Analysis

  • max time kernel
    128s
  • max time network
    128s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/06/2024, 20:03

General

  • Target

    http://google.com

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "http://google.com"
    1⤵
    PID:2960
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:592
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4548
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5068
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3876
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3720
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5300
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5364
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.0.602265243\1606497059" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddcfc0d-1ecf-4a17-86bc-f9a1c7b25ae4} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 1796 2317efbae58 gpu
        3⤵
        PID:5536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.1.1287286891\1733761539" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42cd7c2b-0047-4cb9-ab74-ab92f72520c6} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 2136 2316cb70a58 socket
        3⤵
        PID:5604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.2.352719608\1914139912" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2916 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {982deec6-7f51-4635-906e-9920ec4d89f4} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 2972 2310309e858 tab
        3⤵
        PID:5932
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.3.915440285\782378991" -childID 2 -isForBrowser -prefsHandle 3112 -prefMapHandle 3044 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {652d516b-e46c-48af-bd35-63996ef28c28} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 1244 23103d46e58 tab
        3⤵
        PID:6036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.4.1464550254\1139732676" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4380 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e229cb1-9a63-4c27-8b57-ca1180172826} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 4396 23105124a58 tab
        3⤵
        PID:1460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.5.1205623688\1146253311" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4972 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71adef4-4aeb-4f69-a53f-46574f1d3df5} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 4984 231054c8c58 tab
        3⤵
        PID:1184
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.6.1184326745\1111144559" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5036 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b793433-fc45-4862-ac76-f6aa59f81ce2} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5024 231054c6258 tab
        3⤵
        PID:3536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.7.499875159\552155889" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6432c71d-997b-4d5f-ad2d-1ed8a0fae7ac} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5248 231061fc558 tab
        3⤵
        PID:5136
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5364.8.1001848602\1429355299" -childID 7 -isForBrowser -prefsHandle 5580 -prefMapHandle 5592 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bed01a8b-0134-4979-9a3c-29a715bf2531} 5364 "\\.\pipe\gecko-crash-server-pipe.5364" 5596 23107151358 tab
        3⤵
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\83E9220200E1571B8A9D3BD22F093A31723DBB86
    Filesize: 215KB
    MD5: 20db472f05547bbd4c05ee88f3d4ae23
    SHA1: 8124558c976992514503ba149137c09214b5ec13
    SHA256: 4c1dae1761f31f3403b72f4fca7344087d6900fd19e13e92c75347972ee70c98
    SHA512: 671c378672329242bd6e3b0a6abb882896a04ce865156956f312e29d2dd14ececd42e3cd85f6045afe4c62fae609ef2663f8943cf7ff462eb921f474b3294be7
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\89S7I2E8\favicon[1].ico
    Filesize: 5KB
    MD5: f3418a443e7d841097c714d69ec4bcb8
    SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
    SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
    SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF14E4C85B2B31A949.TMP
    Filesize: 16KB
    MD5: 16e9ac5a58ec8ba463a37104faa0addf
    SHA1: 7bb695e56e6ba22552fd012f49a99edb1f9dee13
    SHA256: 11694ad4c69ecb249e7e99948e41cfcb303321a1d308dd6a5ae9d40870b1018d
    SHA512: 86769065f578cea5c8a4c1e8bf43eff58da082a4a2c474d173a80563397d3055d4f0b92229668bea49be682a5a991b55aa73a67378d798c375e588d5e8f0a379
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: e9270368b07b9b18560dba7a86174f96
    SHA1: 102607586ae8083991ed111ad83c52951b4f3b63
    SHA256: 4af01f25e4142619d49ceeb0ee5fbda7b658de9a457883920e1f4e7e85b686d6
    SHA512: e549775c4e82b0a582cd0800ae42251eea9a3cd5803e160a9b70282d42c13518697158f72fa822f959cc9b88231a6a7e1b7f2e235a987f8908e056738a62e0fa
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\15424c16-ac7c-4d27-890f-06b40dc3da29
    Filesize: 9KB
    MD5: 973d9f32945f7fb2c06518662984b45b
