Resubmissions

17-06-2024 13:15

240617-qhd67swfnq 1

17-06-2024 13:08

240617-qc774awekl 1

16-06-2024 16:06

240616-tj8nzstenm 1

16-06-2024 15:43

240616-s5yv8syfpg 6

Analysis

  • max time kernel
    104s
  • max time network
    106s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17-06-2024 13:08

General

  • Target

  • Size

    63B

  • MD5

    e2ddd6255938ecbfa936089f3c10bf8e

  • SHA1

    7fa7561ddac8accc6c8518dcd35717d07d5e14d1

  • SHA256

    816b3695c85a99b291e7e687ce62139191815af187cdd116a0c80f2b3c1a4ea8

  • SHA512

    613b38d008c3c91ac1df72d1c9e4f6f333667ed4cd56c38e92e3faf77d27584c85bb818a02ebf71f8015157157e04d30b0af01b4397d585b9f9c882ef7d5bbe2

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    PID:4904
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.0.689119137\1019743242" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9291b56e-b40b-4cfa-8840-fcb89fa0450d} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 1780 1762b0d8158 gpu
        3⤵
        PID:1148
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.1.751840821\62974325" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d98382ee-f88e-419d-91e8-d54f393e6d3d} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2136 17618d72858 socket
        3⤵
        PID:4996
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.2.1100696165\680342438" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 3000 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c23240-3400-422c-8ede-b9dd3b87cb57} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3012 1762f296158 tab
        3⤵
        PID:2088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.3.1504115490\1377760741" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28dc23fc-d786-4d4e-8e45-f7389aa03cc4} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3436 17618d62b58 tab
        3⤵
        PID:4316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.4.65562903\1285842976" -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 4292 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {865d135a-66c7-454d-948f-94b05bd1d3cd} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4204 176310dcd58 tab
        3⤵
        PID:2856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.5.1833540846\1216546084" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4884 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa0ac411-b446-4dee-ade9-defd0ae18045} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4896 176310dc758 tab
        3⤵
        PID:4920
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.6.1156728284\1163337655" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58490c78-57b9-4bdb-bd90-a6cb49d4744f} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5024 17631d20558 tab
        3⤵
        PID:624
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.7.2033912483\2078195493" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {509cef31-e0e1-4661-9ea7-39fb8fc77620} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5168 17631d23858 tab
        3⤵
        PID:2752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.8.1751554676\1436003139" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a24cb8ef-7c2d-4569-b80b-5a65a71307e1} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2712 176326c5658 tab
        3⤵
        PID:2592
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.9.171858002\354092368" -childID 8 -isForBrowser -prefsHandle 5236 -prefMapHandle 5644 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be336ac-ead9-4147-b800-4647221f5097} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5240 1763295ce58 tab
        3⤵
        PID:1096
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.10.894199190\1805755188" -childID 9 -isForBrowser -prefsHandle 4720 -prefMapHandle 5440 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3123f07-984c-4104-b2bd-450a2fcd6cf9} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5128 1763295fb58 tab
        3⤵
        PID:1464
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.11.1903990002\209747989" -childID 10 -isForBrowser -prefsHandle 4612 -prefMapHandle 2516 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {220f05b9-0476-4b3e-a261-3334b0a80ab4} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2544 17631d21158 tab
        3⤵
        PID:652
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.12.1392905276\586770428" -childID 11 -isForBrowser -prefsHandle 4896 -prefMapHandle 5216 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8121858e-bbe9-4751-91ed-cb237ad2de32} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5912 17618d6ab58 tab
        3⤵
        PID:3392
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.13.1409916777\572184830" -childID 12 -isForBrowser -prefsHandle 5148 -prefMapHandle 5372 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f4d06b-49ea-4c56-bf80-d3f84aa9573a} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5436 176313fba58 tab
        3⤵
        PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • Query Registry
      T1012 (2)
    • System Information Discovery
      T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\C6A6389A9162CEB2E1F41436B370871FECA58F75
    Filesize
    60KB
    MD5
    92b5e4bb17f9bfda34e6acbd081a4d7e
    SHA1
    db1846dbf794cfcef270a03070fd6cabea8af138
    SHA256
    89b347c0e4dbce8a942cb38dd6b1599bbbb8694cce2e1c2ea7cf4ed1eeb36752
    SHA512
    018e35a2d9b6073d930681124d03282aa3afdc66ee3564974cdc98531539df57a3d235c58c9a6f020ab0cad4dd71fc87f2f546b45e30d1147837ae03ca75360e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    10464ad2c2586756a68778733e96b3c4
    SHA1
    10dc279032d5aa0bf4a583b38ca4a5d76c83bcb4
    SHA256
    7a11546577b34bcb4d9b39ba97de39ce1bd292e55ff1101348e636d1b550eb17
    SHA512
    c3cc6d38ef816d1ad104f0ec787550add37aaa916bfe4ef95dbe75d1081b6c949538ccbcb9750810f09cf5b8298fad4e87f5851baa9ab5921d81750dd35b3254

