67edf175321f92df454c58fc64babaf1905a2843b0fe7105a3d5c6146c0e9898

Resubmissions

26-07-2024 09:06

240726-k2ts4ssbnb 10

20-06-2024 20:05

240620-yts4havhph 10

Analysis

max time kernel
1778s
max time network
1778s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlobalProtect64/.install4j/i4j_extf_6_7caten.html
Size

532B
MD5

461873fe67aca4fd4ab23bf0b38b6473
SHA1

abbd5c231806b0cfc8d1d0c86aa3e8675692a86b
SHA256

d16fec6375adf17ab7ecfc384139dbe676182fdbd53f92d84179a4d41e19affc
SHA512

9d71fe4cdeb4a37754c57ed1ec3f5b2338c187216adf7e7b538573b18c579521df1918716f4fa336a835b06c1e9cb32c913de07a8d991acdbde7112ac9b255ea

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2132 firefox.exe
Token: SeDebugPrivilege 2132 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2132 firefox.exe
2132 firefox.exe
2132 firefox.exe
2132 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2132 firefox.exe
2132 firefox.exe
2132 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe

pid	process
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe

pid	process
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 2132	2056	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2832	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2832	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2832	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 2664	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 1984	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 1984	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 1984	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 1984	2132	firefox.exe	firefox.exe
PID 2132 wrote to memory of 1984	2132	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\GlobalProtect64\.install4j\i4j_extf_6_7caten.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\GlobalProtect64\.install4j\i4j_extf_6_7caten.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.0.788417924\1942050607" -parentBuildID 20221007134813 -prefsHandle 1296 -prefMapHandle 1288 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cca0f9f-8c46-4435-8d23-452395897d34} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 1360 117ee158 gpu
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.1.2043780942\762416291" -parentBuildID 20221007134813 -prefsHandle 1548 -prefMapHandle 1544 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eece79d-a8e5-4063-98da-1522b1c1ff0b} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 1560 e72858 socket
    3⤵
    PID:2664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.2.261942253\1237747030" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06139753-71fd-4fc0-9228-f6f233f6b78f} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 2244 18ad9758 tab
    3⤵
    PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.3.1544469780\1216378965" -childID 2 -isForBrowser -prefsHandle 2836 -prefMapHandle 2832 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5a2f98-1309-4908-abf7-cad1fdc3387b} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 2848 e62858 tab
    3⤵
    PID:2168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.4.1513823927\2145573042" -childID 3 -isForBrowser -prefsHandle 3488 -prefMapHandle 3620 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6075cca6-f873-446e-a4d7-2d58753098eb} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3624 1cf17a58 tab
    3⤵
    PID:1088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.5.2070870875\885103619" -childID 4 -isForBrowser -prefsHandle 3748 -prefMapHandle 3752 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00fd225d-4387-486a-849b-0fb1db79166b} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3736 1ec71458 tab
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2132.6.1682539222\315939323" -childID 5 -isForBrowser -prefsHandle 3736 -prefMapHandle 3920 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 920 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8a948a0-aad7-49b3-8220-0153fad95c0f} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" 3908 1ec72958 tab
    3⤵
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uu0g08su.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
a6feb1e7cc00225efb160103fb3a8719

SHA1
723fe4fb64770ef44e010f3c9cfe51d81d1b5829

SHA256
0c3f5339428aac649154723a1c156aab38e1a584adc03e502c82286e3d8d4139

SHA512
87e2e537fbce8bf0d40ffc389c41e1b5f396e655d2d2006a7361790a2c8465382177213afe5dfa599fd42c320fcd0da46c52993c7808efe359a57558d2c5cb11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uu0g08su.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
16KB

MD5
a32b572d938e8213def0bcf77755ff67

SHA1
64985a322b982dade5900af92675fbe5e65b3a79

SHA256
c0b0cc5707a40eafead693dae40a00c6fca6387d88040b99bad92cd1c9b22848

SHA512
c5127fafcaafc60c4472f85c91833b9dc3862d3fb856a938435d5696d5f9b357c5dff8155f7a3cf504335621c23d9ec49eb956ae2436fb02b01aa885474dddd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
988a18d089899d525a6182934921bda3

SHA1
e265fd06d2975c5b8985e95f64ebea841a2c6379

SHA256
72aa68e33c6e1168e2284fea63e35f71411be598102dac20f59dc80a48d23e1d

SHA512
d6da926e9bc8e0bf4b36a449e69ba7e69bedaad1958c4ac2468facc00b1b355af7be7a13bdd01daba5d7e187becfc60fd0d2504de868f7ca989da9c030e7865b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\bookmarkbackups\bookmarks-2024-06-20_11_oEUF5pt2HOrIENROg8vkqw==.jsonlz4

