Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28/04/2024, 15:47

General

  • Target

    Windows Anytime Upgrade.lnk

  • Size

    1KB

  • MD5

    dbd8d6b1de75c4cef7388656ff239675

  • SHA1

    32d04210f219316840dfa95377243adeda0a2e84

  • SHA256

    72e961b79fe41d668101d78bb7d5bbc21472ff2c8d3db3e0dacb485a13201b38

  • SHA512

    1ad47a07d59a1ffff9c6d0e3e1ad5a66c8a7b4a4b0e004ff44c35ef99ed7f18a413749c3ca7b574562aca0eafa3a81a6eab0f2cc588cf1accdc3589ddf3430bd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Windows Anytime Upgrade.lnk"
    1⤵
      PID:3848
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:2512
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25455 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f496fe-b286-4c99-ab14-cba3fc23e6c9} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" gpu
            3⤵
              PID:1508
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 25491 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87b9d0fd-aef4-4327-9a39-2df32796d3e3} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" socket
              3⤵
                PID:3520
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 25632 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2016bb68-94b5-4fcd-963e-83157dca7007} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                3⤵
                  PID:2764
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 30865 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b295608b-bb58-431b-a309-c42af010b417} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                  3⤵
                    PID:3968
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4392 -prefMapHandle 3676 -prefsLen 30865 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d70be5e-3bc0-45da-b060-febf3f008cc9} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" utility
                    3⤵
                    • Checks processor information in registry
                    PID:5244
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 3 -isForBrowser -prefsHandle 1500 -prefMapHandle 2580 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39434bd7-7162-417a-b695-a47048629fed} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                    3⤵
                      PID:5588
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2596 -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5236 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02e3c32c-7bd5-4a81-a997-66d54be69c99} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                      3⤵
                        PID:5596
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b67351a-4669-4431-85c7-6db00e9c4c50} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                        3⤵
                          PID:5612
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -childID 6 -isForBrowser -prefsHandle 6012 -prefMapHandle 6016 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {061c11bb-1977-4985-923b-84c1486f66c4} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" tab
                          3⤵
                            PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\le59fmg0.default-release\activity-stream.discovery_stream.json

                        Filesize

                        18KB

                        MD5

                        da4e3cb564934c54b8a6c1c54e433150

                        SHA1

                        84e499a1ff131fde989aa63069ecb7c92c751c7f

                        SHA256

                        b4943ce0b2c09320821e9204ce32fee4ccff8f6887dc56b5a8f9c67db1bb9653

                        SHA512

                        c95efcd264110dc397bc0ee636221de24d64f7120ff5d8c6a2ff990a59310afc57ecff0266dcb1842596f47742d620bba966da3d50b28ab0eac5cc887c5b4210

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        5KB

                        MD5

                        6a77d0362c78246163b7af46ace9d297

                        SHA1

                        c8c2182fc35cc74813134f978eba22e1f5d331c9

                        SHA256

                        d49e356192af62da29bbee7475339bb0917f74ca07e821bbc158cc0da40b43ac

                        SHA512

                        42792bd3d0f57ece4c422eeadae81e4c7bde8d459c874084703a0d27a54520dac28c7adf46ec66433067d57e3429f993bb3efa5515fa2cdca2e7d2f3d5c12c5e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        5KB

                        MD5

                        4c10f923d084506c36850e7c7df26aea

                        SHA1

                        bc4674df80ade54caf7410fcb2c51161061ba1ca

                        SHA256

                        9cffe133d55f915d5f9d3699dfa77290d64e0861e22142422e1428b8a9378c96

                        SHA512

                        dd7942b235a0b76b1b3ffbfb02548163088ffef792ed2682eac4ab38f67b4125558ca70b62b5027fde8dc4d258b6ccd73ad5cb93e60ab577dd987dafa61a39fa

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        14KB

                        MD5

                        93df9ed1c2d68f052641db5ba5d18a78

                        SHA1

                        62b4eae1b22d474b87acbd0ec6fd8f067219d925

                        SHA256

                        007c7a837d3c13218ec63f47bc783f91c25650b211a8b346c0b54ae51350bd09

                        SHA512

                        230c36aa06a6b5e27c23d2d48ef8f5bf6c6152f5f5b41c95b549798db0726b9f29361c5efef956aec377bc6496f7471ff39bf776eecab996d0f0bb5ddc5344d8

