Analysis
-
max time kernel
141s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
03-06-2024 05:20
General
-
Target
http://https%3A%2F%2Fwww.zaubacorp.com%2F&data=05%7C02%7Cmaria.davidova%40iongroup.com%7C94ee2210d1144ce9cadd08dc81c8b635%7C768fe7d4ebee41a79851d5825ecdd396%7C0%7C0%7C638527946406245129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=rohPLQ3AmZM5NsT%2Fgt2hIbX4oAr0iAD4P5E7bKFlMlI%3D&reserved=0
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://https%3A%2F%2Fwww.zaubacorp.com%2F&data=05%7C02%7Cmaria.davidova%40iongroup.com%7C94ee2210d1144ce9cadd08dc81c8b635%7C768fe7d4ebee41a79851d5825ecdd396%7C0%7C0%7C638527946406245129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=rohPLQ3AmZM5NsT%2Fgt2hIbX4oAr0iAD4P5E7bKFlMlI%3D&reserved=0"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://https%3A%2F%2Fwww.zaubacorp.com%2F&data=05%7C02%7Cmaria.davidova%40iongroup.com%7C94ee2210d1144ce9cadd08dc81c8b635%7C768fe7d4ebee41a79851d5825ecdd396%7C0%7C0%7C638527946406245129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=rohPLQ3AmZM5NsT%2Fgt2hIbX4oAr0iAD4P5E7bKFlMlI%3D&reserved=02⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.0.1701221284\889955670" -parentBuildID 20221007134813 -prefsHandle 1812 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {154d154c-9118-4315-886c-59fd8622af84} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 1980 26489ed9358 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.1.1590612973\974560832" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc29fecd-c805-4281-8e20-888968f069c6} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 2380 26489dfe558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.2.452911851\544034956" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e4e27e-2a1e-465e-93a8-e9d61ac8e779} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3208 2648dd94858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.3.1265249470\1315262492" -childID 2 -isForBrowser -prefsHandle 1184 -prefMapHandle 1384 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e02dca2-2cc6-47b5-b297-fa2964ac1db2} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3520 2648c7b7558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.4.847431933\1597113491" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a65498f-ae98-4f32-a91a-fd0f9e324469} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3800 2648c9b4358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.5.601500843\951657980" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65233183-c9a0-4489-ae07-2d8b43f736e9} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 4916 26490227358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.6.1957423261\2070583245" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb7ef545-b905-418a-bd26-de817d89e138} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5056 264fd36ee58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.7.793489876\921172887" -childID 6 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad8d7e7-14c8-437c-ad24-1a5e2ad7062d} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 5240 26490965d58 tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD563ec78e5b20375dd98b51801b923bc38
SHA1bb44ae983d3547719c49fda5a93d2203dc916e2c
SHA256e35b1c28a8ca5f15ae00756f8ca35a9b90f3036730c429e238c83822f81d1c7e
SHA5126fa3f88a0f984558fa98aff238ded69e2e3b6d142ae6b286bdafd8a5f3b86101adc4c9d2959a27730ff9c96fb80742a487ebcd0750b40e76a8f8033a64936ed4
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
3KB
MD55a539ac78f58151c2ef959e2b63a7335
SHA18117cd86dff26c06c1ac73daebf719c16901855f
SHA256e518bcf9ca1ccfa3e224cef4767d629dee0b8744eb88fb8697037c07a3e6f5f7
SHA512aa9838bb1c809ca52e23604107f2a5b22c77294ad8180b1c81c93ea05b891fcf289aad1d428ab0f2fde6ce5842aff0fc670489ea8c02ca1ff73280e4bcf525c0
-
Filesize
2KB
MD520e7e5b6f68223a26c81503d238e13d6
SHA115f6717d40f2f9f5fe56a566fede28a5437dcf3e
SHA2563d94973572093e6609c7231e3a32fcebdf8b93a0738fed05cbc105ca21f4c346
SHA512c93c0ca7723d235f838ea43b1ea0ab5849968b1c9c3bb6fc8ce9407d9bbe51a9fbdf919cdfb24fa7e86dff89cd5bd163408089f9edb8d0bb4dbb93f4aaf7134b
-
Filesize
11KB
MD51a47d4662ce6e80b4d2cece8a3acbfdb
SHA12ada8e52845799bd3dff0f6913c7dc53f258f64f
SHA256d830c985cac5a8285d50c2ff4109133398d18e82b99526a017f0c2bb85506c51
SHA512e4534ceebc222fd50747de3bc406fa6e0c8a33a6c05e8d0bb78a25463854aa8cc222b02797a9349c6cb624445fe1bf1207019c0ee71e1996d9e52baa9614d105
-
Filesize
746B
MD52c44e18f7baeb7ebebd09c34a568e4b0
SHA14e817d3729df9bc557b211535b692e808577e3d0
SHA2569e1aa02b3f522ab8da5e5d0e1cba085883a4cc8bd11a627591407d61ff093c71
SHA512d7d2926dcc3c6f77d6ce266352b13d3f61c282d4e8f890200ad5ffb8ab4f911169abb1848681fb9d6e20c7b280745e184b07e9701a481c10d42b32e7c69fc5c4
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD501a892e2fe62c0383060c7967f698d1d
SHA154189fd4455b574a99e900bb1641cf2ff36aba56
SHA256d4947e372f846d19a02b25f8c3fbe47862279990612baf96b24119a839a0ad31
SHA51294780733a424c8d0adfac61f0477e0d2cbad1ca7f02d4d96768bca5548c15a691dee52e0b7e27795261f5395d6433f87fce678b54ead11f8d78f419bb76b003b
-
Filesize
7KB
MD5589cc397aa2aadd44d9c7cdaf9e82ad2
SHA16aadd81b2b0fd811d379be324e4ae9aa3ab19d3b
SHA256fabca7e7f5d0f86f11079835de2a00b7290888993cfdfce11485c1e754e30b5c
SHA512a44e2dd587fbdc99e20b4f8d183329fdda870711e6ad000fe9a32e60d8bcdf3f5ef8b18fb14c8f515d0fe56696b0d6399fdb81636000edbe058007d1a769fbc2
-
Filesize
1KB
MD562c003d58478bc0c732da0d7dd7f90f4
SHA16441d4a952b0c03c040c235964e3713cb2fed50d
SHA2561921785fa9ce89bc14270a5055ac3d005bdf0795a15b809da92061ab50543e6f
SHA512d8762e87574794a106b4fba8c3adb562517dc858bf313bb6bb44b0628d6fbac13e75969b86859ed33ffe8fdb2e32c6349d196f6120b296ee5434d86e01a93ce2