Overview

overview

8

Static

static

3

6LLIXVr.exe

windows10-1703-x64

8

Resubmissions

29-04-2024 14:05

240429-rea6tacd53 10

29-04-2024 14:02

240429-rch4mscc97 8

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-04-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6LLIXVr.exe

  • Size

    666KB

  • MD5

    521eee081cb849de670e04d34c4cd514

  • SHA1

    4ddede7c6cac3dcd79c1ddbead1f9d618cb97329

  • SHA256

    ffc3e683579ad8d3eb6c63f13dd540230f4993cf17bfe75b4d364df0a77b8c7c

  • SHA512

    37e3a4dde33d1588c7b3c60a545bada0452d91a7cb38fce5cdeaba8ba95aa88149c565e061a48105c2d30dfb9089499a40cdf6a4d182e59ea7e6c17c151e303d

  • SSDEEP

    6144:/o+DAQJApVUh2pyAtuEtCzvF5vGau6MSFcrbWuTA6Wl0NAnFBzh63b42ZtX+lnfS:A+ayh45FZRbwquFLkfZgdf2GFZKMz

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6LLIXVr.exe
    "C:\Users\Admin\AppData\Local\Temp\6LLIXVr.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color B
      2⤵
        PID:2168
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.0.513039397\1909610331" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ce6576-1601-4806-8f4d-e345802adbf9} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 1796 1a5110dd558 gpu
          3⤵
            PID:3000
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.1.1101205376\1130758690" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8944e346-ff66-4b1e-b148-623596c95191} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2136 1a510c3b358 socket
            3⤵
              PID:4432
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.2.1997007933\799519624" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8a4fcbd-467d-4126-8e8a-bcae5491f6a1} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2720 1a5153dc858 tab
              3⤵
                PID:4592
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.3.656142722\1160031151" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc5ce47-3e45-4967-997c-447454ae1433} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3412 1a5138cda58 tab
                3⤵
                  PID:4620
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.4.1067585816\337383731" -childID 3 -isForBrowser -prefsHandle 3548 -prefMapHandle 3612 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {973acb4f-1292-4f2e-be00-3d59a27a9538} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3396 1a5167e3b58 tab
                  3⤵
                    PID:4752
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.5.1224848837\1088084636" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4796 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5784d6-3d94-4536-8a83-1fb26d2ed9c6} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 4804 1a5167e2358 tab
                    3⤵
                      PID:3412
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.6.18982729\691531313" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8569cd53-ce61-45c8-b9b4-ac24cf929a44} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 4744 1a51756b958 tab
                      3⤵
                        PID:1932
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.7.1649092469\841519530" -childID 6 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17141ee4-9490-44a3-91c0-971161dfda92} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5084 1a51756c858 tab
                        3⤵
                          PID:3708
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.8.1222226336\706089320" -childID 7 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7600e43-0849-4a55-9bc8-f51c0cc8f96c} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5556 1a515d7e958 tab
                          3⤵
                            PID:2724
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.9.863789307\2123072619" -childID 8 -isForBrowser -prefsHandle 4244 -prefMapHandle 4732 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6570598c-0bcb-4bf4-ac1d-859f4d69f0bc} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 4492 1a519530b58 tab
                            3⤵
                              PID:5028
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.10.1998536468\586889012" -childID 9 -isForBrowser -prefsHandle 4864 -prefMapHandle 4712 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f0dfe03-9630-45df-8c82-bd976f832e10} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2640 1a519531158 tab
                              3⤵
                                PID:5076
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.11.1328401738\2069236353" -parentBuildID 20221007134813 -prefsHandle 4300 -prefMapHandle 5940 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f45c8029-e847-4313-b1e1-cdaa0afa2a93} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5928 1a5173b3258 rdd
                                3⤵
                                  PID:3832
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.12.905805379\312759745" -childID 10 -isForBrowser -prefsHandle 10132 -prefMapHandle 10128 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15c6535a-a940-4106-ad18-983390e89f30} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5360 1a519fb8258 tab
                                  3⤵
                                    PID:588

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\25605
                                Filesize

                                9KB

                                MD5

                                f5406d89b3a3f9611f83108e2ed35933

                                SHA1

                                2dcc7b34dc42606df592dbf14e4b0a72fb490bea

                                SHA256

                                943f566bb28fff6976673667633b7fdd2550c9c9265ec52a3b2b42b3f253903a

                                SHA512

                                d7cf942ab0e304debd5d34a39a3a19388183812379c88b9047cea03d7bdb8c979f7fc23b708c974a47daece3efc7bb089856c5923c1df34f421fbf27a0742c36

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                                Filesize

                                2KB

                                MD5

                                807af8fd4ddee55ed7282025f755ea02

                                SHA1

                                3ebd4214e16aa920ad1b1c05f73b9084ed6f9385

                                SHA256

                                ad970a8569c0656f9f28fad5a9ef193df06ce6e03528775956dc84346c4ab768

                                SHA512

                                788addd29c35d35922082fb5e67c9f73d00410e8905afae2fa1313ea2caeb165143e88889be418b4df3e9bf3cf5ec44e88f9a19eb76c9a082802416619090907

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\65fef15b-ce4f-45c4-b06b-15c89f8a9ad2
                                Filesize

                                10KB

                                MD5

                                aeb161cf9d3a8c78c279685438de8709

                                SHA1

                                4effa4f0a0693069f20979123f01de7fc3d65d35

                                SHA256

                                f76e0e4ee7e32aeecf8922b9e777e22185e4880965cc9ccf03ad7cdcbf5f4c72

                                SHA512

                                26c6d8606f77ba3fd81d4669b6e13ff087f272805f72534cb321e1c8bb401c31313fa21551ca8892dcf41a5f6d9328252587a7717701a461a557ef6eeba93eef

