Overview

overview

3

Static

static

3

email.eml

windows10-2004-x64

3

01) Muhamm...CV.pdf

windows10-2004-x64

1

2) Life St...ot.pdf

windows10-2004-x64

email-html-2.txt

windows10-2004-x64

1

email-plain-1.txt

windows10-2004-x64

1

Resubmissions

22-04-2024 19:38

240422-ycgn5sfc81 3

22-04-2024 19:32

240422-x83qtafb59 3

Analysis

  • max time kernel
    222s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-04-2024 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    email.eml

  • Size

    740KB

  • MD5

    b0bf0688ac54b0ecadc5bf56dfd6b08f

  • SHA1

    90fc59ef7d5ae4de924c214929aad7d63a2e59cd

  • SHA256

    3b9865a2242b817605bd082e44d98e639e2e3e7688e2a6d74fb5783b5c2b0239

  • SHA512

    dec34e821e25c6f4a0e194a84326aef7f62ff2cda72e0f57b0010f2267b9db65d0b03218e172ee7740f29bf21c13eaf1976d70859f2602c9d36019d74d9d3085

  • SSDEEP

    12288:euWYZbII/dZRTl0EveIrmWt6rdEITbSDNPlk+tcl5XUfiaYFxx4gGBhoU6Wms:k4UI/T0EXymkdEzjKl5k6HFxkBIs

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\email.eml
    1⤵
    • Modifies registry class
    • NTFS ADS
    PID:2188
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2996
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.0.1040071326\778132874" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb41db7a-5e6b-4e93-a8a9-999ec7e2da97} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 1884 1aef0123258 gpu
        3⤵
          PID:2768
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.1.1006897235\2088731534" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3b0485-2656-41f0-99d6-f7f0192dbf6d} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 2452 1aee3389f58 socket
          3⤵
          • Checks processor information in registry
          PID:4940
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.2.1243376510\448694491" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2976 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0395704b-bc68-4282-8ef3-418477722fd7} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 3032 1aef29fcc58 tab
          3⤵
            PID:1604
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.3.834703304\1690086789" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb235b4a-d3f6-4e4d-abfc-f0a2d281f297} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 3676 1aee337ae58 tab
            3⤵
              PID:3716
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.4.1550504499\72832808" -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5272 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {303421e2-b7b1-4c7a-8c01-211e7077a80f} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 5300 1aef72e8858 tab
              3⤵
                PID:2296
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.5.169647659\1539279112" -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5298783-6908-4144-bf2f-718ec3324201} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 5428 1aef72e6158 tab
                3⤵
                  PID:4288
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.6.1782104252\1113873028" -childID 5 -isForBrowser -prefsHandle 4568 -prefMapHandle 5220 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c42d08-45e0-4bd1-a098-bf72e3c16d22} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 5172 1aef72e8b58 tab
                  3⤵
                    PID:2576

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              System Information Discovery

              2
              T1082

              Query Registry

              2
              T1012

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp
                Filesize

                24KB

                MD5

                0be56799bdcaef1862d25f615d9d987f

                SHA1

                993d2f9276ff6cf34fc24802a081d4f82e3fc778

                SHA256

                b5dd1724a7132fa1b0cff550eed3b132cb9a222a035015e94825b2b9efcd00db

                SHA512

                44227d497687413fc11550fdc3240f0f64abc84034c3cd0cb879d1c5777cfcb1c28fa1cf9abc2fcdd8bcc8a361e3fdbdf2ff206f327718882b745550cf796500

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
                Filesize

                7KB

                MD5

                33d731c7182763dcf75575dc25779713

                SHA1

                7699129d9b4d68d05b53fbc07d909fd564154aac

                SHA256

                36e3cf45f35b3f02f1cd656ef6a2bdbfdc26c840d0ea7bf64212faa86e1dffd5

                SHA512

                f4f81941910f88db1e8c3ce0c10c6cde3ff27fea123ca73a32900e5819a5b6250b4f0930460dd42e02bb63e91b0816bbe1e43afbccea05e6dc7a330ed8445129

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
                Filesize

                6KB

                MD5

                7fb20cd09ee1b8ac9ab048b57d875915

                SHA1

                71bb1a972949f87c2bb1dd14aa84b643b6e1087c

                SHA256

                354346ee7e6844e292ed45517d607b60de5ac539d7bc8572b8975cde87d25ca6

                SHA512

                2294031f07cef207633685583e2391f1a2715926eea7660beb7110a02862d153fbe78af5962e2251740d695e863a7ba179d23af990d941acb8a7207106ce49bc

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4
                Filesize

                903B

                MD5

                3161df922f57442e5ccf0ae2bc02ee1f

                SHA1

                7e1dd445a6c4dc649bfb70a82013da330b2ec945

                SHA256

                fdd5e0776c9e9aa18670f8048f02814d0c528d9ad578bb592bb7d69e910ce2c3

                SHA512

                a2980601880048475060e23bc131ef857a1e5bc2ba67c94022c2ba22131c0fe2e56fc29f13cfa490024992b14399a72c68b6b71c62fab990e81e8e2867d86c5c

                Download Submit