Analysis
max time kernel: 145s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25/05/2024, 22:03
Static task: static1

Behavioral tasks (task | sample | resource):
behavioral1 | tor-browser-windows-x86_64-portable-13.0.15.exe | win11-20240426-en
behavioral2 | $PLUGINSDIR/LangDLL.dll | win11-20240426-en
behavioral3 | $PLUGINSDIR/System.dll | win11-20240426-en
behavioral4 | $PLUGINSDIR/nsDialogs.dll | win11-20240508-en
behavioral5 | Browser/AccessibleMarshal.dll | win11-20240508-en
behavioral6 | Browser/TorBrowser/Tor/PluggableTransports/conjure-client.exe | win11-20240426-en
behavioral7 | Browser/TorBrowser/Tor/PluggableTransports/lyrebird.exe | win11-20240508-en
behavioral8 | Browser/TorBrowser/Tor/PluggableTransports/snowflake-client.exe | win11-20240426-en
behavioral9 | Browser/TorBrowser/Tor/PluggableTransports/webtunnel-client.exe | win11-20240426-en
behavioral10 | Browser/TorBrowser/Tor/tor.exe | win11-20240426-en
behavioral11 | chrome/browser/content/browser/migration/migration-dialog-window.html | win11-20240508-en
behavioral12 | chrome/browser/content/browser/migration/migration-dialog-window.js | win11-20240508-en
behavioral13 | Browser/d3dcompiler_47.dll | win11-20240508-en
behavioral14 | Browser/defaults/pref/channel-prefs.js | win11-20240426-en
behavioral15 | Browser/firefox.exe | win11-20240508-en
behavioral16 | Browser/fonts/NotoSansNKo-Regular.ps1 | win11-20240508-en
behavioral17 | Browser/freebl3.dll | win11-20240426-en
behavioral18 | Browser/ipcclientcerts.dll | win11-20240426-en
behavioral19 | Browser/lgpllibs.dll | win11-20240426-en
behavioral20 | Browser/libEGL.dll | win11-20240419-en
behavioral21 | Browser/libGLESv2.dll | win11-20240426-en
behavioral22 | Browser/mozavcodec.dll | win11-20240419-en
behavioral23 | Browser/mozavutil.dll | win11-20240508-en
behavioral24 | Browser/mozglue.dll | win11-20240426-en
behavioral25 | Browser/nss3.dll | win11-20240508-en
behavioral26 | Browser/nssckbi.dll | win11-20240426-en
behavioral27 | Browser/osclientcerts.dll | win11-20240508-en
behavioral28 | Browser/plugin-container.exe | win11-20240426-en
behavioral29 | Browser/qipcap64.dll | win11-20240426-en
behavioral30 | Browser/softokn3.dll | win11-20240426-en
behavioral31 | Browser/updater.exe | win11-20240508-en
behavioral32 | Browser/xul.dll | win11-20240508-en
General
Target: Browser/firefox.exe
Size: 1.7MB
MD5: 1415ff2562e8a4c595e99ff713a1ba38
SHA1: 0286f612a5572ec221e456ec145149078930c76a
SHA256: 18324f12f6e5858900e764340a24cf1f86b78041db68f3da062b9bca8ce6c7a8
SHA512: 4dc261ba9bb6476eedf0c050bbfc20f5a46d080dbe35665b0d9230608b0c08115e6d251de741e87d83cf4ab4304d59e3f2328af71196443f3b967d4492d8dc64
SSDEEP: 24576:M7iOs4gKM8fqEneVGii3OwaJpORKTCRa:MOOs4/qEneVGdyAwE
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  3520 | tor.exe

Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | firefox.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3916 | firefox.exe
  Token: SeDebugPrivilege | 3916 | firefox.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  3916 | firefox.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3916 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3796 wrote to memory of 3916 | 3796 | firefox.exe | 80
  PID 3916 wrote to memory of 1684 | 3916 | firefox.exe | 81
  PID 3916 wrote to memory of 2668 | 3916 | firefox.exe | 82
  (The report repeats each of these rows many times, 64 rows in total; every write is from a firefox.exe process into a child it spawned, see the Processes section.)
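The WriteProcessMemory table above lists 64 cross-process writes but only three distinct writer/target pairs, all of them a firefox.exe parent writing into a child it had just started. As an added example (not part of the sandbox report or of its tooling), the Python below parses that flattened row format, aggregates it per writer/target pair, and checks each target against the parent/child relationships listed in the Processes section: a parent writing into its own child is the pattern this report shows for firefox.exe's content processes, whereas a write into a process that is not the writer's child, or into a child running a different image, is what a triager would want to look at. The IoC string is shortened from the report's (the report repeats each row), the process tuples are transcribed from the Processes section, and the function names and the third heuristic are mine.

```python
"""Cross-check a sandbox report's WriteProcessMemory IoCs against its process tree."""
import re
from collections import Counter

# Flattened IoC text in the shape the report uses:
#   "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
# Shortened from the report, which repeats each row (64 rows in total for the
# three writer/target pairs below).
WPM_IOCS = (
    "description pid Process procid_target "
    "PID 3796 wrote to memory of 3916 3796 firefox.exe 80 "
    "PID 3796 wrote to memory of 3916 3796 firefox.exe 80 "
    "PID 3916 wrote to memory of 1684 3916 firefox.exe 81 "
    "PID 3916 wrote to memory of 1684 3916 firefox.exe 81 "
    "PID 3916 wrote to memory of 2668 3916 firefox.exe 82"
)

# (pid, parent pid, image) transcribed from the report's Processes section.
PROCESS_TREE = [
    (3796, None, "firefox.exe"),
    (3916, 3796, "firefox.exe"),
    (1684, 3916, "firefox.exe"),  # -contentproc ... gpu
    (2668, 3916, "firefox.exe"),  # -contentproc ... tab (childID 1)
    (3520, 3916, "tor.exe"),
    (1376, 3916, "firefox.exe"),  # tab (childID 2)
    (4972, 3916, "firefox.exe"),  # tab (childID 3)
    (1368, 3916, "firefox.exe"),  # rdd
    (2672, 3916, "firefox.exe"),  # tab (childID 4)
    (3788, 3916, "firefox.exe"),  # tab (childID 5)
    (1184, 3916, "firefox.exe"),  # tab (childID 6)
]

WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_image) tuple per IoC row."""
    rows = []
    for writer, target, pid_col, image, _procid_target in WPM_ROW.findall(text):
        if writer != pid_col:  # both PID columns name the writer in a well-formed row
            raise ValueError(f"inconsistent row: writer {writer} vs pid column {pid_col}")
        rows.append((int(writer), int(target), image))
    return rows


def check_writes(rows, tree):
    """Aggregate writes per (writer, target) and flag pairs that do not fit the tree.

    Flags a target that is absent from the tree, a target whose parent is not the
    writer, and (my own heuristic) a child that runs a different image than the
    writer, e.g. firefox.exe writing into tor.exe. None of these occur in this report.
    """
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    image_of = {pid: image for pid, _, image in tree}
    pairs = Counter((writer, target) for writer, target, _ in rows)
    anomalies = []
    for (writer, target), count in sorted(pairs.items()):
        if target not in parent_of:
            anomalies.append((writer, target, count, "target not in process tree"))
        elif parent_of[target] != writer:
            anomalies.append((writer, target, count,
                              f"target's parent is {parent_of[target]}, not the writer"))
        elif image_of[target] != image_of.get(writer):
            anomalies.append((writer, target, count,
                              f"write into a child running {image_of[target]}"))
    return pairs, anomalies


if __name__ == "__main__":
    pairs, anomalies = check_writes(parse_wpm(WPM_IOCS), PROCESS_TREE)
    for (writer, target), count in sorted(pairs.items()):
        print(f"{writer} -> {target}: {count} write(s)")
    print("anomalies:", anomalies or "none")
```

Run against the full 64-row table the result is the same three pairs with no anomalies; a row such as `PID 3916 wrote to memory of 3796 ...` (child writing into its parent) or a target PID that never appears in the tree is what the check is there to surface.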
Processes
1  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 3796)
   cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe"
   - Suspicious use of WriteProcessMemory

  2  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 3916)
     cmd: C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
     - Checks whether UAC is enabled
     - Checks processor information in registry
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 1684)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.0.1631249123\1487568922" -parentBuildID 20240510150000 -prefsHandle 2312 -prefMapHandle 2160 -prefsLen 19246 -prefMapSize 243824 -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {c33ed8c6-3a3b-4d95-9884-e907bd2df4ac} 3916 gpu

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 2668)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.1.318879471\1879080826" -childID 1 -isForBrowser -prefsHandle 1668 -prefMapHandle 1852 -prefsLen 20081 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {069167b2-69dd-49ee-852b-d46b72711c4b} 3916 tab

    3  C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe  (PID 3520)
       cmd: C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe --defaults-torrc C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc-defaults -f C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc DataDirectory C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor ClientOnionAuthDir C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\onion-auth GeoIPFile C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip GeoIPv6File C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip6 +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:510b100a45000e91609f8498f1f4e5a89eeb848ac0e7d27736aa093c3c +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3916 DisableNetwork 1
       - Executes dropped EXE

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 1376)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.2.2130457654\1312317537" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 20897 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {cd90360e-fdb6-4993-93d9-eeddc0986df3} 3916 tab

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 4972)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.3.53409278\224759922" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3652 -prefsLen 20974 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {f9d99280-a86b-4160-923f-7e18e970600d} 3916 tab

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 1368)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.4.1413823346\437713956" -parentBuildID 20240510150000 -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 24113 -prefMapSize 243824 -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {42db61b8-f1af-47d6-815e-f0689a65f0b7} 3916 rdd

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 2672)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.5.1595948434\542238547" -childID 4 -isForBrowser -prefsHandle 2932 -prefMapHandle 4164 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {1c59cf77-e38e-4141-be20-4b10b5ab08c9} 3916 tab

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 3788)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.6.1887609612\652937032" -childID 5 -isForBrowser -prefsHandle 2872 -prefMapHandle 2860 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {ace222e6-1a75-4b3a-ac00-246f2e023f64} 3916 tab

    3  C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe  (PID 1184)
       cmd: "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.7.1264688062\1148788858" -childID 6 -isForBrowser -prefsHandle 4360 -prefMapHandle 4356 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {fda15517-ed0e-4511-b0b9-528b9df0f36e} 3916 tab
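The tor.exe command line recorded above is the most information-dense line in the report: it mixes real command-line flags (`--defaults-torrc`, `-f`) with torrc options passed as bare `Name value` pairs, some carrying a `+` prefix (append to the value from the torrc files rather than replace it) or a `__` prefix (an option tor will not write back with SAVECONF), and it exposes the control-port password hash. As an added example (not part of the sandbox report or of Tor Browser), the Python below tokenizes that line, parses the options, decodes the `16:` HashedControlPassword into its salt, coded-count byte and SHA-1 digest, and reimplements the iterated S2K that tor uses so that a candidate password can be checked against such a hash. The command line is transcribed from the report; every function name is mine, and the S2K routine is my implementation of the scheme (RFC 2440 iterated-salted S2K with tor's EXPBIAS of 6), not tor's own code.

```python
"""Parse the tor.exe command line from this report and decode its HashedControlPassword.

Added example; the TOR_CMDLINE string is transcribed from the report's Processes
section, everything else is new. The "16:" hash format is: 8-byte salt, one
coded-count byte (0x60 for tor), 20-byte SHA-1 of the salt+secret repeated until
(16 + (c & 15)) << ((c >> 4) + 6) bytes have been hashed.
"""
import hashlib
import hmac
import os

TOR_CMDLINE = " ".join([
    r'C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe',
    r'--defaults-torrc C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc-defaults',
    r'-f C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc',
    r'DataDirectory C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor',
    r'ClientOnionAuthDir C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\onion-auth',
    r'GeoIPFile C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip',
    r'GeoIPv6File C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip6',
    r'+__ControlPort 127.0.0.1:9151',
    r'HashedControlPassword 16:510b100a45000e91609f8498f1f4e5a89eeb848ac0e7d27736aa093c3c',
    r'+__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth"',
    r'__OwningControllerProcess 3916',
    r'DisableNetwork 1',
])


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs (the SocksPort value) as one token."""
    tokens, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_tor_cmdline(cmdline):
    """Return ({option: value}, set of options given with a '+' append prefix).

    Leading dashes are stripped so '--defaults-torrc' and '-f' become plain keys;
    the '__' prefix is kept because it is part of the option's meaning.
    """
    tokens = tokenize(cmdline)
    options, appended = {}, set()
    i = 1  # skip the executable path
    while i + 1 < len(tokens):
        name, value = tokens[i], tokens[i + 1]
        if name.startswith("+"):
            name = name[1:]
            appended.add(name)
        options[name.lstrip("-")] = value
        i += 2
    return options, appended


def parse_hashed_control_password(value):
    """Split a '16:<hex>' value into (salt, coded_count_byte, sha1_digest)."""
    if not value.startswith("16:"):
        raise ValueError("only the 16: (RFC 2440 S2K) format is supported")
    raw = bytes.fromhex(value[3:])
    if len(raw) != 8 + 1 + 20:
        raise ValueError(f"expected 29 bytes, got {len(raw)}")
    return raw[:8], raw[8], raw[9:]


def s2k_input_bytes(c):
    """Total bytes fed to SHA-1 for coded-count byte c (tor's EXPBIAS is 6)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_rfc2440(secret, salt, c):
    """Iterated-salted S2K as tor applies it: hash salt+secret repeated to the byte count."""
    count = s2k_input_bytes(c)
    block = salt + secret
    h = hashlib.sha1()
    while count > 0:
        chunk = block[:count]
        h.update(chunk)
        count -= len(chunk)
    return h.digest()


def verify_control_password(candidate, hashed_value):
    """True if candidate (str) hashes to hashed_value under its embedded salt and count."""
    salt, c, digest = parse_hashed_control_password(hashed_value)
    return hmac.compare_digest(s2k_rfc2440(candidate.encode(), salt, c), digest)


def hash_control_password(password, salt=None):
    """Produce a '16:' value for password with a random (or given) 8-byte salt and c=0x60."""
    salt = os.urandom(8) if salt is None else salt
    c = 0x60
    return "16:" + (salt + bytes([c]) + s2k_rfc2440(password.encode(), salt, c)).hex()


if __name__ == "__main__":
    options, appended = parse_tor_cmdline(TOR_CMDLINE)
    salt, c, digest = parse_hashed_control_password(options["HashedControlPassword"])
    print("options:", sorted(options))
    print("appended (+):", sorted(appended))
    print(f"salt={salt.hex()} c=0x{c:02x} bytes hashed={s2k_input_bytes(c)} digest={digest.hex()}")
```

Reading the parsed options against the report: `DisableNetwork 1` means tor came up without touching the network until the controller enables it, `__OwningControllerProcess 3916` ties the tor process to the firefox.exe parent in the tree, and the `__ControlPort`/`__SocksPort` values are appended to whatever torrc-defaults and torrc already set. The hash on the command line is visible to any local process that can read command lines; with c=0x60 each guess costs one SHA-1 over 64 KiB, so a short static password would be a cheap dictionary target, which is why a launcher that generates a fresh random password per start and keeps the clear text only in the controller is the right design.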
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
  Filesize: 182B
  MD5: c58234a092f9d899f0a623e28a4ab9db
  SHA1: 7398261b70453661c8b84df12e2bde7cbc07474b
  SHA256: eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c
  SHA512: ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd
-
(path not shown in the report)
  Filesize: 27KB
  MD5: 14d88504273f8836e75a665133af2e11
  SHA1: 62c38047463db5a0bfb20ab4e0a8bb139b44e48d
  SHA256: 8b81f64ae5b7bc31e3d73f09dcc5bdb6b51b81bf3fc2543439b181eb2a574392
  SHA512: 8ff9218dec18a954817dbeadb7ec0462c6d46e96dcd0bc90856dd49c478e01579c814c7848272b46e0c80a23a4582d4a6513155e7dc2636f8c61c86af59e4777
-
(path not shown in the report)
  Filesize: 5KB
  MD5: 34cf753d2547cc7b4829c95546314d8a
  SHA1: 1719a1d8b3f4e7f267133131f3f2c314bcbc951c
  SHA256: 6f4b10dc169edef472f6305202f815653fdd56aece9aa1afcd039a69e5626316
  SHA512: 115eaec90ecb19acd1d62af10228b71162cb445a51500b9eb3967bdb5e506d636f436ff6d6376b526076c0d10df15a81b4e82235ebce3cd0322d1f94cc8e4300
-
(path not shown in the report)
  Filesize: 5KB
  MD5: 65f5981cb41f4306bb9d68c4d51e322a
  SHA1: b4cfb0972ce4919c3701b00d5bab276d48caf13f
  SHA256: ae1f710b853c63b385e507b4c0b45aeb85c8fd298a1852dce62cecb468ff04bd
  SHA512: a1c9cce23e202a2b3891b8693be261373dea5732d2ec84a901724ed9ebd0285f55c0b82cfae239f9776cb05149e8e09707860cad2f3cd11016d94b3243089ba1
-
(path not shown in the report)
  Filesize: 1KB
  MD5: 213ca6a0a157dbafd2e557512e219851
  SHA1: 6409fac97042a7daabb3c14127dc34d01489d6a5
  SHA256: 7031b84e0b47bf190103de20ea1c4253a731246faf13ae92745debd993ec447c
  SHA512: 2619452043690e00a9150fd3c572ac1573a88fa304db8ef3e145686361bf96163aed7007f010ba5312eadc81f3776e111f28d6d940cbd8c908b7d8efdc5abb8f
-
(path not shown in the report)
  Filesize: 5KB
  MD5: 96c5cbf45b3c744965d6d615e698816a
  SHA1: 17df0b8510897e1f966396fe8a764de307c706e5
  SHA256: 18fbca53caa33794ca9432ac6d5fa2d8a702dcedd2de411074e3755eec55822c
  SHA512: d8b794160e175d8ee581dd60734c187bc0c1c1cdb4ec7a413bd007ea867ad8d124d4c99ec0592619c9637bbad1a116ba4086edae9846242ba3bb23c5145415bc
-
C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 160KB
  MD5: 1c2009b24b385892b3713117f36c86e0
  SHA1: 88b064b81741c54f557b3b011bce1d80c9646478
  SHA256: c41d58df00bb2c3b21f61365c8e19be9ea81ddd0d8a2026b20723afea81d5989
  SHA512: 074246f0a8709cc9b856f5f4e3c3326d9c8e8a6868812e84c93c7d162ea55e8e1f1e3116c9d358fdbe598e22f28967b9cb72bf8aee18adb5214dc01202c51acd
-
(path not shown in the report)
  Filesize: 8.6MB
  MD5: 47539d0337e97e22a728afc2638d461f
  SHA1: d97b37079543b33b9b605c787945f809aed66fd6
  SHA256: 262e52c5bbaa9bcd2dfcb4cf7da83a1efa95ebd0299f82031ad31a6ab19405a5
  SHA512: 3810ebe80173d41785a42459fc5c4a8a31e56294f2c03fe99416925a34d242b88023565057201c9b6dcbdb97c8396d8305a723c0e31bb5b560b031b299672d4a