813 -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce3d1d3e-ba44-4426-b807-9e484febd6dd} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2068 1f6c6942558 socket
        3⤵
        PID: 2364

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 1)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.2.1026449377\1534413998" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41262ab5-9491-4232-8c10-9d4dd1d0f1b2} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2496 1f6cb99ae58 tab
        3⤵
        PID: 2240

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 2)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.3.2124769174\1212871930" -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 26044 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dbc0520-e1b9-436c-9c7a-978dace8f355} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3200 1f6b5467e58 tab
        3⤵
        PID: 3112

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.4.752011684\353261133" -childID 3 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f739b5c1-1d97-4640-89d3-e92775adebe3} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3984 1f6ca29c558 tab
        3⤵
        PID: 4388

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 4)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.5.2106300228\79549035" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4400 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {758cb58c-a7e5-455c-a65d-5e2695aa376d} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4800 1f6cd870958 tab
        3⤵
        PID: 2836

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 5)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.6.1206882217\1319451073" -childID 5 -isForBrowser -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b48086f-aada-497d-8e06-e6f56b5c664b} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4956 1f6cd871858 tab
        3⤵
        PID: 756

      • C:\Program Files\Mozilla Firefox\firefox.exe (tab content process, childID 6)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.7.1115722240\236733130" -childID 6 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79beef7f-87df-484c-bfd8-9a79f582c5b0} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 5096 1f6cd871558 tab
        3⤵
        PID: 68

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID: 4480

    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      PID: 4608

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: a57d320ed5d7937046ca69af249a9eb8
    SHA1: 0c9f78a9e8155e9ed12adfae7030541b519cb9ec
    SHA256: ca77947befd34f0610cbd0ee8e6a4f381126556b26a7afac8c8824d00c9b1f35
    SHA512: edc58b3c394186510f53420a9190585ecc7da95dae45aac75da558fe2799b6a0cfa88a9af2000215092a37c15b116b03796e26121370e013d3363928271e8033

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\pending_pings\ba311f10-04bd-45f9-a4b1-3005648d2f69
    Filesize: 746B
    MD5: 0ddf47d52b0716f5ac8b49918abd164f
    SHA1: 39035e47f1d29a2e7c3eac4ded3dd10b9849a7ba
    SHA256: 410d4630ad42a5bea1b1dcbf290125ca84a7a50f4a8a381565749e5549e7e60d
    SHA512: f2ece6dd22adc1b82352135c9842301f2eb63ac5bf096674c983a0e93639f5cc050a2952282179b3c25125b7b8681dbc133df3f0aed0b39d691be0e43c0a44c7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\pending_pings\fee229d4-598d-4edf-91b4-3c1122ce8545
    Filesize: 11KB
    MD5: 0a0c134d64e3ce99d2e7a865c15ac251
    SHA1: fc8589fe6d8f7c4139f3182d4459deeded0113bd
    SHA256: 8f55a83efa3a0309a2ad91d36205558d2a31bcd9882330a9e4ba426516eceb0f
    SHA512: 49f9d6f56ac63ab1ce0260d75783e26487d50fca5dc80bd7795a07afe18d4e47c70dbe6ca04449e14382ff5de837dfce2f7c7ba9bb307e190ee954ee1f260d78

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 18194d7a157a5e53a992953ecb741636
    SHA1: ad2e55b5457e2233082b7ade0db72ae4d89a3ac5
    SHA256: 95284bb256f0656cbf17ddcbd9c9945a80eb21019bab13455c7e2901d388385b
    SHA512: 4b2078818b72a9b37629b731c4bf8376abd877326433f0756bd31605fb108978aa27279561a31b7fb7bba5fefefea9e6a0b9ee1f66c11811538762ee3e7ba339