Analysis

  • max time kernel
    145s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25/05/2024, 22:03

General

  • Target

    Browser/firefox.exe

  • Size

    1.7MB

  • MD5

    1415ff2562e8a4c595e99ff713a1ba38

  • SHA1

    0286f612a5572ec221e456ec145149078930c76a

  • SHA256

    18324f12f6e5858900e764340a24cf1f86b78041db68f3da062b9bca8ce6c7a8

  • SHA512

    4dc261ba9bb6476eedf0c050bbfc20f5a46d080dbe35665b0d9230608b0c08115e6d251de741e87d83cf4ab4304d59e3f2328af71196443f3b967d4492d8dc64

  • SSDEEP

    24576:M7iOs4gKM8fqEneVGii3OwaJpORKTCRa:MOOs4/qEneVGdyAwE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
    "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
      C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
      2⤵
      • Checks whether UAC is enabled
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
        "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.0.1631249123\1487568922" -parentBuildID 20240510150000 -prefsHandle 2312 -prefMapHandle 2160 -prefsLen 19246 -prefMapSize 243824 -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {c33ed8c6-3a3b-4d95-9884-e907bd2df4ac} 3916 gpu
        3⤵
          PID:1684
        • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
          "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.1.318879471\1879080826" -childID 1 -isForBrowser -prefsHandle 1668 -prefMapHandle 1852 -prefsLen 20081 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {069167b2-69dd-49ee-852b-d46b72711c4b} 3916 tab
          3⤵
            PID:2668
          • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe
            C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe --defaults-torrc C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc-defaults -f C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\torrc DataDirectory C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor ClientOnionAuthDir C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\onion-auth GeoIPFile C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip GeoIPv6File C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Tor\geoip6 +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:510b100a45000e91609f8498f1f4e5a89eeb848ac0e7d27736aa093c3c +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 3916 DisableNetwork 1
            3⤵
            • Executes dropped EXE
            PID:3520
          • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
            "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.2.2130457654\1312317537" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 20897 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {cd90360e-fdb6-4993-93d9-eeddc0986df3} 3916 tab
            3⤵
              PID:1376
            • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
              "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.3.53409278\224759922" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3652 -prefsLen 20974 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {f9d99280-a86b-4160-923f-7e18e970600d} 3916 tab
              3⤵
                PID:4972
              • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
                "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.4.1413823346\437713956" -parentBuildID 20240510150000 -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 24113 -prefMapSize 243824 -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {42db61b8-f1af-47d6-815e-f0689a65f0b7} 3916 rdd
                3⤵
                  PID:1368
                • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
                  "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.5.1595948434\542238547" -childID 4 -isForBrowser -prefsHandle 2932 -prefMapHandle 4164 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {1c59cf77-e38e-4141-be20-4b10b5ab08c9} 3916 tab
                  3⤵
                    PID:2672
                  • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
                    "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.6.1887609612\652937032" -childID 5 -isForBrowser -prefsHandle 2872 -prefMapHandle 2860 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {ace222e6-1a75-4b3a-ac00-246f2e023f64} 3916 tab
                    3⤵
                      PID:3788
                    • C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe
                      "C:\Users\Admin\AppData\Local\Temp\Browser\firefox.exe" -contentproc --channel="3916.7.1264688062\1148788858" -childID 6 -isForBrowser -prefsHandle 4360 -prefMapHandle 4356 -prefsLen 22426 -prefMapSize 243824 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\AppData\Local\Temp\Browser\browser" - {fda15517-ed0e-4511-b0b9-528b9df0f36e} 3916 tab
                      3⤵
                        PID:1184

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

                          Filesize

                          182B

                          MD5

                          c58234a092f9d899f0a623e28a4ab9db

                          SHA1

                          7398261b70453661c8b84df12e2bde7cbc07474b

                          SHA256

                          eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

                          SHA512

                          ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

                          Filesize

                          27KB

                          MD5

                          14d88504273f8836e75a665133af2e11

                          SHA1

                          62c38047463db5a0bfb20ab4e0a8bb139b44e48d

                          SHA256

                          8b81f64ae5b7bc31e3d73f09dcc5bdb6b51b81bf3fc2543439b181eb2a574392

                          SHA512

                          8ff9218dec18a954817dbeadb7ec0462c6d46e96dcd0bc90856dd49c478e01579c814c7848272b46e0c80a23a4582d4a6513155e7dc2636f8c61c86af59e4777

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

                          Filesize

                          5KB

                          MD5

                          34cf753d2547cc7b4829c95546314d8a

                          SHA1

                          1719a1d8b3f4e7f267133131f3f2c314bcbc951c

                          SHA256

                          6f4b10dc169edef472f6305202f815653fdd56aece9aa1afcd039a69e5626316

                          SHA512

                          115eaec90ecb19acd1d62af10228b71162cb445a51500b9eb3967bdb5e506d636f436ff6d6376b526076c0d10df15a81b4e82235ebce3cd0322d1f94cc8e4300

