Analysis

max time kernel:   129s
max time network:  135s
platform:          windows10-1703_x64
resource:          win10-20240404-en
resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted:         04-05-2024 06:25

Static task:       static1
Behavioral task:   behavioral1   Sample: file01.ps1   Resource: win10-20240404-en
Behavioral task:   behavioral2   Sample: file01.ps1   Resource: win10v2004-20240419-en
General

Target:  file01.ps1
Size:    1B
MD5:     c4ca4238a0b923820dcc509a6f75849b
SHA1:    356a192b7913b04c54574d18c28d46e6395428ab
SHA256:  6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512:  4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

The size and digests pin the content down completely: these are the digests of the single ASCII character "1" (0x31). A PowerShell script consisting only of the literal 1 evaluates that integer, writes it to the output stream and exits, so the signatures and process tree below should be read with that in mind: nothing in the file can spawn processes, touch the registry or schedule tasks.
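Added example, not part of the sandbox report: a one-byte size plus four digests is enough to recover the file's exact content without the sample. The script below, written for this page, embeds the digests from the General section and enumerates every possible content of that size, returning the one whose MD5, SHA-1, SHA-256 and SHA-512 all match. The `max_size` cap is an assumption of the example (256**size candidates); the digest values are the report's.

```python
import hashlib
from itertools import product
from typing import Dict, Optional

DIGESTS = ("md5", "sha1", "sha256", "sha512")

# Values copied from the report's General section for file01.ps1.
REPORTED = {
    "size": 1,
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b3"
              "7b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}


def digests(data: bytes) -> Dict[str, str]:
    """All four digests the report publishes, for one byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGESTS}


def report_is_consistent(reported: Dict[str, object], data: bytes) -> bool:
    """True only if the reported size and every reported digest match `data`.
    A mismatch between digests would mean the report hashed different files."""
    if len(data) != reported["size"]:
        return False
    got = digests(data)
    return all(got[alg] == str(reported[alg]).lower() for alg in DIGESTS)


def recover_tiny_sample(reported: Dict[str, object], max_size: int = 2) -> Optional[bytes]:
    """Invert the digests of a file the report says is at most `max_size` bytes
    by enumerating every possible content (256**size candidates, so only
    feasible for tiny files; larger ones need the sample itself).
    Returns None when the size is too large or nothing matches."""
    size = int(reported["size"])
    if size > max_size:
        return None
    for candidate in product(range(256), repeat=size):
        data = bytes(candidate)
        if report_is_consistent(reported, data):
            return data
    return None


if __name__ == "__main__":
    print("recovered content:", recover_tiny_sample(REPORTED))
```

The same check is worth running on any report whose sample is a few bytes long: a "malicious" verdict on a file that cannot contain an instruction is a sandbox-noise problem, not a malware problem.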
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell
  pid    Process
  2324   powershell.exe
Checks processor information in registry   2 TTPs   8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                                Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature    firefox.exe

All eight rows are attributed to firefox.exe (the process tree places them on PID 4424 and its content process PID 1504), none to powershell.exe. A browser reading CPU vendor, clock speed and microcode revision for its own diagnostics is ordinary, so this signature is not evidence that the submitted script probes for a sandbox.
Modifies registry class   1 IoCs
  description   ioc                                                                                    Process
  Key created   \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings    firefox.exe

Suspicious behavior: EnumeratesProcesses   3 IoCs
  pid    Process
  2324   powershell.exe
  2324   powershell.exe
  2324   powershell.exe

Suspicious use of AdjustPrivilegeToken   3 IoCs
  description               pid    Process
  Token: SeDebugPrivilege   2324   powershell.exe
  Token: SeDebugPrivilege   4424   firefox.exe
  Token: SeDebugPrivilege   4424   firefox.exe

Suspicious use of FindShellTrayWindow   4 IoCs
  pid    Process
  4424   firefox.exe
  4424   firefox.exe
  4424   firefox.exe
  4424   firefox.exe

Suspicious use of SendNotifyMessage   3 IoCs
  pid    Process
  4424   firefox.exe
  4424   firefox.exe
  4424   firefox.exe

Suspicious use of SetWindowsHookEx   1 IoCs
  pid    Process
  4424   firefox.exe

Suspicious use of WriteProcessMemory   64 IoCs
The 64 rows repeat four writer-to-target pairs; procid_target is the report's own index for the target process, not a PID.
  description                         pid    Process       procid_target   rows
  PID 4140 wrote to memory of 4424    4140   firefox.exe   79              11
  PID 4424 wrote to memory of 1248    4424   firefox.exe   80              2
  PID 4424 wrote to memory of 1504    4424   firefox.exe   81              48
  PID 4424 wrote to memory of 5012    4424   firefox.exe   82              3
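Added example, not part of the report, covering both the "Checks processor information in registry" rows and the WriteProcessMemory rows above. The registry rows name only an image, and the WriteProcessMemory rows give only writer and target PIDs, so whether any of it belongs to the submitted sample has to be reconstructed. The Python below (written for this page; the row excerpts are constructed from the tables above and the PID-to-image map is taken from the process tree) parses both row formats, collapses repeated rows, treats writer-to-target as parent-to-child, and reports which registry rows could come from a process under a given root. Treating a cross-process memory write as the creation edge is the example's own assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows
# (the real table repeats four writer->target pairs 64 times).
WPM_ROWS = """
PID 4140 wrote to memory of 4424 4140 firefox.exe 79
PID 4140 wrote to memory of 4424 4140 firefox.exe 79
PID 4424 wrote to memory of 1248 4424 firefox.exe 80
PID 4424 wrote to memory of 1504 4424 firefox.exe 81
PID 4424 wrote to memory of 1504 4424 firefox.exe 81
PID 4424 wrote to memory of 5012 4424 firefox.exe 82
"""

# Constructed excerpt of the "Checks processor information in registry" rows,
# in the run-together form the extracted page uses.
REG_ROWS = (
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Update Revision firefox.exe "
    "Key opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 firefox.exe "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~Mhz firefox.exe"
)

# PID -> image, as listed in the report's process tree.
PROCESS_TREE = {2324: "powershell.exe", 1716: "notepad.exe", 4140: "firefox.exe",
                4424: "firefox.exe", 1248: "firefox.exe", 1504: "firefox.exe",
                5012: "firefox.exe", 4964: "firefox.exe", 4516: "firefox.exe"}
SAMPLE_PID = 2324  # the powershell.exe that ran file01.ps1

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# The key may contain spaces ("Update Revision"), so match lazily up to the image name.
REG_RE = re.compile(r"(Key value queried|Key opened)\s+(\\REGISTRY.*?)\s+([\w.-]+\.exe)(?=\s|$)")


def parse_wpm(text: str) -> Counter:
    """Collapse repeated rows into (writer_pid, target_pid, image) -> count."""
    return Counter((int(w), int(t), img) for w, t, img, _idx in WPM_RE.findall(text))


def parse_registry(text: str) -> List[Tuple[str, str, str]]:
    """(action, registry path, image) triples; these rows carry no PID."""
    return REG_RE.findall(text)


def parent_map(edges: Counter) -> Dict[int, int]:
    """Assumption: a write into another PID's memory is the sandbox's proxy for
    process creation (CreateProcess followed by WriteProcessMemory), so
    writer -> target is treated as parent -> child."""
    return {target: writer for (writer, target, _img) in edges}


def root_of(pid: int, parents: Dict[int, int]) -> int:
    """Follow parent links to the top of the tree; guards against cycles."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def pids_under(root: int, parents: Dict[int, int], tree: Dict[int, str] = PROCESS_TREE) -> Set[int]:
    return {pid for pid in tree if root_of(pid, parents) == root}


def registry_rows_attributable_to(root: int, rows: List[Tuple[str, str, str]],
                                  parents: Dict[int, int],
                                  tree: Dict[int, str] = PROCESS_TREE) -> List[Tuple[str, str, str]]:
    """Rows whose image matches at least one PID under `root`. Rows are
    image-only, so this is 'could belong to', not proof of attribution."""
    under = pids_under(root, parents, tree)
    out = []
    for action, key, image in rows:
        pids = {pid for pid, img in tree.items() if img == image}
        if pids & under:
            out.append((action, key, image))
    return out


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    parents = parent_map(edges)
    rows = parse_registry(REG_ROWS)
    print("processes under the sample:", sorted(pids_under(SAMPLE_PID, parents)))
    print("registry rows attributable to the sample:",
          len(registry_rows_attributable_to(SAMPLE_PID, rows, parents)))
    print("registry rows attributable to Firefox (4140):",
          len(registry_rows_attributable_to(4140, rows, parents)))
```

Run against the real tables the answer is the same as for the excerpt: the only process under PID 2324 is 2324 itself, so none of the registry or memory-write rows can be charged to the submitted script.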
Uses Task Scheduler COM API   1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
No IoC rows are attached to this signature and the process tree does not attribute it to any process, so the report does not say which process touched the Task Scheduler or what task, if any, was created.
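Added example, not from the report, which names no task, process or path for this signature. When it fires, the artifact to pull from the VM is the task definition XML that Task Scheduler writes under C:\Windows\System32\Tasks. The Python below parses a constructed task file (hypothetical; its trigger, principal and command are made up to look like a persistence attempt and are not recovered from this run) and flags what a responder looks for first: triggers that fire without user action, a SYSTEM or elevated principal, and an action that runs a script interpreter with policy bypass from a user-writable path. The indicator lists are the example's own heuristics.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (hypothetical, not taken from this run), in the
# XML form Task Scheduler stores under C:\Windows\System32\Tasks.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <CalendarTrigger>
      <StartBoundary>2024-05-04T06:25:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-ExecutionPolicy bypass -File C:\\Users\\Admin\\AppData\\Local\\Temp\\file01.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Example heuristics: triggers that re-run the task without a user starting it,
# interpreters commonly used for living-off-the-land, and locations any user can write to.
PERSISTENT_TRIGGERS = {"BootTrigger", "LogonTrigger", "RegistrationTrigger", "SessionStateChangeTrigger"}
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml_text: str) -> Dict:
    """Pull triggers, principal and Exec actions out of a task definition."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [local(t.tag) for t in trig]
    actions = [{"command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
                "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip()}
               for ex in root.findall("t:Actions/t:Exec", NS)]
    principal = root.find("t:Principals/t:Principal", NS)
    user = "" if principal is None else principal.findtext("t:UserId", default="", namespaces=NS)
    run_level = "" if principal is None else principal.findtext("t:RunLevel", default="", namespaces=NS)
    return {"triggers": triggers, "actions": actions, "user": user, "run_level": run_level}


def persistence_findings(task: Dict) -> List[str]:
    """Human-readable reasons this task deserves a closer look."""
    findings = []
    for trig in task["triggers"]:
        if trig in PERSISTENT_TRIGGERS:
            findings.append(f"trigger {trig}: task re-runs without user action")
    if task["user"] == "S-1-5-18":
        findings.append("runs as LocalSystem (S-1-5-18)")
    if task["run_level"] == "HighestAvailable":
        findings.append("requests highest available run level")
    for act in task["actions"]:
        cmd, args = act["command"].lower(), act["arguments"].lower()
        if cmd.endswith(INTERPRETERS):
            findings.append(f"action launches a script interpreter: {act['command']}")
        if "-executionpolicy bypass" in args or "-ep bypass" in args:
            findings.append("PowerShell execution policy bypass in arguments")
        if any(p in cmd or p in args for p in USER_WRITABLE):
            findings.append("command or arguments reference a user-writable path")
    return findings


if __name__ == "__main__":
    for line in persistence_findings(parse_task(SAMPLE_TASK_XML)):
        print("-", line)
```

On a live host the same parser runs over every file under C:\Windows\System32\Tasks (they are UTF-16 on disk, so open them with that encoding); the registry mirror under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache is the cross-check when a task file has been deleted but the cache entry remains.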
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   (PID 2324, depth 1)
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\notepad.exe   (PID 1716, depth 1)
    "C:\Windows\system32\notepad.exe"

C:\Program Files\Mozilla Firefox\firefox.exe   (PID 4140, depth 1)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe   (PID 4424, depth 2, child of 4140)
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe   (PID 1248, depth 3, gpu process)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.332289981\1675457701" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52e99201-a427-4869-a321-0099fde59249} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1796 272cb7d5758 gpu

        C:\Program Files\Mozilla Firefox\firefox.exe   (PID 1504, depth 3, socket process)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.7643128\554099899" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d4c3bf4-1695-451c-9a87-8b34e7981ebc} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2152 272c0570d58 socket
            - Checks processor information in registry

        C:\Program Files\Mozilla Firefox\firefox.exe   (PID 5012, depth 3, tab, childID 1)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.2030195509\1795321553" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f306ef-ff3f-44e6-af46-2fa7648a2561} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2824 272cb76b058 tab

        C:\Program Files\Mozilla Firefox\firefox.exe   (PID 4964, depth 3, tab, childID 2)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.1930277001\519820404" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cbc9a24-c030-48d2-a9e5-ee027ef43dab} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3492 272c052f958 tab

        C:\Program Files\Mozilla Firefox\firefox.exe   (PID 4516, depth 3, tab, childID 3)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.194903839\1191296928" -childID 3 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a58a9b-f1a5-4b9e-9e08-dde1c96e38de} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 4156 272d08df658 tab

powershell.exe, notepad.exe and the first firefox.exe are all depth-1 roots: the process that ran the submitted script spawned nothing, and neither notepad.exe nor the Firefox tree descends from it. Every signature in this report other than the three on PID 2324 belongs to Firefox.
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 7KB
  MD5:      c460716b62456449360b23cf5663f275
  SHA1:     06573a83d88286153066bae7062cc9300e567d92
  SHA256:   0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
  SHA512:   476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

(no path listed in the report; digests identical to the submitted sample)
  Filesize: 1B
  MD5:      c4ca4238a0b923820dcc509a6f75849b
  SHA1:     356a192b7913b04c54574d18c28d46e6395428ab
  SHA256:   6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512:   4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5:      85ba4108b26bbfff8e8f1a7a330caf85
  SHA1:     481953030af12ef6ba0f721c7a9fbe7fd16937bd
  SHA256:   0b237ee576738e0a2c2cc8ed7259d87689e528fbf0e99a2df11810ab64c18572
  SHA512:   9299648e0970483f33f883b3b9fcae9b980c1b0681ca791bf4e51814c40bd271e31706950c5b4de204fba3be992cc5513b1d092a3c046f8f5cdb0d571cbb0be5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\4b13f24e-e68d-44bc-8bc4-548738f8d93b
  Filesize: 746B
  MD5:      f3ad0c3d8ea0a865b418deb767d0e692
  SHA1:     09538fe84dca39616724875b6f8aa8ca9bee357a
  SHA256:   a6d3b314fa8085cac5c4b0aab0f0d344238ce0ab76af354c50fab97bf30a0e1d
  SHA512:   8ed2edac3c3732133fb16c28318d220890886b8b87a8ccfef7a7037a407cb24a396c0b8e749eb2eddcc06e9e633725f5aabb8413595cb33168c72d91275a2ba9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\d7ad5ff7-c0a0-445f-8a78-d55569bbb951
  Filesize: 11KB
  MD5:      570426a636f3945892fbbb9d1767c423
  SHA1:     8a4e0ce03becc68adb17ae3946636fe6d6a11358
  SHA256:   1affeff9a4e2f1ecc80f200ae6d41b7f733d76cfcc76dfb56b1b5bb8f72ef8a0
  SHA512:   7416025ca339d38f4feecbae364044b0ce52fd4853190fa090235df0c4bad971e0004355dbac66c399131977b25fcdb53ffe12c2872ee0f009b920c9caa8f67e

(no path listed in the report)
  Filesize: 6KB
  MD5:      49426c842f0039699f5189ea5fdcce46
  SHA1:     10524607929da68561b38e981dd8e211a82fb863
  SHA256:   b89d6fb5bff8b32c7bfeea2b7560bb977f92fceec44cf7b76943b6c04d2ed3be
  SHA512:   a9a6ae4229fed31fe3dffde053a4314c0eebd73ac7269889552d8fda7a7ea54c028ac1c64b90294a5d0a405e11b30d6d2e91651a09613da495f764ecba6140ef

(no path listed in the report)
  Filesize: 6KB
  MD5:      a927c00433145821feb98e1e50974f35
  SHA1:     7a7c016dafd81e11b3c6d4f0a68015a3b38034b8
  SHA256:   2eb96167fa1bb1243ca94cdc985f263f5dbabb5e0425a4365ee4cb27a5739d5a
  SHA512:   221fcf8beed794662021e01f06d23dfa60feec4ad95db872643b6c85961491461e804060a24a15c16024c340b15e888b50236d357de13e3b3b76fbb309ce983b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4
  Filesize: 886B
  MD5:      f93e7653db6f5a24794a7c3c19a2bd18
  SHA1:     483be1dab38e47371b2dbdd59f3967d2f00867ee
  SHA256:   ec0c363373d3c9a3ed1922a9fe849e520fafc982cfaa317794ea0db9a7ba1da8
  SHA512:   4e9ab939c73421c559d2305a7d3eba419bcfaf701786608a5f6f1002cadfedaea3eabb8c993a870a130cf266ff5c8b51431dd6650b4f2ea24478f6a8e44d5e59

Apart from the copy of the one-byte sample, every dropped file is a Firefox profile artifact (language pack, Glean telemetry database and pending pings, session store), consistent with the Firefox tree being the only activity in the run.