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\1e5e8efd-450f-4ca4-a371-a4ded999fb64

                        Filesize

                        671B

                        MD5

                        443e5e61d34cb934bd4b7a69f25b90dd

                        SHA1

                        980128d59a90c10f1453cb4ec74f27a44f2851d1

                        SHA256

                        32b886551f956d30caf4dbfd8568aa2259569998f265098462dc22694b70a1f2

                        SHA512

                        31c8a8a121b9bac46a580bb239a4db88afd200089078f2071ffb70d41f5d19e0565a3d1178df1b673a0eba3dd3859b3cbf8e03b70cfbb6716d2e075d243f48ac

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\509699ed-585d-4869-a6ea-84d8bfda1b81

                        Filesize

                        982B

                        MD5

                        85084740fb86e1c6cebde9d96c350514

                        SHA1

                        58ba39544edcc06161a2cc6043f61767ee868432

                        SHA256

                        56c1143ce567b82edd3aea1273f36e11f80fe5583a246113f5168a7e4fa1fbb3

                        SHA512

                        64065ba63a9cd8fe7e747f55d70c2f1ead7553c6efffd2134e6e3df5fd38d0ad2bb36340dced36ef7b6c71dbc76639036b009b0ef425a64f9884fe46b492d3b0

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\a57df662-024b-4a5d-853b-b20c8ded3247

                        Filesize

                        24KB

                        MD5

                        e4a4458010d2409dc97a68beccfab302

                        SHA1

                        4f1fcffac6abb688748abb4d5aa74509681402d9

                        SHA256

                        8ea1ebc0bf0126ef73fd8f449434d0039a5b0b8bc0be27ecd7aaeaf987143f61

                        SHA512

                        f130404db48f1d40ccd0e776ed8382f14fdc59f337cb98a4624dd37ae5df451bd2f2880722b94ee62c46818e971d6836f0496d1fe324229fccff2a037a62c227

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\prefs-1.js

                        Filesize

                        8KB

                        MD5

                        6b93742ab5b7a510427a2f1e23072e02

                        SHA1

                        3f38008d56e166ce3d6a055cf6cacbd6070aec68

                        SHA256

                        9f48c8df85f0a276404afc5ff074f584ab10f7dc6f52711211d043fa0dfce8fb

                        SHA512

                        a23ccd85237ac65ff79c426406b4e3946046277924070cf628052aa2207a389b01adfb34fda7be4d5bac60a169b5a8eee1788def89c3a25350124be650bb367d

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\prefs.js

                        Filesize

                        9KB

                        MD5

                        1ff368d80901e644e3cc59b26cc4f6dc

                        SHA1

                        1c6b30374f46eca18a5cbf512c9fb3052afc19f3

                        SHA256

                        5ad035095a73afdcb3e1d7f6ae14c333238d646bae234a935c9631be425e4f08

                        SHA512

                        42d76cc24e7e3e7245a709a8a3bbc0fac6d46397ab9ed6398db2523bace35cf7e56989d50b32bc7f733d6d04ad8726d552f86f4ecc96c00577774cd6a9f678e6

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\sessionstore-backups\recovery.baklz4

                        Filesize

                        1KB

                        MD5

                        54472f65d44395cea601beb78a5e3dd8

                        SHA1

                        3207c272bf589835aa4f3020142cd2dd242d1591

                        SHA256

                        b364645e17b757ca779d0a5be247ae0a71e42f3f522c65ea4ed71a65d2774eb3

                        SHA512

                        16b9ec8a703b979ef5269b225e6c82653e11d7bc59c938fd1d355272ff5872ca7bb64d07a41f5ca3e9a0e789eee1317083894323664c47a92dcfeb52f0268236

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\sessionstore-backups\recovery.baklz4

                        Filesize

                        1KB

                        MD5

                        4983063ecbe34ce60c174bb3487ef065

                        SHA1

                        05b656eb298e4ceb0b270c6f26cb51b35f8aa604

                        SHA256

                        f62898a696eaa6359a3d60b35348a55524c05237ead46ee1817655f77c7d6c2c

                        SHA512

                        1881dce999a450bef474f4acd82482c0cc4270b42fabaf1d1af3470b3b49b342e7c7500da2cdddab6a7770d48a898eafacc2ff4c3ade5cb37627932f65c64a19