37007796bbcd4370c8e562d2d80f99706c5e0910d866cea567b5c5da71f3fc2c

Analysis

max time kernel
154s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FirefoxReportLogs.exe
Size

1.8MB
MD5

ceef4762b36067f1d32a0db621ee967e
SHA1

d23da38df6b0fca8c524b641c59c700a2338648e
SHA256

efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb
SHA512

6301871a95e48f2873b60c706757af38d956c895112f14c28eac4c4a83456a1acdf15d0a5b1cd35f267a4149dc78b2469c427bde6a1bf5aa99de51d5e824d1b3
SSDEEP

24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirefoxReportLogs.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FirefoxReportLogs.exe"	FirefoxReportLogs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FirefoxReportLogs.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FirefoxReportLogs.exe"	FirefoxReportLogs.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\http:\15.228.77.178\ytr\serv.php	FirefoxReportLogs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1584	FirefoxReportLogs.exe
1584	FirefoxReportLogs.exe

C:\Users\Admin\AppData\Local\Temp\FirefoxReportLogs.exe
"C:\Users\Admin\AppData\Local\Temp\FirefoxReportLogs.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-0-0x0000000000C50000-0x0000000001C50000-memory.dmp

Filesize
16.0MB

Download
memory/1584-1-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/1584-2-0x0000000000C50000-0x0000000001C50000-memory.dmp

Filesize
16.0MB

Download
memory/1584-7-0x0000000000C50000-0x0000000001C50000-memory.dmp

Filesize
16.0MB

Download
memory/1584-15-0x0000000000C50000-0x0000000001C50000-memory.dmp

Filesize
16.0MB

Download
memory/1584-21-0x0000000000C50000-0x0000000001C50000-memory.dmp

Filesize
16.0MB

Download