hxxps://drive[.]google[.]com/drive/folders/0ADhGpLioWrjcUk9PVA

Analysis

max time kernel
57s
max time network
56s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/0ADhGpLioWrjcUk9PVA

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

21 drive.google.com
25 drive.google.com
3 drive.google.com
14 drive.google.com

flow	ioc
21	drive.google.com
25	drive.google.com
3	drive.google.com
14	drive.google.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4916 firefox.exe
Token: SeDebugPrivilege 4916 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4916 firefox.exe
4916 firefox.exe
4916 firefox.exe
4916 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4916 firefox.exe
4916 firefox.exe
4916 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4916 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4916	firefox.exe
Token: SeDebugPrivilege	4916	firefox.exe

pid	process
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

pid	process
4916	firefox.exe
4916	firefox.exe
4916	firefox.exe

pid	process
4916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 752 wrote to memory of 4916	752	firefox.exe	firefox.exe
PID 4916 wrote to memory of 3668	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 3668	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 5112	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 3280	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 3280	4916	firefox.exe	firefox.exe
PID 4916 wrote to memory of 3280	4916	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/drive/folders/0ADhGpLioWrjcUk9PVA"
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/drive/folders/0ADhGpLioWrjcUk9PVA
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.0.353443172\2086870192" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9809d427-cbae-447b-b767-ff2184ab5999} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 1776 22c29be8d58 gpu
3⤵
PID:3668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.1.900564835\433336523" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ee3167-12c9-461d-8121-576ea1658c2d} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 2148 22c1776fb58 socket
3⤵
PID:5112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.2.1091255883\923801832" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9eaccf-af3a-4031-a277-b2e0e61dd65d} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 2904 22c2dad4458 tab
3⤵
PID:3280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.3.136575363\1553203727" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3709f87d-e420-4994-b7d3-80afaa0adcd7} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3544 22c2ecbf858 tab
3⤵
PID:1488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.4.301258722\1291434993" -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4748 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf82d7a2-6c13-4c8c-8d96-58f231970853} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4640 22c2ff8c058 tab
3⤵
PID:868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.5.1248641994\2000637408" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22ebab58-1cf6-4fea-a2b0-359eb9883544} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4884 22c2ff8cf58 tab
3⤵
PID:1836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.6.936531865\1879182807" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d726c4c4-f673-4a3f-bb6f-8029aa49f7cd} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4640 22c30d8b258 tab
3⤵
PID:4660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.7.202450916\965990014" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5420 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0f376b-3187-4f74-b953-f1391b57be16} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 5528 22c17761058 tab
3⤵
PID:4196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
c6fc3a7ef7442b6c0eb27697d41c623c

SHA1
07bbe273ac69c917d9919ee04c8147dce6d49edb

SHA256
561d19856d9eacbe8471c159714aaa3c04349572933d653bb13044370fbfa680

SHA512
46ddb2a449a10f27bed9b522f3bd75ea8b9cb48eac95ecf1053025102d1ca2bd1ac84d6a0f90ed635d5b72eca5a2b96db0b7528d98678a47e88239526f0f447c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\59ea58a6-23b6-4a6f-a616-03d8bfefbd92
Filesize
746B

MD5
218f3d462817f8d2ecc87bcd6acd78f9

SHA1
3191d424c7f26602e240d37b339611d1b017d27f

SHA256
3fdd9bc264557ba8706b09f1837a991eab3b8de47d5d89bd163711a1e62328ba

SHA512
94b69413cd8366fbadd1b107706f074170facaeb930e17fe8c4e2e8cc572bb64f320d97b3a9458cbb88921bf039682f8aec4fa5665e47b9f84ee1a368c4d7f52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\cc17e434-8a3f-48ab-9f1c-6c0df156d706
Filesize
10KB

MD5
2208e4ec32c83cab22bb2e0f7c346ffa

SHA1
63774b0177fd5a03258583e5aea99a56f1f6c30a

SHA256
b69c21ba140a66d5015a082274088e9e8bfdf4fb73797ff1ca34225f34ff5059

SHA512
49d71058762f3a9a81ef7700145dd4a4cd7d2ac2a7d87468f408e95a6df1188b9ef06cc9d03184c593ba2304a8ac9b5d9edefb04c4300b0a24c1738cfa1873c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
2ffdd530085c8921ea2fe200d4ecb45d

SHA1
b17d023dd3181a86eff23d7d520f3162b1a1c8fe

SHA256
55506ccd881fd1440558302ceea278f19b3050c213df30762b19498b7fba7651

SHA512
659520f2f4a947b67137ec3750fe1d19064a028fc431a6664b018aad7e2bca7a3c6af8e5819ae079f3ca11c2ab6191b8d7d282da206bdc6cef53cefa1a82a819

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
6KB

MD5
07495f3db26ab87951e8f97a6c0a7bf6

SHA1
b9e6c0c33d83b4fd9751aaf59dcc4c1721450694

SHA256
3de27f3b46a8bf9adba75ae31df2b0a52fb9b45af1225419ed6e094430df4b8e

SHA512
1874cc031a17adf2e9648daa97726259e7e4edd0ed1a744e101584c6fe7287947a650649ac103085a13b9d80e9a0a9202a02885b135602fd1e183ef95674edf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
6KB

MD5
aef3d340a20b5154b9df699afc7d2891

SHA1
e55ebc69a97989a959426c73a901244e5a7d7e2a

SHA256
017ce93f4cef407f2c6c56755a8511a2d192e2cddfe3b43a8f14e0ac79e99955

SHA512
bc4d768a4cec95a57c415b974941c8ba4806eeccb4fe807ce921534b1ad80925633a59d49c2ef2497233d796b199024dc86a08b806ab33d8a8e8358d5de3a11b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
cd1955d71f79b677cab4d36bf59dcab6

SHA1
e48836cfd552dcb4b1c0e4e9465e5c8728576897

SHA256
f1669f03a845a0b9c23a89211d95e8519af11da13f7a7a1fd02b2fb0cb8508ae

SHA512
d84055c2a3619c4e0a6b27cb47e8ddc37c002f2637da59c318cdfda51ae1fe8e8b954dbfaccb5cf1cc3aa8ff0c032b113948567146830f6ec40f76757acd9cd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
94562241402c7004ac75a36622e3ce5e

SHA1
e3475c55460ad3b09106946cd8d704b23682a467

SHA256
ed6c3720786efc4b085ef39eee2f9e6e6e49df61b3340ad7f4ac0da74b9b6098

SHA512
d68a7c9cf64852dc4d7941e3013a335a4478d891a3ee329cdac0fd4ad8e917f83a8e429a6e406cf8eb1246f575377c89584a8bc3d3ab34ed48d8995292131d85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
c50df8a4351eaa54188a8c2271c27bc2

SHA1
043f40620b81e65f476e045452e04db8aa556ea3

SHA256
cd35f3f6e261add55f6a8e2a2fe74af56e94ace977e4307208841a2f734c5eff

SHA512
ab7d5b6dc12dca4995a5abc3aa01995ea294cdc273fc100a95589b95b6f6464d207714e0aacd2d5642420f9f76a1eb3602a8a5fffe07834fbeb1cb9a0b30ecac

Download Submit