Overview

overview

3

Static

static

1

HORIZON_VAULT.zip

windows11-21h2-x64

1

100-+.cfg

windows11-21h2-x64

3

110.cfg

windows11-21h2-x64

3

120.cfg

windows11-21h2-x64

3

130.cfg

windows11-21h2-x64

3

140.cfg

windows11-21h2-x64

3

150.cfg

windows11-21h2-x64

3

200 PING.cfg

windows11-21h2-x64

3

50 ping blatant.cfg

windows11-21h2-x64

3

50 ping se...it.cfg

windows11-21h2-x64

3

70.cfg

windows11-21h2-x64

3

90.cfg

windows11-21h2-x64

3

@@@cocacw.cfg

windows11-21h2-x64

3

@@cocacw.cfg

windows11-21h2-x64

3

BLOODINHERMOUTH.cfg

windows11-21h2-x64

3

HIGH PING AF.cfg

windows11-21h2-x64

3

UW.cfg

windows11-21h2-x64

3

WOW.cfg

windows11-21h2-x64

3

aaa.cfg

windows11-21h2-x64

3

cocacw best cfgs.cfg

windows11-21h2-x64

3

cocacwaa.cfg

windows11-21h2-x64

3

config plug.cfg

windows11-21h2-x64

for a nigg... 2.cfg

windows11-21h2-x64

3

for a nigg... 3.cfg

windows11-21h2-x64

3

for a nigg...xy.cfg

windows11-21h2-x64

3

ggs.cfg

windows11-21h2-x64

3

low ping.cfg

windows11-21h2-x64

3

ue.cfg

windows11-21h2-x64

3

uhuh.cfg

windows11-21h2-x64

3

urlegitscfgsir.cfg

windows11-21h2-x64

3

yeye.cfg

windows11-21h2-x64

3

yourcfg.cfg

windows11-21h2-x64

3

Analysis

  • max time kernel
    85s
  • max time network
    89s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/03/2024, 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    130.cfg

  • Size

    354B

  • MD5

    e9f55e3a0fc322a9fe5fba243984312a

  • SHA1

    5c49b8065fb6dcb4836a3ce6af1cbb8c93d2fe3f

  • SHA256

    775ba89f9925fb29b0b4b9ac9d92a0f0cbfbe22b37878f33f8d0efc9c62e5e9e

  • SHA512

    1a96de5aa82c9cb1bff65cc6bf411a799d1681e8a6c22794b6022aedf3510a0dacf6cb81fc4164a4a947295a06e58c79dc020f99887d6002e3572f187476804c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\130.cfg
    1⤵
    • Modifies registry class
    PID:4092
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\130.cfg"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\130.cfg
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.0.1839609573\1874000741" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6be039-fe6d-4dfc-b7db-32fe7d6fbfc4} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 1872 23829ebba58 gpu
          4⤵
            PID:4752
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.1.1482178662\34439309" -parentBuildID 20221007134813 -prefsHandle 2256 -prefMapHandle 2252 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {614f116a-f402-44c0-b089-643dc727cefe} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 2268 2381df72b58 socket
            4⤵
            • Checks processor information in registry
            PID:1996
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.2.1362879548\869733696" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 2964 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe047085-6041-4967-8048-8a97ea0d547b} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3120 23829e62458 tab
            4⤵
              PID:3580
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.3.968127743\808627711" -childID 2 -isForBrowser -prefsHandle 960 -prefMapHandle 1152 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1303e9cf-c2e0-4779-b8f9-08a4c5006c81} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3488 2381df68d58 tab
              4⤵
                PID:5096
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.4.533434257\533757915" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4996 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78c12644-7822-487c-b882-6852bcd80b2d} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 4976 2382f09b558 tab
                4⤵
                  PID:2596
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.5.1575427635\2051903584" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2458655-0c47-4715-900e-ede2b95c34a1} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 4936 2382f09ca58 tab
                  4⤵
                    PID:3784
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1508.6.921956874\1849954845" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10e944a4-4173-428c-8a39-4499fbd7c04f} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5288 2382f09d358 tab
                    4⤵
                      PID:4976

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\db\data.safe.bin
                Filesize

                2KB

                MD5

                d4ce5f30440448db6c456af4dcba41ce

                SHA1

                f5421fb326538f558045687dd0877729775377a7

                SHA256

                0a627b3effd6f494aac2240e01e99801657ca74d522bd4a66b0fba1eeb8a04d8

                SHA512

                94140d454661f27e20a0ac0dab9c8fe7f57c2d7713e7206f4f77f2b73f3c21d40dd70c5d1b08ca3091aa6ac1b542c06683a68e6c81d5bb8bbdb83f971437b557

