Overview

overview

3

Static

static

1

_171259556...p_.eml

windows10-2004-x64

3

Analysis

  • max time kernel
    95s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]_.eml

  • Size

    56KB

  • MD5

    39ce35f4ea1ce893633ed6cb85ca2147

  • SHA1

    1d7844f2b414115b679a6a48810b9f2c1bbf26c2

  • SHA256

    a154e8b9e2dd3cbc0001a329dd081d1866e0fea03b0195a5c417b6c74b76d54d

  • SHA512

    7c641f785dfefefaaf1329528f02083393371d28575e24906ba5a28c21281018f1b651e5ae012dec185e67ba603704004a62e98d21dc34c3679529cd135eb0eb

  • SSDEEP

    768:RS5TCAqbV9mb93KjTqiMbjjwG7WFhMNk+E21o9:R2TOmY3R1hRn

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
    1⤵
    • Modifies registry class
    • NTFS ADS
    PID:3208
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.0.1913419761\757247170" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {812f53ff-938c-4a90-ab40-7be1f8168e5f} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 1960 258fb4d4858 gpu
          4⤵
            PID:2796
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.1.183924507\752974687" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d0b06a8-223d-4015-97f8-ec3c14d07e14} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 2388 258fb403258 socket
            4⤵
            • Checks processor information in registry
            PID:4368
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.2.1039214674\18834472" -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 2936 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd381621-6e68-4422-9c70-a0ddbe575b96} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 3196 258ff5da358 tab
            4⤵
              PID:4860
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.3.1423004293\790484962" -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd57facc-b193-4f14-a4f5-6ed997d72c31} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 3580 258fdde9e58 tab
              4⤵
                PID:1964
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.4.241013225\1480196811" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5224 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5f92d16-49f5-48f4-98e6-82278aed8106} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 5272 259016e2258 tab
                4⤵
                  PID:1956
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.5.77466752\1287635472" -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e35e1ab1-c43e-4172-bb59-e793ec7b405a} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 5404 259021d8f58 tab
                  4⤵
                    PID:3420
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.6.1785542806\574832597" -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61be69a-ae05-4bf8-9d70-a689c92413b5} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 5596 259021d9858 tab
                    4⤵
                      PID:2252
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
                1⤵
                  PID:4960
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
                    2⤵
                    • Checks processor information in registry
                    PID:3000
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
                  1⤵
                    PID:4660
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
                      2⤵
                      • Checks processor information in registry
                      PID:2052

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\[email protected]_.eml
                    Filesize

                    56KB

                    MD5

                    39ce35f4ea1ce893633ed6cb85ca2147

                    SHA1

                    1d7844f2b414115b679a6a48810b9f2c1bbf26c2

                    SHA256

                    a154e8b9e2dd3cbc0001a329dd081d1866e0fea03b0195a5c417b6c74b76d54d

                    SHA512

                    7c641f785dfefefaaf1329528f02083393371d28575e24906ba5a28c21281018f1b651e5ae012dec185e67ba603704004a62e98d21dc34c3679529cd135eb0eb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    7ab24ffd57c988876be475374a52a016

                    SHA1

                    28e506ee40ac7446fd6ee0dc6a278b1cb7916d03

                    SHA256

                    624ce1ed40702a88d78d1cad9c3a7a9c43afc5d778fddb4a3ef64d6925e4033d

                    SHA512

                    935e0b0a9b359f520b29bf3614b727c9fe9f0e643119dbfab7932ad1e5bff97d9f34690fe77f4e2e4537750ac6768400bdc16ebb229cee2f1d21f8bb890b628c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\pending_pings\91d6eb5f-5d87-4e3e-95d3-b317c334bed2
                    Filesize

                    11KB

                    MD5

                    847afccbd3a90e1aa4bcd2fdf028e189

                    SHA1

                    9d9054fe2407982dd1615e3809d7847d2b594b5e

                    SHA256

                    1a58071ee2273340c0347e08382437db799bf59d9ba9a9d18f1a262331f8ce52

                    SHA512

                    299e537c179dd35a9783d4206bb19763cf26cf3c5f9c92b2a3eed0f13da9e60f74cc715e85fb37f249589243d055994ab3edfb3426017c7be4dc8a2618b197d1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\datareporting\glean\pending_pings\feb0684f-702e-43e5-b170-a7ff8b427347
                    Filesize

