Resubmissions
02-05-2024 18:03  240502-wm2qysfd96
Analysis
max time kernel: 46s
max time network: 36s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-06-2024 13:08
Static task: static1
Behavioral task: behavioral1
Sample: UnprotectEnable.xlt
Resource: win10-20240404-en
General
Target: UnprotectEnable.xlt
Size: 466KB
MD5: afd9055c611a881d6d8f29a94057579d
SHA1: 22904d3a386f715b80f466043ad3abcf7cc3d63a
SHA256: 1ed95a0768790ea01e30e1de07f66f36d7ef402d177ea32ce24004c80611658d
SHA512: f93e2b5607b771faac3426c13036f5c96fdbf78e71ceca094c19b365962f72c39b7fe3f0d31907fcaea350f5599efb0dc85bd5dab796a3bae30bc08840d3dd56
SSDEEP: 12288:hs4pOgLLxoIjHwHosk9jnoxgAahLCVLZnWj4zJOz/EgT:lCIzwHhktnoHaRCVLoj4kH
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2840 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process | count
Token: SeDebugPrivilege | 4812 | firefox.exe | 2
Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process | count
4812 | firefox.exe | 4
Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process | count
4812 | firefox.exe | 3
Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process | count
2840 | EXCEL.EXE | 13
4812 | firefox.exe | 1
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 4328 wrote to memory of 4812 | 4328 | firefox.exe | 78 | 11
PID 4812 wrote to memory of 3492 | 4812 | firefox.exe | 79 | 2
PID 4812 wrote to memory of 2360 | 4812 | firefox.exe | 80 | 48
PID 4812 wrote to memory of 1528 | 4812 | firefox.exe | 81 | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\UnprotectEnable.xlt"
  PID: 2840
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 4328
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4812
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.0.1141007606\98718854" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c78970d-cbc4-4ca8-a294-24c3bb2d5b23} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 1792 1cc1f8deb58 gpu
      PID: 3492

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.1.902748310\1172220682" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4fb0e7-490f-4530-86e6-c7b2a86bfddb} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2148 1cc1f7f9b58 socket
      PID: 2360

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.2.329029068\1517647693" -childID 1 -isForBrowser -prefsHandle 2704 -prefMapHandle 2712 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75dcfe04-944b-4a41-b78d-bb24e5968c99} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2788 1cc23adcd58 tab
      PID: 1528

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.3.1321124159\1597949353" -childID 2 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {033e27c0-cad7-4b6a-90f2-58228ef31d02} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3348 1cc0d66ab58 tab
      PID: 1336

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.4.1893762328\1169764986" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45ad7d89-dd2c-42e2-b97b-349a4b7fbec6} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4408 1cc2237b558 tab
      PID: 4900

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.5.441070390\320784120" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4860 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2aae28c-d1fd-4624-8609-ec037ce60f5c} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 2644 1cc25f6ca58 tab
      PID: 2816

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.6.1648125749\370663925" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe2bbfb9-7dd7-497c-bb60-5812ff1afb8e} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 4996 1cc25f6ee58 tab
      PID: 2724

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.7.955671659\729053132" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc7bf424-9598-4ef5-b82e-a8971f35319d} 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 5148 1cc25f6d658 tab
      PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 4895f2b48f7436fbf57f13a9bf63db98
SHA1: be66c2b0fe57fb9b90d4bd10cdd1170fb095dd81
SHA256: 37349075e7a08f6e60f773b13f4d42a9123accaf17e2ba16fbc3e884437e8c15
SHA512: 9e7a0c1e24abed407e55a0173e453ed0e37d00cafffcf54832d03a9217d2c34a9d470971d2278bca046f41a0c4dc08f63a5ca40ab6dbc37a58ee13b029fa86e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\3f585354-5da9-4f9c-9415-a25f4d6385b3
Filesize: 746B
MD5: 8c4fdc3f782384262f08a5119201a0d3
SHA1: e8ede8d8c1e4a6aafc7aaaabb865fca5139423f4
SHA256: faef87499af40e4a4d7066406ab4e655c6d4217d3b618017308943b256974b4e
SHA512: 576560b378765bee7703d9fadff25555bcddc97d034901fa6182b85b3793ca48de8904fb4764065df38de6aeebe4ea2e358b5a50bfc78c833e316e4d6f83c6dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\bf3ef7f9-9418-4f01-ba84-49e321a538d4
Filesize: 10KB
MD5: 0f2daddb7cc6e6db91a015eb1439d8a0
SHA1: a7c2b31888222befc519329c645588e06997bd3b
SHA256: 49ba00311169939b80e1255d6bc873a6ad7230176cfb4e69dbfe5b02119cb336
SHA512: 15948c7223a10c362b60ad5a0a6fc2fc188493430911d6443037755aa9029c2d57a263bde790df8b986a3f245ab4c6f2b610994de115f779db4acd2f63357f7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 184KB
MD5: 0d0013d9708d9fef539adc917f5b87f6
SHA1: 5e071e6b4d8abf007c8bb78ee948caf5bb0439e1
SHA256: f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b
SHA512: 851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388