Resubmissions

16-06-2024 14:53

240616-r9bqtsxdrd 7

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 14:53

General

  • Target

    publish/OpenAL32.dll

  • Size

    1.7MB

  • MD5

    ff08ba3a9dfe6bd0b26f9055094c9550

  • SHA1

    2dd9130b6dd4c49864635b1b7cc4a93ebcdd5e17

  • SHA256

    5a42440a18a75ce588659158d74d26ab1850eabd34f3b25abd969a56d871db42

  • SHA512

    db7eba84f7545740bc267298fbdcb70bcc820e5b7f1b2a38a5e0396d2c5da62715f5338f52025477a5bd0160389f1e27e12370a7829c8070d430d7838494b9dc

  • SSDEEP

    24576:Vp4Z+cv92VrcRfw5K89ISay/D1IkYl57p+KGoq9gHvfnj/pC:VDARY5t9gy/D1ItHaiPP

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\publish\OpenAL32.dll,#1
    1⤵
      PID:2736
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.0.547805855\780381356" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd314ea0-77f7-4ec9-82ae-c83535685ead} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1300 110d5258 gpu
          3⤵
            PID:2716
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.1.384545285\723266756" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4437d488-6a0f-4cdc-8f6b-9730d9103b37} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1488 e72558 socket
            3⤵
              PID:1960
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.2.1369094977\297156278" -childID 1 -isForBrowser -prefsHandle 940 -prefMapHandle 860 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {511d9549-60a4-4a0e-8087-a0e581c2c8e6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 1068 1a295958 tab
              3⤵
                PID:1448
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.3.109809501\730388042" -childID 2 -isForBrowser -prefsHandle 2412 -prefMapHandle 792 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b5108bd-4a64-42ee-9e48-12917552096d} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 2516 19b96e58 tab
                3⤵
                  PID:1264
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.4.789885443\1881749684" -childID 3 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f990641a-02f4-4707-b984-846e2aec60a6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 2916 1cf09258 tab
                  3⤵
                    PID:1760
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.5.1298130800\950700441" -childID 4 -isForBrowser -prefsHandle 3720 -prefMapHandle 3708 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e9e9e0d-5e1d-4b26-aef1-e4810442334f} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3724 1e7f9558 tab
                    3⤵
                      PID:3068
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.6.1911048926\2086154872" -childID 5 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6549d5f2-c2f3-4ab1-824d-d4b1a40f3eb4} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3820 1e7f7a58 tab
                      3⤵
                        PID:560
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2212.7.1662221346\1913926499" -childID 6 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b07881c-ae8f-457e-a73b-25913ebd9ea7} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" 3996 1e7f9b58 tab
                        3⤵
                          PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
    Filesize
    13KB

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize
    442KB

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize
    8.0MB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\pending_pings\3867796c-8d0f-4109-8cbd-2e3d2e0424b2
    Filesize
    11KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\pending_pings\8303a883-a4c8-46e1-a8e0-4182c429b2fb
    Filesize
    745B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize
    997KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize
    116B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize
    479B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize
    372B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize
    11.8MB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize
    1KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize
    1KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
    Filesize
    6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    184KB

  • memory/2736-0-0x000000006F000000-0x000000006F235000-memory.dmp
    Filesize
    2.2MB