                    746B

                    MD5

                    89897eb29c1c0e800950eca9494ad770

                    SHA1

                    105b7ec3f2a18e64b667ed7ac3c245122239250f

                    SHA256

                    6a77502ab14daa51aec027ce2da0e930cbd53d7d17ca533cae94ea16eab2c175

                    SHA512

                    91e06e7f57d87fcfbc1604181d7d79de067e0f0bd9c56acfe2f179d9e46446f9a0dd603b3d037c327a6f86d67fd85075e104f721b29e852d9d8a1148a031d2db

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\handlers.json.tmp
                    Filesize

                    554B

                    MD5

                    9a50959c94fceff22b18d4f9c2dcffa0

                    SHA1

                    3e3561f8132ac3c77e3740091bbde4b3371e40c5

                    SHA256

                    6ea3441094223d04c67998ea9aa365a83312243d2a309959d97f51fa503c27e8

                    SHA512

                    23e03c0eeb54924044641dd296b444a383d1cf2e4db0ab369ef83be111ed2ba1271b1629c045f4a28329d03b1a5931b846320daf1239f9b424e0e5140bc9144d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    a040115b73c1d8a227ef37668c805bec

                    SHA1

                    b5ff0f2c575fa0b91df9aa89be8f3e9fec69afb3

                    SHA256

                    73d77925fd1954123efad6a0ae601ae8e93357939747a8be8949b7a3a45be5b6

                    SHA512

                    dd499dbaae161cb1a3c94d59458236138584fc7dbd5d1026d5ee6fe1d74baf2764a1413c0d1c9edddbefab1c835a40c014be3a3848fa4b3f07933741f7bdd39b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    2da2df1c2e41a45e2aabf33db8173cc7

                    SHA1

                    e7696856ee078aff45ec7f5441f9eed3fbdf31d1

                    SHA256

                    ad2c1c60289bb1856e68de67dae8b1cc36b91bdced6ef49ae65b7320babefe00

                    SHA512

                    b1186ce263921492dd809d414ca2e38e26ae6e2c1e9aebbaf9896448ef6cb649fe1e3a0466f125a3338867f04f41f8eee038fadb1de71c10e553b344368e814e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    971f2e363ac35a48f22f73948b714e9a

                    SHA1

                    681803b42dacc198cbc200744c629343b885d531

                    SHA256

                    5a654864e20d78c29042d8c7d9aee8251e5e0a9909fb76adc1b6549cdc4cc28e

                    SHA512

                    934e2e8ee42192fd868a70dd33e2000edbb91841e0aefa58417b95b970c316364ddd254ff8783530922d7533bddbb5f32daa381d1c75a608d53fa0af6a45503d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    e8fbd02777586a976fce066ec00f9c3e

                    SHA1

                    6ad0444bfe4b9084fa59df1336542ecfcac3d16d

                    SHA256

                    986d440b4e4063004028ed7ebf048407d3876eefd98f573684112328d7540859

                    SHA512

                    16396c2993aa6b2c9ddb44ba602cc84efdfba3e39a21245a653d9a9893681af28d03d4e60693f0d01e6f6d78a65b3843c2d5f62150d20ce44b02c4aacae282fd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    998B

                    MD5

                    b588780ca68a3e4f0279fdabd2d425cd

                    SHA1

                    6f2e7621c0c3adb2aebecea3ebf83aaa57e1369a

                    SHA256

                    0ecb0c5db70bf99917fae4ce798a2234ed8b7c1d793789c8582b342d8221936e

                    SHA512

                    f76fc24722690b768e19b4362bfcbd850b1e72273bb11bc0fb22196f61c05574dc52c2159e7b2837cc0d91e4b0a2ebfa1a87188b5fcd7242da6bb70774d9e0f2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    42d585204447261f8445817e293d1bd4

                    SHA1

                    15371eb4e532653e99a898fdbee3d89c3141b745

                    SHA256

                    9e01fe5997ddd1d9c8553bad206bd953fdd500439c27d7a76274c346bd4204ce

                    SHA512

                    2f39038fc99c8709f94bbd04fc587cd1f6ad0c8e9b5670a59e5460d623eb735458006703289bc7f89995848a91a486dc8a532922ad10c7bd6a3e46426668f1e6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0z1r4qkh.default-release\sessionstore.jsonlz4
                    Filesize

                    818B

                    MD5

                    bb1ee3e80458c4f093a02f3103973960

                    SHA1

                    6dac4bc6d3541d2d4e8225d624c645a2ec8b994d

                    SHA256

                    7dc43100107c6b51d665c7efdca506ac3912b6a1ceb78ebbb627a02a99931501

                    SHA512

                    3c69d3400d726eafdde353b8e296325fc377f5e814d5c5571b4afd1aea55a86282e527b023e24cd2a3f302600e8a060a157a44829770ecbf4d7312a3a5839420

                    Download Submit