291146daa2d2c2c07a299f0e5f3bf6c6d84dbd4b6ab88dfb8024ab7541a1a382

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 10:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

[email protected]
Size

197KB
MD5

7506eb94c661522aff09a5c96d6f182b
SHA1

329bbdb1f877942d55b53b1d48db56a458eb2310
SHA256

d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c
SHA512

d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070
SSDEEP

6144:p4bORZxkA3Qhj8zMc1dBmGR20WwG4ysssrHywHdch:abOlkA3QhjiTtmGRnWX4XssrBqh

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	[email protected]
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616257"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "3"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	[email protected]

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	firefox.exe
Token: SeDebugPrivilege	2556	firefox.exe
Token: 33	2796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2796	AUDIODG.EXE
Token: 33	2796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2796	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]
1700	[email protected]

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2556	firefox.exe
2556	firefox.exe
2556	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2468	1700	[email protected]	31
PID 1700 wrote to memory of 2468	1700	[email protected]	31
PID 1700 wrote to memory of 2468	1700	[email protected]	31
PID 1700 wrote to memory of 2468	1700	[email protected]	31
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2468 wrote to memory of 2556	2468	firefox.exe	32
PID 2556 wrote to memory of 2768	2556	firefox.exe	33
PID 2556 wrote to memory of 2768	2556	firefox.exe	33
PID 2556 wrote to memory of 2768	2556	firefox.exe	33
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 1924	2556	firefox.exe	34
PID 2556 wrote to memory of 3068	2556	firefox.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.0.886525229\1344609082" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1188 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e93b1c-e8f1-44a7-b33e-d2efbe15a5a5} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 1352 ffd3758 gpu
      4⤵
      PID:2768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.1.1052838751\408012657" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {913c312d-4c23-44d3-ab3b-f64fb4256d42} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 1520 e6f858 socket
      4⤵
      Checks processor information in registry
      PID:1924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.2.1820868875\572801243" -childID 1 -isForBrowser -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {903b4175-0d4d-4c89-a2c8-ca87036061cb} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2408 1a095658 tab
      4⤵
      PID:3068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.3.2060685684\1134619209" -childID 2 -isForBrowser -prefsHandle 1840 -prefMapHandle 2076 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b144d0-5103-4b96-bed8-f0de516bafe9} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2100 e60a58 tab
      4⤵
      PID:2108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.4.1147199832\1747621206" -childID 3 -isForBrowser -prefsHandle 3092 -prefMapHandle 3088 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1327013e-9bda-4859-b18c-5730038c00ea} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 3104 1be4ee58 tab
      4⤵
      PID:1548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.5.1145724128\1924802802" -childID 4 -isForBrowser -prefsHandle 3736 -prefMapHandle 3748 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cbb4c23-d00b-4d44-8f86-36432af0c5aa} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 3760 1bfb5358 tab
      4⤵
      PID:2608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.6.190823847\1001276815" -childID 5 -isForBrowser -prefsHandle 3788 -prefMapHandle 3780 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0528106c-2e78-4109-8ca0-d5ea7eaf06df} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 3868 1bfb6858 tab
      4⤵
      PID:2000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.7.184617132\2129841971" -childID 6 -isForBrowser -prefsHandle 4052 -prefMapHandle 3964 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c4d0271-ae08-4a93-82f9-0fb229007e56} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 4068 1bfb6558 tab
      4⤵
      PID:2864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d89e83ca9d8f89f72f9712f63e6734a4

SHA1
3241b50e99504595e87cef6a827f304eded5fa0d

SHA256
47424b9ca27ee000d486dbb092f1fe4719bfc30fbc2c1d52d72cee4ffdcfb120

SHA512
ab1eb70c0064d43c52b913e8a81efece38f7ecb7e9b051668f43f942e163e0db7d4472c71ad089a2b97b079736d417ce8e77c0825a963e1b42ba0ed0c23ef477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\datareporting\glean\pending_pings\54570a88-19c9-4e9d-8737-e9c8c56c5c4e

Filesize
745B

MD5
cd2dfb0a45bc992c499fe11782eee11d

SHA1
87b0d7bb49a8c400a70d9692386c11c2223056e6

SHA256
0e8b68fae7907e2de5c0fb17f875c2e0490ea4bbdc603d85d5fae2d9917ec7c5

SHA512
adcd5cd95d89321f390e9a21130e844369c0979241cf026d59382937037f1d62002bbd9e72f219b53f37823c12c1d1c048ba374cafddb1cc0053edbb221f88d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\datareporting\glean\pending_pings\693fb88e-c8d3-4b09-851a-bda56b492c62

Filesize
10KB

MD5
b00d4a097d0210f771cfef45bfc894e0

SHA1
2db54bf75a188b8966e5e35f8bb65b0bc1a6f088

SHA256
88f4168f56dae9664b903ece3b2b18f3dee5c2c8344186b914a9b40e7f906896

SHA512
2a8d2d561df37527db45587b745a3c0dcd75c8642103bef95c6ee9c40c44499abd624a615f6470c8a3754b97eeadf7df55c29777dabbe4d2bcd6cb7fc32fd33b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\prefs-1.js

Filesize
6KB

MD5
a37b099f6cf4e910b210a089fa2a7e0c

SHA1
f8645d3ac17b38f5c8487173a5a4f947012dc123

SHA256
064217f970cad35d6053fd33b6a803d9be9ae8296daae53fb6c7d61abd2a1c6a

SHA512
d368a090db46817e4f3ec5ab20d6a368d80e4fde12e52a773ac4df8852e53660754afcca17bd031a15b2b339bb3ea200ad1904a85d52e346bc60da4c8833ffba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1weu80pa.default-release\sessionstore.jsonlz4

Filesize
832B

MD5
fe8df73fea994827daf2ea6ba753be66

SHA1
9e04c6e6d5d63132c1240c7525fb6d5bc030698c

SHA256
1fd9317f405cdf3fbb9281a7b9fec3bbea72a61f0922b0192c561e7feb6b9d27

SHA512
523aff58ef507acc90a9e8de2c878ce5f942d71f23f2dcdeb417e74ab2572f8f7a657aabc885e773423620220d069e7c3e810abdd693443efee2f428961f6e2c

Download Submit
memory/1700-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1700-5-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-6-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-7-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-3-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-2-0x0000000003FB0000-0x0000000003FB2000-memory.dmp

Filesize
8KB

Download
memory/1700-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1700-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1700-164-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2412-165-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2748-166-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download