a91f0751daaea7fee73c87370e94c989c6e9d058545403ba75e7cf241701dae4

Resubmissions

15-04-2024 17:10

240415-vpz5gabf35 1

15-04-2024 17:09

240415-vn3tzabe93 1

Analysis

max time kernel
30s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trusted Root Certification Authorities/Class 3 Public Primary Certification Authority.cer
Size

576B
MD5

10fc635df6263e0df325be5f79cd6767
SHA1

742c3192e607e424eb4549542be1bbc53e6174e2
SHA256

e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e70
SHA512

7c2f94225f679889b9ded741a00db15cc6ca2812bfbca82b22537af832412abbc105e00cd0a3979d5fcde99b6806e8e6ceefb2718e9160a2c80c5ae78b33f2aa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1840 firefox.exe
Token: SeDebugPrivilege 1840 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1840 firefox.exe
1840 firefox.exe
1840 firefox.exe
1840 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1840 firefox.exe
1840 firefox.exe
1840 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1840 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1840	firefox.exe
Token: SeDebugPrivilege	1840	firefox.exe

pid	process
1840	firefox.exe
1840	firefox.exe
1840	firefox.exe
1840	firefox.exe

pid	process
1840	firefox.exe
1840	firefox.exe
1840	firefox.exe

pid	process
1840	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 5016 wrote to memory of 1840	5016	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 2576	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe
PID 1840 wrote to memory of 1384	1840	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCER "C:\Users\Admin\AppData\Local\Temp\Trusted Root Certification Authorities\Class 3 Public Primary Certification Authority.cer"
1⤵
PID:1864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.0.193992947\116880101" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b54635-b343-4791-8092-2a7a1ccb2652} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 1868 168c4c0c758 gpu
3⤵
PID:2576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.1.1856694710\1262141858" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {772d10c7-9ab3-4ad0-9261-b2863e05cf7b} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 2440 168b7f89c58 socket
3⤵
PID:1384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.2.101801580\1898221663" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1232 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edee585d-d7f2-401f-a61a-8d38b503b051} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3164 168c7a12558 tab
3⤵
PID:1328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.3.2019270976\923658106" -childID 2 -isForBrowser -prefsHandle 2572 -prefMapHandle 3580 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1232 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4126fec0-5be6-4b35-9161-e5de0079c692} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 3584 168c9791158 tab
3⤵
PID:3056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.4.2052370794\137315345" -childID 3 -isForBrowser -prefsHandle 5080 -prefMapHandle 4400 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1232 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c60ffff-8e8b-48f7-8b86-195bfa071554} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 5052 168cb895958 tab
3⤵
PID:4008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.5.1802747698\699736348" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1232 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0037d5e5-c8dd-43ed-9199-ec72066f05b5} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 5176 168cb895c58 tab
3⤵
PID:4544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1840.6.1177741338\21959269" -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1232 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7da865fc-4b63-4f72-9a11-a493646a9729} 1840 "\\.\pipe\gecko-crash-server-pipe.1840" 5480 168cbebb958 tab
3⤵
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzqgx44a.default-release\activity-stream.discovery_stream.json.tmp
Filesize
25KB

MD5
8c58148f300d316452995314948a7961

SHA1
c63d1f690c7988407ef90c3978b540cba563d286

SHA256
27b42d6f5f50c5f27ed3b1b396d4dd24b7c2ca87fb5c5f435081e964438ad226

SHA512
4ccb6354ec69e6134b8440b1cb43e5be2da1dc265b53695610dbb66b373bd43e8c9089febab497a255adbce67f460585bbc41235fc0a36d046a50d8abfc6fbb1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hzqgx44a.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
ab6eaafb95ee70f206f018482eebbbba

SHA1
98a2542299681ea066433dcdc319f4a06211e856

SHA256
ef5b2f1e70d8dac8beaa82adaf36dfabda8869059c85b84cf915739a9c35d313

SHA512
23729797985ad0020c18e1ea4478b7d96ddf975c69c97e136d6f4653bf2803e0db3b568261d42353bc46fda7e4fc289c472b1b137f260f436a80b1f749727c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzqgx44a.default-release\prefs.js
Filesize
7KB

MD5
be11878adf1746e4432ed7a28e117652

SHA1
475aafc5f280ad65ecc694573cb39ef16d30426d

SHA256
c37dfe0925e175015b2005d295503338d4f11470e833f3076a5c9360aa3453a2

SHA512
bb71d8fe245637f3b02610d851b7bd53030aa811dc3ef0fb49087a7c241ca6c901d259f45235cfc58126a3b0b7491ff080eb64ae52f4d7bf391dfce8168f03e4

Download Submit