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

                          Filesize

                          5KB

                          MD5

                          65f5981cb41f4306bb9d68c4d51e322a

                          SHA1

                          b4cfb0972ce4919c3701b00d5bab276d48caf13f

                          SHA256

                          ae1f710b853c63b385e507b4c0b45aeb85c8fd298a1852dce62cecb468ff04bd

                          SHA512

                          a1c9cce23e202a2b3891b8693be261373dea5732d2ec84a901724ed9ebd0285f55c0b82cfae239f9776cb05149e8e09707860cad2f3cd11016d94b3243089ba1

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

                          Filesize

                          1KB

                          MD5

                          213ca6a0a157dbafd2e557512e219851

                          SHA1

                          6409fac97042a7daabb3c14127dc34d01489d6a5

                          SHA256

                          7031b84e0b47bf190103de20ea1c4253a731246faf13ae92745debd993ec447c

                          SHA512

                          2619452043690e00a9150fd3c572ac1573a88fa304db8ef3e145686361bf96163aed7007f010ba5312eadc81f3776e111f28d6d940cbd8c908b7d8efdc5abb8f

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

                          Filesize

                          5KB

                          MD5

                          96c5cbf45b3c744965d6d615e698816a

                          SHA1

                          17df0b8510897e1f966396fe8a764de307c706e5

                          SHA256

                          18fbca53caa33794ca9432ac6d5fa2d8a702dcedd2de411074e3755eec55822c

                          SHA512

                          d8b794160e175d8ee581dd60734c187bc0c1c1cdb4ec7a413bd007ea867ad8d124d4c99ec0592619c9637bbad1a116ba4086edae9846242ba3bb23c5145415bc

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                          Filesize

                          160KB

                          MD5

                          1c2009b24b385892b3713117f36c86e0

                          SHA1

                          88b064b81741c54f557b3b011bce1d80c9646478

                          SHA256

                          c41d58df00bb2c3b21f61365c8e19be9ea81ddd0d8a2026b20723afea81d5989

                          SHA512

                          074246f0a8709cc9b856f5f4e3c3326d9c8e8a6868812e84c93c7d162ea55e8e1f1e3116c9d358fdbe598e22f28967b9cb72bf8aee18adb5214dc01202c51acd

                        • C:\Users\Admin\AppData\Local\Temp\Browser\TorBrowser\Tor\tor.exe

                          Filesize

                          8.6MB

                          MD5

                          47539d0337e97e22a728afc2638d461f

                          SHA1

                          d97b37079543b33b9b605c787945f809aed66fd6

                          SHA256

                          262e52c5bbaa9bcd2dfcb4cf7da83a1efa95ebd0299f82031ad31a6ab19405a5

                          SHA512

                          3810ebe80173d41785a42459fc5c4a8a31e56294f2c03fe99416925a34d242b88023565057201c9b6dcbdb97c8396d8305a723c0e31bb5b560b031b299672d4a

                        • memory/1184-248-0x000001720F730000-0x000001720F731000-memory.dmp

                          Filesize

                          4KB

                        • memory/1184-286-0x000001720F6F0000-0x000001720F719000-memory.dmp

                          Filesize

                          164KB

                        • memory/1376-87-0x0000012658400000-0x0000012658401000-memory.dmp

                          Filesize

                          4KB

                        • memory/1376-279-0x00000126582B0000-0x00000126582D9000-memory.dmp

                          Filesize

                          164KB

                        • memory/2668-217-0x000002581AC50000-0x000002581AC79000-memory.dmp

                          Filesize

                          164KB

                        • memory/2668-74-0x000002581AC80000-0x000002581AC81000-memory.dmp

                          Filesize

                          4KB

                        • memory/2668-73-0x00007FFF33610000-0x00007FFF33611000-memory.dmp

                          Filesize

                          4KB

                        • memory/2672-234-0x000001CD72900000-0x000001CD72901000-memory.dmp

                          Filesize

                          4KB

                        • memory/2672-284-0x000001CD728D0000-0x000001CD728F9000-memory.dmp

                          Filesize

                          164KB

                        • memory/3788-238-0x00000120009D0000-0x00000120009D1000-memory.dmp

                          Filesize

                          4KB

                        • memory/3788-285-0x00000120008A0000-0x00000120008C9000-memory.dmp

                          Filesize

                          164KB

                        • memory/3916-230-0x00000205922B0000-0x00000205922C0000-memory.dmp

                          Filesize

                          64KB

                        • memory/3916-80-0x00000205957A0000-0x00000205957B0000-memory.dmp

                          Filesize

                          64KB

                        • memory/4972-280-0x0000021ADD2A0000-0x0000021ADD2C9000-memory.dmp

                          Filesize

                          164KB

                        • memory/4972-99-0x0000021ADD2D0000-0x0000021ADD2D1000-memory.dmp

                          Filesize

                          4KB