Analysis

  • max time kernel
    881s
  • max time network
    890s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 15:47

General

  • Target

    Windows Anytime Upgrade.lnk

  • Size

    1KB

  • MD5

    dbd8d6b1de75c4cef7388656ff239675

  • SHA1

    32d04210f219316840dfa95377243adeda0a2e84

  • SHA256

    72e961b79fe41d668101d78bb7d5bbc21472ff2c8d3db3e0dacb485a13201b38

  • SHA512

    1ad47a07d59a1ffff9c6d0e3e1ad5a66c8a7b4a4b0e004ff44c35ef99ed7f18a413749c3ca7b574562aca0eafa3a81a6eab0f2cc588cf1accdc3589ddf3430bd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Windows Anytime Upgrade.lnk"
    1⤵
      PID:3424
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10af9435-ff61-4c6a-bfba-e9fbd169531f} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" gpu
          3⤵
            PID:1892
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a88744bf-387e-442f-aa4e-cc61bb9ab91a} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" socket
            3⤵
            • Checks processor information in registry
            PID:4888
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2892 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08e328e-f55a-4fad-8a22-c0b555a4229d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
            3⤵
              PID:1644
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -childID 2 -isForBrowser -prefsHandle 4212 -prefMapHandle 4208 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5719e198-76d0-441a-a14e-66247c2dc4f9} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
              3⤵
                PID:460
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {311c57e9-01bc-4e59-80d7-d57ce3252e3d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" utility
                3⤵
                • Checks processor information in registry
                PID:5156
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5148 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {838ba352-4525-4107-bcf3-42be4be5b5eb} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
                3⤵
                  PID:5436
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2f5dcf-0848-44c6-bf6d-7ea944323ba3} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
                  3⤵
                    PID:5448
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29565cdd-4249-4db8-aa33-528f27ccd5e5} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
                    3⤵
                      PID:5460
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5984 -childID 6 -isForBrowser -prefsHandle 4432 -prefMapHandle 4428 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4419893-b7d1-4508-98a2-ae4b4f9ad207} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" tab
                      3⤵
                        PID:924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ihcffylf.default-release\activity-stream.discovery_stream.json

    Filesize

    18KB

    MD5

    80d3804326046eaa7bb30464324f6d4b

    SHA1

    b7a90df600f743e76050f8f903a72b3e9b230625

    SHA256

    9005b3fa27c680ba53ada3bb951c0d4ee5634015acc01571ce5f7bbdd541afce

    SHA512

    5199d4eb3755da459671199cef0961c30538cd968cc6142b5ed304554dace5f33874f99877ad2b0cb724243e33dd36c4b36ecbf57b79b4ef9a10c9449aeb6d76

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp

    Filesize

    5KB

    MD5

    3a98214341df82115b37c2de47676a13

    SHA1

    69f50702e261efc3569cda2f85cc1c4d62a43ca8

    SHA256

    54779cefd06dc284de93c77167b9c4a68b7544948c03ed95db1c839d13d3e2df

    SHA512

    1906a1da3ace6fcefeb8aa4a0fb4aa9b4a0681fe42f7b50348623972b52708b178d6fbe6f56565abfa3802010eeb840a20943010c393ac76f0b283c91592c51e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\db\data.safe.tmp

    Filesize

    6KB

    MD5

    11e32defc47e94d642db1bc2c4f764b7

    SHA1

    2415783e6e400f9f78333158ee03ded927f763d8

    SHA256

    7719dc2bb2b0e6a3b6fb6fd7e6f7024727b422e0b99edf50557943f90a21c979

    SHA512

    67ec89a35bacfb453878c20ae88a396534c5e71dd7aeefb5b66b3ed4eca8dae025198b72ac615f0ea6fed9080f96c206df696421365fbd707f9d70ead58889c6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\7517cdcb-11a8-4445-8b7c-73002469b7ec

    Filesize

    26KB

    MD5

    ade1cca9d4bb23e6681ca13f2effbe2d

    SHA1

    46d9a7ec6cc6d38e124824fc5cc30cd8db88c153

    SHA256

    efe694829d2dd89b956f65a78a7eb98e2d74cbdd408a5e49b96e830b9cf9f0c9

    SHA512

    8ef4a94f40f61f32f6f3793bc4647cf20afe1279f8ee665f24922406c64b3a40959f899aa02cdf6ad34772afa919a6bfc846a21a1caa48a0c07028a689fdb9d0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\b53c4835-a6b1-4880-b760-834cdf6be3fd

    Filesize

    671B

    MD5

    879e7437d276bd0633c07c0dccb78a95

    SHA1

    ca2bbd9cdfa466baf15a3981c37a4924183670ca

    SHA256

    6b11a7dd9bf0e4e537d566941a6c17c2fb666dca193ba84b5c1dffcc9043a19b

    SHA512

    9b8f7e3e49c62f4bbeff0d26d0faf7d9138b92642fbf580655930312ccb828355fd9765b77e6a8be572c37f761f930b705796800867e09c6ed974018a1f179a2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\datareporting\glean\pending_pings\cb8d241e-64f9-4dd9-b8a3-6032c1cb210c

    Filesize

    982B

    MD5

    3a71f3297e5c6ac0db997b7990afa7ca

    SHA1

    1b24906420712df54943f6adb4e8872e9c152358

    SHA256

    7afcd12e75d864a98ca9935307d0cf21055be9648a5b0c1a4b1d43d252e40489

    SHA512

    242991c89a094306ed80c17286e6a79baac0e7dc22ba7d2eebe8fc0b2a920449af8836d46366d8362c5c86b822b9814eace8f2a74e646af8ce703e3e17ecbfe0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\prefs-1.js

    Filesize

    8KB

    MD5

    69adc07637039801438bf72f93a6719d

    SHA1

    31cadc28d4572f7dd948efceb42539ebe60a3939

    SHA256

    a3c4c419cc151c3772b5e509fcc602431d34453d7c9eebd091b077e783b593c0

    SHA512

    c7add440052a84a4f0c332df2dde5e451a1af17f0e552403c61e668727a088d8ae647604e675cfffd4080d74e248c6f2a48e5633189621a95aff9ac85a1bf7db