7b6e9e2db641c88e98f324b92a88034a7ca19c3f5d180b7e6882a478fb8fcda8

Resubmissions

24/04/2024, 18:44

240424-xdfb2afb7x 7

24/04/2024, 18:17

240424-ww1j9aeg4z 7

Analysis

max time kernel
77s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vvchmqom.exe
Size

2.4MB
MD5

fef437e0d3b39c1d66940200a6ae92f7
SHA1

1a30b28813c5d153aa8335ecf1af0cdee90a2ccb
SHA256

7b6e9e2db641c88e98f324b92a88034a7ca19c3f5d180b7e6882a478fb8fcda8
SHA512

daa7354f2a3b0928645c1c0eed53ea46c41b4004eba11c5c19e73f49711e915ca5eea23169333b8599e6ed10e2d3312272bc647fbd94ccf2d6ae2443c4e19483
SSDEEP

49152:X640cBt1N6IQjfYuSP6bn5lvr8tsc4ABskrucI6fqc9kxoR4Holu:XD/t1N7uUg5lz8tsnA/iPJcqfolu

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vvchmqom.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vvchmqom.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
468	1796	WerFault.exe	85

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vvchmqom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	vvchmqom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	vvchmqom.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1796	vvchmqom.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1796	vvchmqom.exe
Token: SeDebugPrivilege	3476	firefox.exe
Token: SeDebugPrivilege	3476	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3476	firefox.exe
3476	firefox.exe
3476	firefox.exe
3476	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3476	firefox.exe
3476	firefox.exe
3476	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3476	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3016 wrote to memory of 3476	3016	firefox.exe	107
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 4072	3476	firefox.exe	108
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109
PID 3476 wrote to memory of 3368	3476	firefox.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vvchmqom.exe
"C:\Users\Admin\AppData\Local\Temp\vvchmqom.exe"
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 804
  2⤵
  - Program crash
  PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1796 -ip 1796
1⤵
PID:440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.0.686609531\2085329308" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3e4aba1-e300-4b58-96f6-e1b5471ff34b} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 1852 1d11a307e58 gpu
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.1.886622424\613093055" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb5491b6-0bd8-42a6-83c9-a6b36759d165} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 2420 1d10d589958 socket
    3⤵
    - Checks processor information in registry
    PID:3368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.2.2018326331\615686138" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27f87b05-7475-4d08-8ed3-f098de43240d} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 2960 1d11cbd9358 tab
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.3.841449303\607574629" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {439404c4-2b89-495d-ac00-4c72542ec86c} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 3684 1d11f272258 tab
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.4.1276816655\139496469" -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5332 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b012e81-1294-4775-9469-1253ed9b8798} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 5352 1d121306258 tab
    3⤵
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.5.491422659\761372394" -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59fd5771-6e19-4015-b4f9-5cb919a861c6} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 5572 1d1213b4a58 tab
    3⤵
    PID:936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3476.6.106573600\651260115" -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5456d9e-4e63-4896-b83c-20bd1e6831ea} 3476 "\\.\pipe\gecko-crash-server-pipe.3476" 5764 1d1213b3258 tab
    3⤵
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
0b7156bdde11225b003f785f025fcfaf

SHA1
f9c331624aaafe504be48002521bbbe49180b1d2

SHA256
ac48b03737a1841ab0868e254aa9d93bddfec27bdbd22d6caa32b6be2715145b

SHA512
ba1e3ced55691928eb723d77356da9cbfb1c5eabbdd5d3db5f0520f9fe9515e95d0ada9430e1ec2f5e4bc1b6c9dcfa4095a66df95d886fbd4e15e54594c15780

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js

Filesize
6KB

MD5
48d870cb695f010d3f07f3e28c6bcd9a

SHA1
e9ee776f13f62d06d9edd945df16807ba709e7f6

SHA256
0c4e0870737f96b8ac438cc69d4309a8c470c91e8cc7a595215deb0ff7185a25

SHA512
0b02c1953737e79ae87d2a82156b559c6933fe35523d661e965736d75a10254339c171514def4cb0cc67aa34a7ab6a7d516a6bbc79b44eb2701960fb77ed26df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js

Filesize
7KB

MD5
3564b064759b0e9a17af09b9faececb8

SHA1
11b6ed00c66e60e4620f47ed81140d2c591a6cf5

SHA256
84efd410bb30ce96c2c7fcf7ff8a770b105613807958289b8f8356d36016bfa2

SHA512
c698fa515cc88a69a30af527082189ebd52dd17d0b9d8e42c6ec9c1d9f544dd1b23a19e217d9e77b3530cd43eae6d47c0bc7173a21242b37fb2f07bc00b7bff7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js

Filesize
6KB

MD5
74a1c0425ac3bb6059b80351f16fc2d9

SHA1
f0f1a94bcdaa7244ba71e81ed95e63025de83c6f

SHA256
d5e6863a01c104728b5170bb725a60354aa75e7a7e612cab1bef77bb40d8819d

SHA512
cdc4464af6a8307e0886053d720965bafaad596eac713e6f74314b6dd78f8a0408e2f634095c96bf43aa3f168df13b8cba5a67b6a0385edb970e5e9ed6676eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4

Filesize
904B

MD5
a7559d16b5c7a3f46c05d4d11d9a2759

SHA1
1987a7eb3e8786c0ce86286bd09cf47652d7e5c5

SHA256
8ada9bb473c6729e945b4935a2ebaa38eb82fd65c4817a6565632a67b956eb4f

SHA512
a4e11823cef6dc75c8410e7eedc88d8b3e43fcb9bf5e1e212eac6e5aa4a3ce4ff50d9ca92a5128212fcdbe7bc06e728a3143a01494171aceb43f084849c65e4c

Download Submit
memory/1796-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1796-6-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1796-8-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1796-9-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1796-10-0x00000000030B0000-0x0000000004F31000-memory.dmp

Filesize
30.5MB

Download
memory/1796-11-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1796-12-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1796-7-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/1796-0-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1796-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1796-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1796-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download