Resubmissions
30-04-2024 20:59
240430-zspv5aff61 630-04-2024 20:58
240430-zskleahd78 130-04-2024 20:50
240430-zm2bzahd23 130-04-2024 20:47
240430-zlb1pafe5v 10Analysis
-
max time kernel
74s -
max time network
77s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
30-04-2024 20:50
General
-
Target
http://workable.uk.com
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://workable.uk.com"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://workable.uk.com2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 25455 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3ef157b-117d-40ba-a3f6-8f3a99201958} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 26375 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea2c0e7-4341-4ebe-a9c5-33467ee3de32} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db2b7a64-f2b9-4cc2-a6e3-a514a0d6866e} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 30865 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99828e2e-21cf-4866-870c-1ee9a3a7c916} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4360 -prefMapHandle 4356 -prefsLen 30865 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7581d49-d5c1-4d6c-9d2d-f4040d1f8801} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5224 -childID 3 -isForBrowser -prefsHandle 5256 -prefMapHandle 5252 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba60723b-aca2-4cbc-b764-ec6d48af408c} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4e6880a-db5d-4058-9c32-5f944288cdb4} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {454fdf74-184e-4074-a428-72d71245ba51} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 6 -isForBrowser -prefsHandle 4272 -prefMapHandle 2576 -prefsLen 32091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d705c455-2431-4d43-8a31-d45e37cd739f} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 7 -isForBrowser -prefsHandle 3468 -prefMapHandle 3456 -prefsLen 27795 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a02a97c8-ca3c-4b55-bb48-9372b1f43b9d} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5d59482e0967edda953fef020ebab6781
SHA172daedf38759474c76f88d0514ef2da7a5794f67
SHA256a78826d0f070e048af102171ccbbc80f56b0df392025648f40daa68f45f6163b
SHA51263bc66cc04d75ab28e1abc47fd2a9dffb793b4cc113263c63043df904b35d8d20e2a5423008a0cbaded6dda41cb0cac359099be5eadd67fce8d10fb5aaf7043f
-
Filesize
5KB
MD57879589f834791513150f2787723a0f0
SHA1e4f6e659faeaed741dec6e96cd78d9f4a154099a
SHA2563d055913a11b65e77e23abc07c61e9667cf03574c8c94aa11071a045c72c9825
SHA512c3ea10617b3cd055aa9e2476fe572b0d092a059e2b16389550d7b10709a76c0080a76ae959934913bc77136fc801f9b5c31d03195f329e06a6dee23961aef20e
-
Filesize
11KB
MD51625f76bd8f048c17744cd8228bb1687
SHA139efcc9b4694e700b4c36d2209b29cdf05233921
SHA256f4d7809cb4a37466dac26737ea503f8c0a0ed04e8500cfbfcd2fe6048e5a7ee1
SHA51268cac487000bb5954e8f25bccf0c68a2afb13c791d1810d19041db9de7d4bc189883d7fad153062e2723e18fb80bbc484265a5cb303994c28dc7d40326a6124a
-
Filesize
11KB
MD52d90f1b12ea1e79e2d88f389b7822e9e
SHA17515c42b8e0cc421a8e595fd0522a9fa1b64d252
SHA2565e698f1715a85cc32c734ee62949c141a31cb803a3f2101b160b9296ece7f0e2
SHA51226b9eefc5b33f1d7b44b5b11987a2275663b5fcf21f0b0a9aee647cfd532065d84414d304b5893ba936a59689f08c11abc2391287dc6521c20f76e40e71189bd
-
Filesize
671B
MD5f1794f5c3b2aadad845b601848dcc226
SHA1427e6934e9042b5b915b06c631f6112e898c7535
SHA2568bfe5cf5c2dca4a887328bcca06cec176e3b7a135393c0c4a301b260fb294bf3
SHA512f75b93389f84e18461ebac2d66f2044834a9eb865eb37732fea7bf24a29b59c2057a1616b0e91f8d2c3334f50ac54be6afe5191ce90ce99e3ad7e2f16033114d
-
Filesize
24KB
MD5aad2431b5cfc7e56a90835a56e23f8e2
SHA1fc10e8058b64b68b9ab75093efc2d234393c56c1
SHA25699c42ef4e139f856cff65912485e6acd68598b29e6e648ffa1519f28495525fb
SHA51200a6faeef487768845438611331f299ff790d8f49cf14b22aebf6b0cb42ad653c901316ea658e96e27c3f78be1c550c465f27b4be11cf45109a1ddd206464a6f
-
Filesize
982B
MD5471ddb4f376d92a55645233f374972d0
SHA1762cffffb29ccf4c99f8b8dd73c0000392fd604d
SHA25624b9be7d1f340611183c47fe6a6c6fba09c2a81ca01a659b845fe0fc07b85f4d
SHA5127ebc93f35608f6ba026ed12ea6e54ff11b82e7b8c6c143505f581116501bb475f7c2c4bf057bd651282c1e19b975331babb3b223eafbf101c6f7a1bf4e8e024e
-
Filesize
8KB
MD5e88606b2d1e93003438813794445a037
SHA10cf183d4cb040f535a7a5ed3a78470e92d37ea9b
SHA25695bf38d0b36569e9c28c37d443a1b3cb3c92f6fc343e96430eb9d2f1e33fa5d1
SHA5124fabc7378793923d303bc8d37faccb3a42616b7d3b50a4f767736ddd1fb64cb45d984d4a4730aa6416d9635b89b403e5060bb9202a438cdb64ca880f9c3c85b4
-
Filesize
1KB
MD576174639a16c05158d266a93f846e9d8
SHA1d67b407f5ecf6bce0796f3d2614841bcc2c1db92
SHA256a444120a2b95e1768f8cdeb23b9abea0be5abfa90ebff1078ffa1cd323afd26c
SHA512345b1f5d6c7024a241d5163f1696283400c4fba82c193b0aaeb5e6fd6604c42fb548816f960564024ca0c7ec8a6bdb5daeb7fc0a821ced526afb03f923a90a31
-
Filesize
1KB
MD5b81a9a5e4e994141d0bf17be60bdcb7e
SHA19e67d853ef095a29a09667fcbaa2b4bd04567c9f
SHA256283b4be870a957408be24d976d10c944656b66f27bba2708559c5ad8d1075f93
SHA51235abeb7669b2bf1657257e2409df0ae378774643e18996055213c2572c012199c8ac5494b603af9714a0eb05303ce125bcb9efdd3a1428a70d61e70d8a46f5c5