Resubmissions

  • 24-06-2024 12:38
    240624-pt9xkssdkh 10
  • 24-06-2024 12:27
    240624-pmqv5asaqa 10
  • 24-06-2024 12:25
    240624-pl5b5avhmk 1
  • 24-06-2024 12:08
    240624-pbaprsvdlr 8

Analysis

  • max time kernel
    42s
  • max time network
    43s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    24-06-2024 12:25

Errors

Reason
Machine shutdown

General

  • Target

    right-arrow.xml

  • Size

    942B

  • MD5

    082515300dff3450faa8780515be7d49

  • SHA1

    5c26504a54ba6d7c9dd2b4eeb3c2b4232a4af9b1

  • SHA256

    a95a3d988edb17d894e845c6b4055e59ed773bd2d7e10bdea43a9de3bb498100

  • SHA512

    c35a439b2a0232336c821c6bb883936b71d92ef58b1698b605069577fa81bfb444a6b1c40084d6b6585ca4f961b5e3a5bb5fa8c39988dd17a53ebbcef326abc6

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\right-arrow.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:164
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\right-arrow.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:424
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.0.1054478420\1124804240" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23e07361-630e-42d6-9bf2-29268d60c7da} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 1796 28ba2cead58 gpu
        3⤵
          PID:60
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.1.1158699927\1824999929" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d36195-3a76-4bf2-8426-6e2b7e1328ae} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 2152 28b97c70458 socket
          3⤵
            PID:2132
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.2.2112309129\1533503041" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2692 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94038bf2-5be4-4400-9b6e-59d705c962f3} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 3024 28ba6fa0458 tab
            3⤵
              PID:4588
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.3.235729933\436869210" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d5d1e79-436c-4a44-bc4a-276ae5793bc3} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 3488 28b97c5f258 tab
              3⤵
                PID:2492
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.4.1723300149\701384088" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 3780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72f77cf-38d8-4456-8ab3-0dc851288696} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4336 28ba8d7ea58 tab
                3⤵
                  PID:4344
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.5.934747232\1901634182" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4880 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3924e66e-b2f7-4a89-861b-9a1457c7a934} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4924 28ba8685858 tab
                  3⤵
                    PID:2248
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.6.294181499\423523544" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f3895a1-5867-4e41-a9d6-876b5234c12f} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 5064 28ba9539f58 tab
                    3⤵
                      PID:5024
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4252.7.117640317\2143118486" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c70c3c-74f9-4823-a29d-90710afb87c1} 4252 "\\.\pipe\gecko-crash-server-pipe.4252" 4924 28ba9538758 tab
                      3⤵
                        PID:1704
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    471B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    404B

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF82B.tmp
    Filesize
    15KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\004d0617-f08a-44dc-9647-7f83ca73f0c8
    Filesize
    9KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\f4f5884d-01d0-4c03-aa4e-afc684ec2238
    Filesize
    746B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
    Filesize
    6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    1KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
    Filesize
    855B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    184KB

  • memory/164-6-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-7-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-15-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-14-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-13-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-12-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-16-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-10-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-9-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-11-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-8-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-0-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-5-0x00007FF9FB7C0000-0x00007FF9FB99B000-memory.dmp
    Filesize
    1.9MB

  • memory/164-4-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-3-0x00007FF9FB865000-0x00007FF9FB866000-memory.dmp
    Filesize
    4KB

  • memory/164-2-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB

  • memory/164-1-0x00007FF9BB850000-0x00007FF9BB860000-memory.dmp
    Filesize
    64KB