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\pending_pings\258c5178-d908-42c0-95c5-86dc9a7f6023
                Filesize

                9KB

                MD5

                1c73beb38f621cdf43ebdadd56821c55

                SHA1

                808ca17b8378d03f87a5c36cf870bcd5b1783f41

                SHA256

                9777650ab6cdad3a6a8be922fba8efa65057072de12be4f09e29f1d3275785eb

                SHA512

                a6d7a47cd1adce587e6b6d4f6387351b9affb184137685028064878151183f54c52193b1e16d65b6a193c20c44bc8b88486b974eb5fd203d98d6061838425901

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\pending_pings\f4cf1f6b-64da-41d3-907c-9a7a62733303
                Filesize

                746B

                MD5

                1aa2611702a46c7d1257e2b4b41b0818

                SHA1

                1dda038719b8b848c9fe48513cc13ade6911644e

                SHA256

                7960205eadb0a1655948ecffe7ae5f477c8b64aacacc72e83f8de2290b57666a

                SHA512

                01470507960422e897ed9724836ed6d58062806fb9a266025e3959f18c97e00bf97adc49001d05647b8ede5d6997714fc02c075e93acac4b4a0d846ea03d23af

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\prefs-1.js
                Filesize

                6KB

                MD5

                429b24bf89e33672c6de3b7b30d4293e

                SHA1

                53b5c6358bfa7194a9e53bda63c57aaee7881be1

                SHA256

                44fa08322c82acc895fed0bbb6a9efad5b5a94deb407b432ed72379efff76c1a

                SHA512

                aa8dba7b136f8d0794bfb14c3ab7012d8140766602183d9ec91d0c45914f5eef5eedabb72ebd8d8756371e2ef0c7a3437a676579a28cefe784bad943c887c334

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\prefs.js
                Filesize

                6KB

                MD5

                872b930efc83ceac121fc2a549cf57c9

                SHA1

                708112bb601aabc4ef31de3ae0f3559c58cd9a53

                SHA256

                391b5fcfc1b0d3450df2d6d289e95d1fe2b6067fb0a1776d6854f487091278a5

                SHA512

                489b95bc83d0617484dd1d9e2abce908f482793fb466553d8c75fcb0ab12846aed12e39943401f371a124763d0cb5a2f236719b5e7fdb50a247a57fd2576480a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionCheckpoints.json.tmp
                Filesize

                259B

                MD5

                e6c20f53d6714067f2b49d0e9ba8030e

                SHA1

                f516dc1084cdd8302b3e7f7167b905e603b6f04f

                SHA256

                50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

                SHA512

                462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionstore-backups\recovery.jsonlz4
                Filesize

                1KB

                MD5

                5698dcede3f00c705358e5da3b4e2490

                SHA1

                49fe9c8490621cc6673fe0f27b7511b24100fd0e

                SHA256

                7fdcbd886d21bbedf40468fb1fbce3b933527095e97f39250a46b8b527573f06

                SHA512

                cb67f76f760271d37f721073bdf562ee2612b03e9caa1bd0a81943830742b4da763b8e1de05630352ac0a7aab8d847b819b55de698b672ea94aedea7dff34975

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionstore.jsonlz4
                Filesize

                920B

                MD5

                4799eff2c686c611f8e84e5b1b4b601b

                SHA1

                cc8288951a93f60da4e5c23270d7c1c6a6e73d27

                SHA256

                72167885666510098f51823cd8b7a95dd583e3236143f4aeddcd1cb5d281caaa

                SHA512

                e806680491ff07934963831e7bf05019a53c74c25a35086374f790083fad3ef14aafbab7e84bd2e04da70a65d209d675045eaef6df4a162b79f2b4abc7c51a86

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                Filesize

                184KB

                MD5

                b161c7a30c50f69ea05e159a93039c44

                SHA1

                cfc9e0ec94dc6f981c5058f84a792b8c554e68a4

                SHA256

                a128c6fad2ab59aeb9f1cead2df9e9a40e0275a2c31324d762166c8150cf8005

                SHA512

                b7783e70580513bb3d09d313366b962f6716995de714637fc2aa5475da70f0932b2b66ceb7833a68a021927b5053509bece43d5a478dbc9c14b62b27a34dec12

                Download Submit