Analysis

  • max time kernel
    105s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-03-2024 06:20

General

  • Target

    42.zip

  • Size

    41KB

  • MD5

    1df9a18b18332f153918030b7b516615

  • SHA1

    6c42c62696616b72bbfc88a4be4ead57aa7bc503

  • SHA256

    bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

  • SHA512

    6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

  • SSDEEP

    768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
    1⤵
      PID:2808
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.0.1919364128\1037890705" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a35cc1b2-5fab-42e3-8ef2-282396031920} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 1980 1f1562da858 gpu
            3⤵
              PID:4004
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.1.1582368681\286820969" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f71f6a1-e443-4bb1-b454-40d3203d6e3e} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 2380 1f149972258 socket
              3⤵
                PID:4916
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.2.2110671622\378692279" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3040 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a92085a-7cdc-41d5-a663-60049e8218c2} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 1728 1f15a40d658 tab
                3⤵
                  PID:2744
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.3.324809795\1322008135" -childID 2 -isForBrowser -prefsHandle 1316 -prefMapHandle 2520 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab604174-b5b7-47c2-a3a5-da6d95db717d} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 3540 1f158d15b58 tab
                  3⤵
                    PID:2180
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.4.566969462\1101161907" -childID 3 -isForBrowser -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af403c83-11c3-49c1-9e9a-b4ad7179d5c1} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 4540 1f15bec0358 tab
                    3⤵
                      PID:1980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.5.1596337828\330479213" -childID 4 -isForBrowser -prefsHandle 5128 -prefMapHandle 5148 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5324be8-882f-4edb-8cdb-7a788a45f991} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 2812 1f15b4fa258 tab
                      3⤵
                        PID:4048
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.6.1780778138\835910189" -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110cfad3-8054-4a3e-b334-1375bcf33d50} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 5332 1f15c5c5e58 tab
                        3⤵
                          PID:4968
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2124.7.1146389087\1452889449" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16d03ffb-76c9-40eb-8ed5-f7846b3ca505} 2124 "\\.\pipe\gecko-crash-server-pipe.2124" 5516 1f15c5c7058 tab
                          3⤵
                            PID:3940

                      Network

                      MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

                        Filesize

                        2KB

                        MD5

                        3a92fe33bacf69e1c433566fbad26c08

                        SHA1

                        108407777821e8b64d85e3f8395f24bd5d95a859

                        SHA256

                        3afa90b2afe9c8798bbee8c6ea8e88ed6e71db5a6eb1a1c78f8e63072002ca4a

                        SHA512

                        d05ede54031e347c193fbad2374cafe1c0ec1bcd5c85ceaeabea493e6aa466eda59a87d5cd46674f972ccc130a6d4b3b62e17dbc02515089ec7282c4322a4f80

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\0a080611-1aac-4270-8e25-06ab1c7857c9

                        Filesize

                        746B

                        MD5

                        53270b6bff7fa85ae1894c0a1f02e653

                        SHA1

                        457ce158571b7170ba1c4688a138c15aa079deda

                        SHA256

                        556383f61b1fa9533f0f607191f4cd6a01cd4def3d97bb357e1076dae92f46be

                        SHA512

                        602fd27e65fd56e8cad63e734542b17255a81f35ac4db10aca0f9df9595ec50692b8b8b787418b8aa4d10288640f818696c2ba2aacedd01715518d768140eb08

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\99dd65ac-a489-482b-8d48-a491a31eeeca

                        Filesize

                        11KB

                        MD5

                        7f7c76f7a29d6076482d6e6c562df220

                        SHA1

                        b97358a8fafac5fbeb9bbdd88272ac72aee7c2b7

                        SHA256

                        6671fb9dc6bc1909b2d5130ba91636909b05dd51f5e00b2d71059a8a45755ff7

                        SHA512

                        83727202c4dc4f758defd0fcb9d55f4751bd1436d632416992176ec6bf7aad87d0a8aaa9a4de93ebd009fc35bb390249c1d4e71993258840c435e6bb2282c4be

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

                        Filesize

                        6KB

                        MD5

                        b05f2aed40d35d708424da92eba99d21

                        SHA1

                        4337bba79aa929c4a85d9e57a22f339ca25e8d1a

                        SHA256

                        bb21dbf135c54225a550fd4201ed8fe9be5c571baa80c7f8f72de0dfabc7fd98

                        SHA512

                        2a6fd6423fc7cad5e0248b28a0d5b3918104735eb3ea70aef8eb53dc37f55ea792b42347ce7ad7a0cab83ccb9d7b68241a72b1533c54fbef251986358c0ca373

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

                        Filesize

                        6KB

                        MD5

                        a2385c890b0e550983164eabde53014f

                        SHA1

                        fde363fae9698efc014531065d2d1e24298c6009

                        SHA256

                        2113a404407cad23b9acfbf8b86467efc8ee96ab3607b7479d6f6bc8d28382dc

                        SHA512

                        1e34df554043bcc82ee76facd44b86bcb76786d4799d7d7b848f0bd0cf763f341b42dcfa0ffff7e7e8d1d363a48d4fcb1494e4df1a17d57983ceca246c904cb6

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

                        Filesize

                        1KB

                        MD5

                        924f5ee1f9b65a1b6b96fd1dc40e9fa1

                        SHA1

                        ebe4d6e7f209c58235e13068375c9bee6766b224

                        SHA256

                        39f4cb8dd25a2a9cebaf9d3773998a388d4309d0a783df75350757bead32974a

                        SHA512

                        bfed55a86c032272cd4455d914ae80a0a81cafc41d4a6da9c09b0bb51c06a5bb8fd9d55cfb950b281e3af054288c519aaa409e8f5dbbafdbe2d91b048bbbf56e

                      • C:\Users\Admin\Downloads\42.Pfjw0Rfx.zip.part

                        Filesize

                        32KB

                        MD5

                        8d10475fd6d4478eca15061f07f6d05c

                        SHA1

                        7453584acfa48459aa08fbdccbb0a97d175d453b

                        SHA256

                        3fc60f97dc4cceb103337319ec7a61b5b87af672642a2ad31499b1280938f67a

                        SHA512

                        293a32f2ac16ac0a86423bb1ed78dc232db8c34cb2be64cd8dc6c1190d86f21f4f9ed1ef9f1633d71c3bdddc323979d7f3857de9aa6fb0fed2532365440cee4c