Filesize
964B

MD5
b996bbbec2708dfc0a5caddf1dc95ddc

SHA1
d5f391f2f0b435d186bce31db9fc8cf4053ff08d

SHA256
98b35792f9757848f66b2637dc31f89292a60df5c4ba311392620a4809209a0e

SHA512
2f967732f83c512a3dbeaaa194f3882eebd8891e2f69d186fb2e47bc8512352eca830c244c4e3e0e08b28809d5d2e9d409dd65f34a93254c11c7c7f3e16281e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
675db8f1932e124523042a8dcd96e29c

SHA1
1cb6ecfca210a3da2e23655d558066a040bb9d00

SHA256
bea75ad40e2407371f25caac743e968c10cba2012ca00a4bc55b4b505f82d4ba

SHA512
e47f14ac82739a58267de27b0d2c0a3acd051090be819a0eda98e12e912d7483869bf86b975a6a56b0eebb23102ff47ba3fb9d4bb571dfd207ef6b4620e3bf68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\6f4e17c0-a07c-4161-9895-cad5acd5c93b

Filesize
11KB

MD5
c0a441d8c49f511df35e4943db9c5ce9

SHA1
ff18e60ab6353e62cb2b16a3d80ae10e41c10462

SHA256
699764ef2b77b4441057d961d2b480cb0457a1ace55d3d8428b1927149d10e46

SHA512
371fad57b76af6de277a9c3fbd892303492e5fea1576e46e328ec3aff2b21413277cdfff6966f6d55392253a2e91bf4603d55f37125c5a0cc4e31fcf2d27d297

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\d19e9b69-d840-4be7-973f-2df073b5faa9

Filesize
745B

MD5
337e1afb262ba5749aa8865a518ef900

SHA1
cdc8cab10bbab492243bcdd1f277885a1fe19261

SHA256
f7993768bb290fc0e9dcb754ab0090ad2e4b03d97bb6c92928f19497be5fbd05

SHA512
6cf5b5d4f9e05d2b88e2c17865ea81221bd7e1e519075611e5d4f806ba44c0b1c22132a0cffd91640e50933429966407e34cba291d0767174e47dc2a4dbab5b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js

Filesize
7KB

MD5
7ea4408b5db0887005bd567b5c0fe972

SHA1
9fbfd83ebae9cb49308743c29f9e8311a60f20aa

SHA256
93dada11f8aa4baaffcb2e1620126c38e0a9d7f36f0f54ca68324c020b8f8599

SHA512
29c47e5a55ccbf673f211f0e24fd099dde4761799010f58fdffbf1705f2a1222c778da7d76e11b465569ad37c29c665c265f2b21d0d4fb29aa228f13c01c22b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js

Filesize
7KB

MD5
3e625f184b20acbe201be413eedad236

SHA1
dcaafaabf51deaceb86ca1de237cae78791e27a4

SHA256
f2f6f4e16792a90e248f6bb37999b4d491e0c64bef0c2a165115370a6c804a70

SHA512
acfe0d5cfa94586406bad39cb1d9fb022345d13866b546ff4258588446f9913f62b164e0e6e076942705dc130ec3489a71089797b8eeb70968e5e282c5dea6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
52a744dec8adee849fda5d8b70ae7057

SHA1
c8e68f15af3eb4401e69bac80e64e1e2d7d9c24e

SHA256
eed3044492db14f504d698585873a4a91933fa14f5cd068401008eec6b70ba1b

SHA512
784f388d20e0df4a3ef0950a5999a1adbe95fc6e8ea1ad9e2306429937d366318fb88df44a4f732cd5b97281a7dc5306f5c17b7b606fecdb095930698c62a946

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\targeting.snapshot.json

Filesize
4KB

MD5
6fea19a9e3ba4cea7d44f76d719bbe88

SHA1
3253c7c36d06de3145fc2484c42002efce617368

SHA256
c8da8bb9226521bee20cb11d16f4e035d1c5719f5a09794393916f03779613e5

SHA512
da6eced5ff85a6cab84fbaa5284b1f251baab5953d635555b4183db6ce9206a60af78234f356d6de0177eafff6e50764c167911af6c9a6be30787fad6d0326cb

Download Submit