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\80200ec8-7b7b-45cd-b099-0a2b0d543f24
                                Filesize

                                746B

                                MD5

                                4a52982670a4a207b4ea3dc7e19db814

                                SHA1

                                351ac81d950ee82c8d073fee154e18a3e8ef6560

                                SHA256

                                fb23a00fc13c8fefb631e6e170c2bac99625d5553f1109339eefc0118b80d385

                                SHA512

                                5f75cc8eccf62732a52b95b5f1a0100a001218cc305c3c43b630d19e152dc70c7adb3e5d1f711c97d0eb0c837065bc5fabc5d0525b4cdf0dbfb97627b2d3f4a6

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                4a712d7a1fc0f0e1b7478ae4619039ad

                                SHA1

                                98edee4b5e8f5d03da1ce2dc6ae93fc1489036b0

                                SHA256

                                12898a42c640b59e5770b62f4ce15b2495d6c7f191495846a3ff9472349fc492

                                SHA512

                                95e68dd8dcfda31e9d2441d2204180f95412e09ea173d6be9ef2353a13e333c61e912262d28ad7622e9b8ade76a1a8e75a01ce4645d42bcd92475c55ec889cbb

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                bc06301fd0696604a669dd35fc59ef35

                                SHA1

                                1a77065f4ca74ee0e8c0eb15b89231d314875b0f

                                SHA256

                                8f6d8f0797540d43c6a92cf807c5e18ba61620ef51749d36409a52ea0dad321f

                                SHA512

                                f2247b849aca928986a60dc9ab03e02ed7186c8f378a73e8abdc58b0023bd1114af8c646abee63fb3aa561037a5f6e2b3cfe9e94ad9f17124018190110a9bf99

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                3KB

                                MD5

                                ee3108555ff8ce7df86f8ff622f6453c

                                SHA1

                                b8d68629d9a494c2e519b5558459e1d933da2999

                                SHA256

                                f6588febaa3ff97962979d8ccc0cd7500b4ca4cf65474bf860845a913325a3c6

                                SHA512

                                ce3b2b67236d87e310428142004a5aba712b55c2969bc3aa8e9a0630312ecb4b05a80836f24fac029018e6a79bc9322cb16a934abd4b04f02a6204a01a9c34ab

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                4KB

                                MD5

                                989b8caa526e2fffa9cd5f8626a2c81f

                                SHA1

                                bb40ec434431692463e0902ab40e1e7507b68335

                                SHA256

                                518746059d60150263ba39b6a0be67100f6cebd16d4edbd9d551f8563ba1da5c

                                SHA512

                                d4256f24ec9f515c488fdbfafd6f7e5a7291b07805520435a2f47688d3fa6d97621b5ec05326e5dcb65310cc5dbbb5c556104edda5b794330219a096a31df62c

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                1KB

                                MD5

                                9b3c169655fc61e253bd084e3712aae4

                                SHA1

                                aae66e9d5f00131830cfb970ab3e520753941177

                                SHA256

                                4af4caf4258117e1de1e15cf1ce99b402e383ff1d32a465291f0df798d3d3fc8

                                SHA512

                                9d03307b7392b0b88507b3d33fbc0053ae820587197ed00354162d6b1169b0d511e1e6645388443aa71f0cc821ead7fb28d8586205395b7ce20103ef80a7e8b5

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                8KB

                                MD5

                                0b6e72e2968c52bd0be687ffe2dcfb13

                                SHA1

                                6d64371345d8168c287083edcf78a81055f12c42

                                SHA256

                                0e531b5227de6726308fea36f51dbb03562f0a2198c6e35a664b538e97d41df4

                                SHA512

                                7287ac0116ad0bee83e531b499c0200e6c17dcd7f59304779f8e49667df6bc6db31ee48b237f93441e4056bc773471300cc55235a442758d7ba364b772e70678

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                4KB

                                MD5

                                a2d6976ca79d8581f70a01724607446c

                                SHA1

                                c0860efad9a573d2d4577a01747825550e89005d

                                SHA256

                                05c60a080beb07cc1218c0da6a9deb9b1817167d98778ed4bbc8d7f0f28828cc

                                SHA512

                                f78db6bb46d914e0dd80380550ae90edda97a1c0fe34f276bcd3bbca287e151a0b10a4ff11228fcde03db6b20c267d99a23885bcd05527f1b8d1671cba4fc1a9

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                6KB

                                MD5

                                631f4171cf8132c176cc27b46581108b

                                SHA1

                                ddfc959365d55a506fcea87f848a589a5a7d9a96

                                SHA256

                                e30444426d14ea65e6e0de4ef0ade09112695c949fb280500c1c09176ae0a0d3

                                SHA512

                                aeb7fe6b61ce3d5ec5b8473b26b9892b4c98cbb493c01255e2a765a420fe8d4a4e8e0560d0e93d0aa272ee524ec77deb479d409ebd9974a7fe148d4135c764b9

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                8KB

                                MD5

                                0bb6e6e3095103b6bf6bce7bd77c46fa

                                SHA1

                                1c6ebbcb4c7ee023fc4622dfcdae15e00a41e908

                                SHA256

                                9ec677b595d8622f4a13d8076152baa49c7d0fa64b4f95bf5c12f152e61f71fb

                                SHA512

                                909f4076a7848ae51f099857b4c58f05a455bc4425811f4228029b73a7881b6cb38ae1161be83cf2b4662c7edbad70fc8f6a627b809450bd561da6e8061ebf52

                                Download Submit