9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2

Resubmissions

07-05-2024 20:34

240507-zctt5shc99 5

07-05-2024 17:28

240507-v2hqysag33 10

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2.rar
Size

664KB
MD5

3a4f873789223eb401d926d968667abc
SHA1

50916ef357ed21411d87a6bb236a72c78d1498fe
SHA256

9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2
SHA512

8cbff38be7bcaa7440a4436bc19b94cf3ad5a21767732742a783671bb260c8efe1b770fd52a375ea46ffdeef83e058640ad061ccefd07c13acf7584c2fd77b76
SSDEEP

12288:torxUSm4IYHPE/7c3NhzkfLA7+EvgWQYUdHc7gDa0igowji4zPfZzUiJ3IX:utmQMGNqLg+SfUd3eDgo+tzEX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3912	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
6136	OpenWith.exe
6136	OpenWith.exe
6136	OpenWith.exe
6136	OpenWith.exe
6136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2304	3912	OpenWith.exe	115
PID 3912 wrote to memory of 2304	3912	OpenWith.exe	115
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 2304 wrote to memory of 3304	2304	firefox.exe	117
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 4412	3304	firefox.exe	118
PID 3304 wrote to memory of 1652	3304	firefox.exe	119
PID 3304 wrote to memory of 1652	3304	firefox.exe	119
PID 3304 wrote to memory of 1652	3304	firefox.exe	119
PID 3304 wrote to memory of 1652	3304	firefox.exe	119
PID 3304 wrote to memory of 1652	3304	firefox.exe	119
PID 3304 wrote to memory of 1652	3304	firefox.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2.rar
1⤵
- Modifies registry class
PID:1240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1852 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09757955-8d0f-4b38-ba40-db86c88a32d8} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" gpu
      4⤵
      PID:4412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ac3156-b764-4839-bc07-e7dcf1bcc647} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" socket
      4⤵
      PID:1652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 3124 -prefsLen 26518 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e8cd03-4c30-4374-8b98-cb4fb038f0c0} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
      4⤵
      PID:4752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 2 -isForBrowser -prefsHandle 3144 -prefMapHandle 3580 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04640eb6-2179-4e2b-99af-d0924337b13a} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
      4⤵
      PID:2068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5124 -prefMapHandle 5116 -prefsLen 30854 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7eac6a-c1fa-49fd-b501-a362aaa0d1e4} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" utility
      4⤵
      Checks processor information in registry
      PID:5144
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5468 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4da01cff-7ff4-4570-a1ff-de481e8971ce} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
      4⤵
      PID:5528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5648 -prefMapHandle 5520 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad56f2b5-fea6-45ad-b9ac-19edb67e2a55} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
      4⤵
      PID:5540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5908 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd8e56fc-a889-49ad-9fbb-a5f7f4d65326} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
      4⤵
      PID:5552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
50c0f6d4377342ee826291dec6766e27

SHA1
f6182cee5a612a8357ee84fe8143ab4486eb6036

SHA256
be4e2c22887565e6b7288a96154c6e0b1cc35d1441d153ed4439b2e94205241b

SHA512
6e921e7d1c55dc7524e61681e64749f562cdd2302340039976aade42984191d4187a49588eb0d31f5d25071f58ed7da2de8c637dbd8f2a9cbf8abfc4e4ac0416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
74e5649afefdafea89ecbebba0a14a58

SHA1
8a85c370ef550b31e912b7d1b9b97436e45116e2

SHA256
bbf6854b611e7010cf4f8fe31bb127a145d35ae054ebd06329e45b144e86434f

SHA512
2bba072f626d50df123e74595a902a0718579602ded3ae86235a96e4e64e6cee8a626cb5a002981361690335bba22aefd9bc0440b1d12b897b26a4080853816d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\3177e036-54e9-42c3-80cd-4b5d44cfd3bd

Filesize
25KB

MD5
13b7194b09818e509f3a2b166ca83371

SHA1
f843e308d03c6fb412b4f74bb1994a8cdbc0740d

SHA256
d07b287026bc51d682dc7e6b6bb8554cf6c91dfc3d2eec47dce336a8210171ff

SHA512
a2ccc59e256206380aeb1318555e6c654fea1656865dd89928cad1fdd5fe860807fc8cbe0c7d5923049177389cbc1b3d11938168564b8889603d0f6325eddff4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\8108a56d-9f45-4238-91fe-206e429bf6b4

Filesize
671B

MD5
1128f1d074492f86853c521da1b4922e

SHA1
d8bb98560c3e76602900e4a46ce6a0f6e7b195c6

SHA256
bf000b37515a7cbbc17dea75c3952f9318c04b733105770d000ed9eb86b476c7

SHA512
b947432621127effe42fe7c17fa603d7cd1c7b0662be77ba3b667ee0573f17479bc9109e4cd871b7e317ce8b2fda99d99af74e11d33624a63a6ceef5103437bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\e2280c1a-0977-4b13-821c-a1f983afb412

Filesize
982B

MD5
eac948cf50dd171d94946c61d6ca2d0e

SHA1
5b50b42203f611bda41ed6de73aa5e6eb62f4e6f

SHA256
7f5f17a42150f5bded290f44c34baee287d1751e30eb8f15228e26ab811281a8

SHA512
724d0bc327172097298ea07db2b9fabcef3a312d924c9772bcf744c725f62e1d4d9d9fda8c1c3cf8f52a632a8037092c38dfe58c404b9c084e1a0b573d9f73b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

Filesize
8KB

MD5
171d3be8bcc41aba3a938915d88177d9

SHA1
102a170b92bf3f3e2a5edd47ece8c72fcbd2bd15

SHA256
2bb65d297f16c8132705e516930249b45001d6899e50641268263469f6ea4ed4

SHA512
d5765f24240ee2d7b900e29dbf0eabaa73e2607535359a306c4fa190debc60ee2d40f60c433a3eaf616965adc65be892b682bdf134c3ea4dc01468d4ead759af

Download Submit
C:\Users\Admin\Downloads\hbcozyce.rar.part

Filesize
664KB

MD5
3a4f873789223eb401d926d968667abc

SHA1
50916ef357ed21411d87a6bb236a72c78d1498fe

SHA256
9566d114c21b49a11275b58e47c8d3ca416e31f3146dc06dd674f5537f2d54e2

SHA512
8cbff38be7bcaa7440a4436bc19b94cf3ad5a21767732742a783671bb260c8efe1b770fd52a375ea46ffdeef83e058640ad061ccefd07c13acf7584c2fd77b76

Download Submit