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\88fab366-d716-44c0-a173-8e75c8624150
    Filesize
    746B
    MD5
    71513065e1d0e99a9cceb257d4931599
    SHA1
    15893c1b968d8410946a121565a397e88417d000
    SHA256
    1134f2c8c4e6128a7d1827ee12e7e2046ea896be0de688990232e3bd3fe99ba9
    SHA512
    11af49d4635e560c66d67411a5f345c221e42e3ea77a46d55ed573c070d4b8b1c28f6c8482dc2157b05617c2ddb13865361014f91aeecbba5b310e4ec9169816

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\a0e6e835-ca75-4f55-9ae2-780e0e9f32b1
    Filesize
    9KB
    MD5
    3f698368c29d501cb3f789ab4f08393e
    SHA1
    2842f54989a8695b438c454deb807467566490d2
    SHA256
    bd898468d88520ac993fc421711fd65b46a23aa0aaca56a2131d27f77f0ab83e
    SHA512
    4c498fefbb3220045e8514d8ffd9a003265c4fefe64a177720a2d706c9da80794ce5bc57e149ab6dfd8541b54c376a5bf450409c74067e0fab0d613188e1be3e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    478836b04b9fb120414ee59e85eada5e
    SHA1
    0d00c5ba35dbe0a84fcdaefba70ef3215c3cc279
    SHA256
    d1d6262ed0e563c70f6c539d2b43377227bfca8bf2435a0c82f1856b70bd64d8
    SHA512
    f3fdaea5f3fe6542a8bb55a9d924c66808babba93788ab85d4b89ea70ad30b590805d1613283e9ca1c7933eaeeeed6ce4135896beaa66503ede0faf810653e71

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    50433e8d492d172add29008fca523458
    SHA1
    3874415dab8f58874f407ed4d9771ea483eecb9a
    SHA256
    7c3c7e1dcf55ca5a9d033814aec04a16e27343b3dd4755e3073670660d39e478
    SHA512
    e2a00c254e2f4c87f55eb6e33cbdf6aa9730ab11d26da5c67d3fff2ba440068023eaee6a70a14b16ad3c0a7c65dc637b44416e66af25bee76b708a9f6472a8d0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    5efff1838092f4c23774bfd14f5e24fa
    SHA1
    e45d167f807358421540bba5bea7b27083ccc59d
    SHA256
    2cf2f52e239750e7bf59e2632e7ab28022f943e29380e82d4bd85cb9f38ad34b
    SHA512
    3746c321aadb892ff538f2e7c71f310296bfbf5538871289d23c65ce311ca7a02458a5ec882557ad6f08b83e19e551a10843388dec382d5e7b05e52f28f55615

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    7b018a3cdd056b8f69004ebabfae3328
    SHA1
    9469fc6f89466f28e68269f26549174a7849e1a2
    SHA256
    922eae8fb3708b53cbec5ef529e7268ad65fa8412b7968d37dcce215cd1ad0f3
    SHA512
    112b0038414150c49815434441bd45cdb573209ad7dd9dc3cfd8933f5c98fca5ac25dd503ec368178ca011c819013728894cd8399f2937a71c40f2cb2e1e616f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    10KB
    MD5
    d291ed9198fa681dc4092ba37b9e76a7
    SHA1
    7e135f75a5428f3753c202cda2bfb8434e001feb
    SHA256
    41bf4894381835dda527dd99d36c06a247fc5221333aaec845940ddbc2399700
    SHA512
    28fc6f389a420f0ecba8f0d857a1a2288b5266760af69052a05bd59529d10a167c119511a547d2d246e624fb25998a7efe35cc77909ba8ed2536f330ff0f1f3f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    5b9becf1181b72ef03df545468bef497
    SHA1
    f7d9cccea2518a9a1a7d34eef3ec72ac0dbb9d81
    SHA256
    45ad0bf04229e785b9b782eb0c465bbace3610981af557892eafb6cfcca51032
    SHA512
    9db2b7db8ef5729a39886d6af932791f602f69842d39fcb430a37cd025034d3d43c21ef46c60cf6878c63465e80f8a86f4318cdad4ae4440f887246dafbc04c4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    7KB
    MD5
    ca058f4c81f414b3ff68feda0a6aebc3
    SHA1
    3e3d52034322a6896dcf69c29f90b9c50468d1b1
    SHA256
    ca0d6934fecb2314bce2ff74618ee0cb029cce8ee0aec7bf2f3b32f4f407f968
    SHA512
    7330041c7c1a653ed148ea6ef5a10987e0c578e691e991004a5e2ec8bdb00b078382f45a276f558507843c87a68aeff431398aa436e87a9c654dcb8b8cc40d20

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    184KB
    MD5
    0ed2663971e8051b2bcb574926400fa8
    SHA1
    467756bf41c377bdb07c8be10d5391f1df1d80a7
    SHA256
    0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
    SHA512
    e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898