    SHA1: 977d9ddb20fc7b0b2ded5191fba7c4f1062edda5
    SHA256: 28b7aa66c2c2d77853cade71e36522bc6b450350d48afe1d5df4d3203abc577c
    SHA512: 473f9f7ac5fa8e670afabbba1ac3fa0028052b6c71adc2b93452f3df69b7a1e623d68a95ddbdebd37ecc5dc43d48b945183e52c5a9a9b683a302d0f4dcb7eca5
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\9cd6c45e-69e1-4f1d-bf2f-26899afb35f6
    Filesize: 746B
    MD5: 0846d950b07a972d9f52e3dcb56a22be
    SHA1: 2b9209e9679e4c1d7537494b37261376a3bb668c
    SHA256: 0a6136da6df98d0dfdcafea0f9350fe38a2f1a0ec4945f2b4aa77ca315957644
    SHA512: e87e2eb3328efa898a44db60bd4c34f549cfbf771f6b19e41783157a2e8fa8014c86c132ec2035fbb2f6b11b004db41afeca44284b1ff7777159af7cb169dfa4
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
    Filesize: 6KB
    MD5: a579249f347d4690d1662ad9b799671c
    SHA1: 8853267c0d6ef3c15dfd5903cc8361ecdf378ded
    SHA256: c59ea3f1e39f6e22276b29c5ddaecf98c7a919608294e6c4328d08044c5cb589
    SHA512: 2acfcd2ac7fb2a058ab5664d077f9011640cdf4d8f3aeecdb330b341b43dd006b09d646567eb991fe47b753300e946043121e6aacd6acf2de4740e9347d9b57b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
    Filesize: 6KB
    MD5: 72aedd8ce1195ef383f8bb76d7a1cec1
    SHA1: 1562ce9bc9b5a7dad89ade1b0927480e9d8c3eb9
    SHA256: f76f8a9d75cc4680ba6993d744f0dd97f67e60144526fa1b3245277dfce03b14
    SHA512: a8feb45bf5c85e9b7fb7dc56daf31ea8b6fe3042d323dd17f3f1d71344583cf4c76227b174656ef55f2ddd8e6c3945559657af7c0dc9f822c73bab785a3c923d
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
    Filesize: 6KB
    MD5: 27594ca2480915c8387fffbb646053c1
    SHA1: 7f4659342d1828905e73e0cdca655162639ae7e7
    SHA256: 2c2aadfbf20b1e499e97b47b71e9c60e0ee6151d0ced001e40d1499ef9978edb
    SHA512: 46fa789db444364709c9b7c1caaa2d73c6f6bece0735e9e06baa78da64dd416501166bf1b6ed7c6b16aa696bb1dd6d4ad1862710731fd9a7d58571d1e7cbba66
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5: 4e84cdae3278a46e75235699953ecb31
    SHA1: 2ea9769f4b2e3895fe69b656c437db9ee2a43d05
    SHA256: 929c9a9a8a00202a0fce4f7e53bce9a1dbdff0c77eadedd5fc8baf9231990f1d
    SHA512: 95f536030e72927a70ea1de3d2c2eb45b98706085d1555741965ba07c7f377b9dfc16c3091a00320dbf4bc1f4ad6e6319080223db7088f4cd62a49ad24afe8e2
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 88fb666239582f758e17d42cf44b6e8e
    SHA1: d5c23d393d0c9ed065396042838a62e3d7eb5b79
    SHA256: dbf6f167438cba190c7deb2073cb4e5f6c7d37859702fc39d9f5f9a52680bd8f
    SHA512: 06466124032b5b9571ca8471dd3209ddbbc7fe6954d843065ca5c1b4cdc7d50c8476abce9904cabd56ac8cd986bd3d3e20711a43c23f477ed657a8c74f15e6d6
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 5771b23799727a93b75b7bfc2e09f99c
    SHA1: 617f66fd495fe6b31a408ba77a352e128dab94ec
    SHA256: 87c6185b500cdf83956f434f7ec0e1fda2576fdd2f2aadd5a229a96f963489c0
    SHA512: 5a9fc1425a69f7d4eddb78c9794234c84fa1b4862f51c4dcd1bf885716dbb17017bf53d6c1d13673784e9a0263396e3e1aa4d2087a0112914e96c6c746265f11
  • memory/592-0-0x0000023A98C20000-0x0000023A98C30000-memory.dmp
    Filesize: 64KB
  • memory/592-145-0x0000023A9F8A0000-0x0000023A9F8A1000-memory.dmp
    Filesize: 4KB
  • memory/592-16-0x0000023A98D20000-0x0000023A98D30000-memory.dmp
    Filesize: 64KB
  • memory/592-35-0x0000023A95FB0000-0x0000023A95FB2000-memory.dmp
    Filesize: 8KB
  • memory/592-146-0x0000023A9F8B0000-0x0000023A9F8B1000-memory.dmp
    Filesize: 4KB
  • memory/3720-92-0x00000237E1650000-0x00000237E1652000-memory.dmp
    Filesize: 8KB
  • memory/3720-128-0x00000237E18F0000-0x00000237E18F2000-memory.dmp
    Filesize: 8KB
  • memory/3720-64-0x00000237D04B0000-0x00000237D04B2000-memory.dmp
    Filesize: 8KB
  • memory/3720-230-0x00000237E3290000-0x00000237E3292000-memory.dmp
    Filesize: 8KB
  • memory/3720-90-0x00000237E1570000-0x00000237E1572000-memory.dmp
    Filesize: 8KB
  • memory/3720-266-0x00000237E5BE0000-0x00000237E5CE0000-memory.dmp
    Filesize: 1024KB
  • memory/3720-290-0x00000237E5FE0000-0x00000237E60E0000-memory.dmp
    Filesize: 1024KB
  • memory/3720-309-0x00000237CFC10000-0x00000237CFC20000-memory.dmp
    Filesize: 64KB
  • memory/3720-312-0x00000237CFC10000-0x00000237CFC20000-memory.dmp
    Filesize: 64KB
  • memory/3720-68-0x00000237D04F0000-0x00000237D04F2000-memory.dmp
    Filesize: 8KB
  • memory/3720-88-0x00000237E1550000-0x00000237E1552000-memory.dmp
    Filesize: 8KB
  • memory/3720-236-0x00000237E3300000-0x00000237E3302000-memory.dmp
    Filesize: 8KB
  • memory/3720-173-0x00000237E2750000-0x00000237E2752000-memory.dmp
    Filesize: 8KB
  • memory/3720-94-0x00000237E1670000-0x00000237E1672000-memory.dmp
    Filesize: 8KB
  • memory/3720-84-0x00000237E10F0000-0x00000237E10F2000-memory.dmp
    Filesize: 8KB
  • memory/3720-86-0x00000237E1310000-0x00000237E1312000-memory.dmp
    Filesize: 8KB
  • memory/3720-80-0x00000237E1900000-0x00000237E1920000-memory.dmp
    Filesize: 128KB
  • memory/3720-66-0x00000237D04D0000-0x00000237D04D2000-memory.dmp
    Filesize: 8KB
  • memory/3720-71-0x00000237E0800000-0x00000237E0900000-memory.dmp
    Filesize: 1024KB
  • memory/3876-45-0x000001F63B200000-0x000001F63B300000-memory.dmp
    Filesize: 1024KB