Resubmissions

02-05-2024 18:03

240502-wm2qysfd96 1

Analysis

  • max time kernel
    46s
  • max time network
    36s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03-06-2024 13:08

General

  • Target

    UnprotectEnable.xlt

  • Size

    466KB

  • MD5

    afd9055c611a881d6d8f29a94057579d

  • SHA1

    22904d3a386f715b80f466043ad3abcf7cc3d63a

  • SHA256

    1ed95a0768790ea01e30e1de07f66f36d7ef402d177ea32ce24004c80611658d

  • SHA512

    f93e2b5607b771faac3426c13036f5c96fdbf78e71ceca094c19b365962f72c39b7fe3f0d31907fcaea350f5599efb0dc85bd5dab796a3bae30bc08840d3dd56

  • SSDEEP

    12288:hs4pOgLLxoIjHwHosk9jnoxgAahLCVLZnWj4zJOz/EgT:lCIzwHhktnoHaRCVLoj4kH

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the signature fires on EXCEL.EXE (PID 2840) and on the Firefox browser process (PID 4812); both read these keys in normal operation, so on its own it is weak evidence, which the 1/10 score reflects.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attaches this signature to no process and lists no IoCs for it, so there is no task name, trigger or action here to pivot on; confirm in the full API log before treating it as persistence.

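The three signatures above are pattern matches over the sandbox's API trace. The block below is an added example of that matching, not tria.ge's own code: the trace format (one `pid|image|api|argument` event per line) and the events themselves are constructed, PID 1234 is a made-up process included only so the Task Scheduler rule fires, the ATT&CK mapping is my assumption, and the CLSID used for the Task Scheduler rule is the class id I know it by rather than a value taken from this report.

```python
"""Re-derive three of the report's signatures from a sandbox-style API trace.

Added example, not tria.ge's matching code.  Trace lines are constructed:
    pid|image|api|argument
"""
import re
from collections import defaultdict

# Constructed trace.  PIDs 2840 and 4812 mirror the report's Excel and Firefox
# processes; PID 1234 is invented so that the Task Scheduler rule has a hit.
SAMPLE_TRACE = r"""
2840|EXCEL.EXE|RegOpenKeyExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
2840|EXCEL.EXE|RegQueryValueExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
2840|EXCEL.EXE|RegQueryValueExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
2840|EXCEL.EXE|RegQueryValueExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
2840|EXCEL.EXE|RegQueryValueExW|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
2840|EXCEL.EXE|RegQueryValueExW|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation\SystemManufacturer
4812|firefox.exe|RegQueryValueExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
1234|unknown.exe|CoCreateInstance|{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
1234|unknown.exe|RegQueryValueExW|HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
"""

REGISTRY_READ_APIS = {"RegOpenKeyExW", "RegQueryValueExW"}
# Assumption: the Task Scheduler (Schedule.Service) class id.
TASK_SCHEDULER_CLSID = "{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}"

# signature name -> (APIs that can trigger it, argument pattern, assumed ATT&CK ids)
SIGNATURES = {
    "Checks processor information in registry": (
        REGISTRY_READ_APIS,
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
        ("T1082", "T1497"),
    ),
    "Enumerates system info in registry": (
        REGISTRY_READ_APIS,
        re.compile(r"\\(SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                   r"|SYSTEM\\CurrentControlSet\\Control\\SystemInformation)\\", re.I),
        ("T1082",),
    ),
    "Uses Task Scheduler COM API": (
        {"CoCreateInstance"},
        re.compile(re.escape(TASK_SCHEDULER_CLSID), re.I),
        ("T1053.005",),
    ),
}


def match_signatures(trace: str):
    """Return {signature: {pid: [matching argument, ...]}}.

    Keeping hits per PID is what lets a reader attribute a signature to the
    target's process rather than to the browser the sandbox also ran.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, _image, api, arg = line.split("|", 3)
        for name, (apis, pattern, _ttps) in SIGNATURES.items():
            if api in apis and pattern.search(arg):
                hits[name][int(pid)].append(arg)
    return hits


def summarize(trace: str):
    """Collapse the hits into the per-PID IoC counts the report style uses."""
    return {name: {pid: len(args) for pid, args in per_pid.items()}
            for name, per_pid in match_signatures(trace).items()}


if __name__ == "__main__":
    for name, per_pid in summarize(SAMPLE_TRACE).items():
        ttps = ", ".join(SIGNATURES[name][2])
        print(f"{name} [{ttps}]: {sum(per_pid.values())} IoCs across {len(per_pid)} PIDs")
        for pid, count in sorted(per_pid.items()):
            print(f"    PID {pid}: {count}")
```

Adding a rule means adding one entry to SIGNATURES; the per-PID map is the part worth keeping, because a signature that only ever fires on the harness's own browser tells you nothing about the sample.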
Processes

EXCEL.EXE (PID 2840), which opened the target file, spawned no child processes. The eight firefox.exe entries at depth 3 are Firefox's own content processes (gpu, socket and six tab processes): each is started with -contentproc and a --channel id prefixed with its parent's PID, 4812.

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\UnprotectEnable.xlt"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2840
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.0.1141007606\98718854" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c78970d-cbc4-4ca8-a294-24c3bb2d5b23} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 1792 1cc1f8deb58 gpu
        3⤵
        PID:3492
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.1.902748310\1172220682" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4fb0e7-490f-4530-86e6-c7b2a86bfddb} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2148 1cc1f7f9b58 socket
        3⤵
        PID:2360
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.2.329029068\1517647693" -childID 1 -isForBrowser -prefsHandle 2704 -prefMapHandle 2712 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75dcfe04-944b-4a41-b78d-bb24e5968c99} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2788 1cc23adcd58 tab
        3⤵
        PID:1528
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.3.1321124159\1597949353" -childID 2 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {033e27c0-cad7-4b6a-90f2-58228ef31d02} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3348 1cc0d66ab58 tab
        3⤵
        PID:1336
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.4.1893762328\1169764986" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45ad7d89-dd2c-42e2-b97b-349a4b7fbec6} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4408 1cc2237b558 tab
        3⤵
        PID:4900
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.5.441070390\320784120" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4860 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2aae28c-d1fd-4624-8609-ec037ce60f5c} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2644 1cc25f6ca58 tab
        3⤵
        PID:2816
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.6.1648125749\370663925" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe2bbfb9-7dd7-497c-bb60-5812ff1afb8e} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4996 1cc25f6ee58 tab
        3⤵
        PID:2724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.7.955671659\729053132" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc7bf424-9598-4ef5-b82e-a8971f35319d} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 5148 1cc25f6d658 tab
        3⤵
        PID:2788

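Reading a tree like the one above comes down to two questions: what did the target's host process spawn, and which signatures land inside that subtree rather than on the browser the sandbox also ran. The block below is an added example that makes that check explicit; it is not tria.ge code. PROCS is my transcription of the process list (parent PIDs taken from the tree nesting, content-process command lines cut down to the switches the check uses), and the treatment of PID 4812 as the browser process started by Firefox's launcher process 4328 is my reading of the tree, not something the report states.

```python
"""Triage a sandbox process tree: what did the target's host process spawn,
and which 'suspicious' signatures land inside versus outside that subtree?

Added example, not tria.ge code.  PROCS is transcribed from the report's
process list; child command lines are shortened to what the check needs.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]          # None for the top-level processes
    image: str
    cmdline: str
    signatures: tuple = ()


FF = r'"C:\Program Files\Mozilla Firefox\firefox.exe"'

PROCS = [
    Proc(2840, None, "EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
         r'"C:\Users\Admin\AppData\Local\Temp\UnprotectEnable.xlt"',
         ("Checks processor information in registry", "Enumerates system info in registry",
          "Suspicious behavior: AddClipboardFormatListener", "Suspicious use of SetWindowsHookEx")),
    Proc(4328, None, "firefox.exe", FF, ("Suspicious use of WriteProcessMemory",)),
    Proc(4812, 4328, "firefox.exe", FF,
         ("Checks processor information in registry", "Modifies registry class",
          "Suspicious use of AdjustPrivilegeToken", "Suspicious use of FindShellTrayWindow",
          "Suspicious use of SendNotifyMessage", "Suspicious use of SetWindowsHookEx",
          "Suspicious use of WriteProcessMemory")),
    Proc(3492, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.0.1141007606\98718854" gpu'),
    Proc(2360, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.1.902748310\1172220682" socket'),
    Proc(1528, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.2.329029068\1517647693" -childID 1 tab'),
    Proc(1336, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.3.1321124159\1597949353" -childID 2 tab'),
    Proc(4900, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.4.1893762328\1169764986" -childID 3 tab'),
    Proc(2816, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.5.441070390\320784120" -childID 4 tab'),
    Proc(2724, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.6.1648125749\370663925" -childID 5 tab'),
    Proc(2788, 4812, "firefox.exe", FF + r' -contentproc --channel="4812.7.955671659\729053132" -childID 6 tab'),
]


def descendants(procs, pid):
    """Every process below `pid` in the tree."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    out, stack = [], [pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def is_content_process(proc, parent):
    """Firefox starts its own sandboxed helpers (gpu, socket, tab) with
    -contentproc and a --channel id prefixed by the parent's PID.  The parent's
    WriteProcessMemory calls into such children are part of that start-up."""
    return (proc.image.lower() == "firefox.exe" and parent.image.lower() == "firefox.exe"
            and "-contentproc" in proc.cmdline
            and f'--channel="{parent.pid}.' in proc.cmdline)


def triage(procs, target_file):
    by_pid = {p.pid: p for p in procs}
    target = next(p for p in procs if target_file.lower() in p.cmdline.lower())
    spawned = descendants(procs, target.pid)
    subtree = [target, *spawned]
    inside = {s for p in subtree for s in p.signatures}
    outside = {s for p in procs if p not in subtree for s in p.signatures}
    content, other = [], []
    for p in procs:
        if p.ppid in by_pid and p.image.lower() == "firefox.exe":
            (content if is_content_process(p, by_pid[p.ppid]) else other).append(p.pid)
    return {
        "target_pid": target.pid,
        "target_spawned": [p.pid for p in spawned],
        "signatures_in_target_subtree": sorted(inside),
        "signatures_only_outside_target": sorted(outside - inside),
        "firefox_content_children": content,
        "firefox_children_not_content": other,   # expected: the browser process under the launcher
    }


if __name__ == "__main__":
    print(json.dumps(triage(PROCS, "UnprotectEnable.xlt"), indent=2))
```

On this report the result is an empty `target_spawned`, the WriteProcessMemory, AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage and registry-class signatures confined to the Firefox subtree, and all eight depth-3 processes classified as content processes of 4812. The only Firefox child that is not a content process is 4812 itself, which is where a real injection into a browser would also show up, so that list is the one to read first on a higher-scoring run.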
Network

MITRE ATT&CK Enterprise v15


Downloads

All four files below sit inside the Firefox profile used during the run (wtg1s5j6.default-release): the Glean telemetry database and two pending telemetry pings under datareporting\glean, and an internal IndexedDB store under storage\permanent\chrome\idb. They are Firefox's own artifacts and should not be read as files dropped by the target.

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 4895f2b48f7436fbf57f13a9bf63db98
    SHA1: be66c2b0fe57fb9b90d4bd10cdd1170fb095dd81
    SHA256: 37349075e7a08f6e60f773b13f4d42a9123accaf17e2ba16fbc3e884437e8c15
    SHA512: 9e7a0c1e24abed407e55a0173e453ed0e37d00cafffcf54832d03a9217d2c34a9d470971d2278bca046f41a0c4dc08f63a5ca40ab6dbc37a58ee13b029fa86e5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\3f585354-5da9-4f9c-9415-a25f4d6385b3
    Filesize: 746B
    MD5: 8c4fdc3f782384262f08a5119201a0d3
    SHA1: e8ede8d8c1e4a6aafc7aaaabb865fca5139423f4
    SHA256: faef87499af40e4a4d7066406ab4e655c6d4217d3b618017308943b256974b4e
    SHA512: 576560b378765bee7703d9fadff25555bcddc97d034901fa6182b85b3793ca48de8904fb4764065df38de6aeebe4ea2e358b5a50bfc78c833e316e4d6f83c6dd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\bf3ef7f9-9418-4f01-ba84-49e321a538d4
    Filesize: 10KB
    MD5: 0f2daddb7cc6e6db91a015eb1439d8a0
    SHA1: a7c2b31888222befc519329c645588e06997bd3b
    SHA256: 49ba00311169939b80e1255d6bc873a6ad7230176cfb4e69dbfe5b02119cb336
    SHA512: 15948c7223a10c362b60ad5a0a6fc2fc188493430911d6443037755aa9029c2d57a263bde790df8b986a3f245ab4c6f2b610994de115f779db4acd2f63357f7a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 0d0013d9708d9fef539adc917f5b87f6
    SHA1: 5e071e6b4d8abf007c8bb78ee948caf5bb0439e1
    SHA256: f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b
    SHA512: 851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Memory dumps from EXCEL.EXE (PID 2840)

Thirty-nine dumps were taken from PID 2840 during the run, but they cover only four distinct regions. The dump index below is the number between the PID and the start address in the original dump name (memory/2840-<index>-<start>-<end>-memory.dmp). The 4KB region is a single page inside the 1.9MB region, so there are really three separate mappings.

  Region                                   Size    Dump indices
  0x00007FFF6B550000-0x00007FFF6B72B000    1.9MB   7, 8, 10-18, 20-32, 185, 228, 229
  0x00007FFF6B5F5000-0x00007FFF6B5F6000    4KB     1, 186
  0x00007FFF2B5E0000-0x00007FFF2B5F0000    64KB    0, 2, 3, 4, 224-227
  0x00007FFF27EA0000-0x00007FFF27EB0000    64KB    9, 19