Analysis
-
max time kernel
37s -
max time network
35s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
09/05/2024, 05:27
General
-
Target
http://46.228.221.162/d/msdownload/update/software/uprl/2024/04/windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe?cacheHostOrigin=2.au.download.windowsupdate.com
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://46.228.221.162/d/msdownload/update/software/uprl/2024/04/windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe?cacheHostOrigin=2.au.download.windowsupdate.com"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://46.228.221.162/d/msdownload/update/software/uprl/2024/04/windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe?cacheHostOrigin=2.au.download.windowsupdate.com2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.0.2042891519\80104472" -parentBuildID 20230214051806 -prefsHandle 1796 -prefMapHandle 1788 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ad408c3-3e09-4f32-bd5b-2e1832ae9f98} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 1876 2227f908558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.1.524204305\1826887632" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {082dc248-2c7b-4e0f-8966-fa4fb86791b1} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 2420 22272b91058 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.2.218806107\1994052308" -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 2776 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 952 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33a72875-192d-412a-8b32-0f89fe249fed} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 3076 2220262d658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.3.1980884518\1721533009" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 952 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5bc3d25-fa9a-4eef-9bc1-3b0573e86f6a} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 3576 2220571a858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.4.893943972\673616589" -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5248 -prefsLen 27735 -prefMapSize 235121 -jsInitHandle 952 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5dba811-513d-4897-8b62-e344cf3992a9} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5296 222029e3458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.5.1975342326\1792136805" -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27735 -prefMapSize 235121 -jsInitHandle 952 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56d34ee2-2a12-4246-9770-a7968fe1dd2a} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5368 22208764658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.6.1727921346\1040458390" -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5492 -prefsLen 27735 -prefMapSize 235121 -jsInitHandle 952 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8c48996-4764-4bcc-a960-b19b92b92709} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5584 22208762858 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MRT.exe"C:\Windows\system32\MRT.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"C:\Users\Admin\Downloads\windows-kb890830-x64-v5.123_12cbe1571c83eb7c16bfdfde1426dff713619670.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD51c9298ede442602ce6ccb344bab95206
SHA11c69d4e001983585f8a84bdcfb92a9908246a492
SHA256647c50fcdb498d6cca1e9573ad1edcdf9bfd2c15fb9a44bca9a242c44da6c186
SHA5120a0388930ce1f397ecebdee160cb95bf6df0fbc7acdc53e7ce2559adbebf6b861d0a87eab4c8b4469ec023c30b0cb514a3d070abe5958714465281d20d27d204
-
Filesize
7KB
MD5c0ec4edf6a690704303816798ccb4119
SHA1bf3160b43682494e9c12c722cd017d0944a98b00
SHA256cc3ba085a1aa523347430d291075c444f9c18637a51dbe39123bc8fec1f5a435
SHA5123c1967f4def00cbaaf52439caa02defffb7ecf794d3e70e976e5bbc47a98197e1180a503715d8e7a7f35d276e8a253f3eb22f7fda28d8b3f9029a69e9114704a
-
Filesize
6KB
MD572c337bbc436365ce74509f4158f932d
SHA135fbee3f15b8d4238d518b14fcb6d8ed14f3ff68
SHA25688e7a20172188065de17b6e2c252b3cdbf8daece77ad575a4d2b005a91ca9705
SHA512e8eba6aa79b23835e4a1ef58deee10815439efd725482de13b30b1357cc069aace859f588f5b676b756f95db85ee20715e0818b8e889014af8145b830dc4c883
-
Filesize
6KB
MD55a9b75869a97cc1fa04ea8891766a20b
SHA1b205ccb11b4dc947256773fde407825977fbdb5f
SHA256e22f8b80c79506c5bfbc92d90c81a4b87395196229aa73b09deea932e02724cb
SHA5126b6398eaaed8a9fdc7309890d9dfe2ac100903be89349a561391cf8c670ea5529b8b26a1b786b645d5c52689f4a3672e4717d42dbc706b585f2da79270f17413
-
Filesize
1KB
MD55a8921d56f7dd32fcfd108f016e37bf4
SHA11c318d4b3fa7ff29b44c2788cd4dd8149d215b19
SHA2565d7b5d33336290b0cf14b03070c455416a230d74a68e0612463719e580262a15
SHA5128431d1abd6c1763e03680622f30a5918fb5b47a22348a76f0342b3cf10f72833a7d216c89027b12004495f59ecf8284ead802be6bfe3c161d02c9c8f34aa5d2c
-
Filesize
18.6MB
MD5348432b32a3cdd1f2f727f8f66f78107
SHA14d9a137b73548672bf871ddf8fe062d401064f53
SHA25694e37aa3d76eaa7a9eb5aad793d77025ec34ef47cc2f52e7dba8d966705f9639
SHA5121857c2a0a1c29cee470004f3795e87d0016f970a243e939291e45fcffc7df595b8e05bf4f8a846d97ebd537597f0b46fcd2cc50752a056bbaab01fa47b1f7801
-
Filesize
607KB
MD5a0c4ac6378ce0313955dccfd2d9208a6
SHA17ee2f0f3bf4504f4f7bbc63cb5fa883711c13801
SHA256abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1
SHA51272ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5
-
Filesize
5.1MB
-
Filesize
3.5MB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
300KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB