Analysis

  • max time kernel
    20s
  • max time network
    23s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    29-06-2024 11:23

General

  • Target

    qr.png

  • Size

    17KB

  • MD5

    9f60d430dc6b28306d76e2554edfa870

  • SHA1

    f8c05d86527b4eebf50e71ef7118670ca5a1bde0

  • SHA256

    ee61bea11d22057f4adb3880846d3acf3421f89faee5ada99a32caf6dd9dbbbf

  • SHA512

    34c2881dbf20bebd67312eb5c883a8e3bcf78b606463eb86e53f79e0db998166464a7a38c9c6be61a5fb67b67d8e280968370a16143acbea31c1cf4d488d7746

  • SSDEEP

    384:977shBk1BSEAZ0wbeebHzVkOHN9tmZeup8n4zWlq3b6qZH3:97SmP5wbeckOt9G1iLOuqp3

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\qr.png
    1⤵
      PID:2348
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.0.1183386740\1144880064" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd98da6-5d9a-4936-a495-3bee91bf4daf} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 1776 22cc45f6b58 gpu
          3⤵
            PID:4896
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.1.825332490\1903247571" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9197c-b3bf-4533-98cb-a58fb0d30ddd} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2132 22cc4131758 socket
            3⤵
              PID:4680
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.2.1726508041\2133992152" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2832 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {246de0b7-dadc-40aa-a25c-26acb7c51218} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2644 22cc889f358 tab
              3⤵
                PID:4832
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.3.570603429\1725436924" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {717c8def-20fa-4d56-bc63-dbe323a21454} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 3496 22cc953d558 tab
                3⤵
                  PID:444
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.4.535595940\1269588763" -childID 3 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4929e758-7344-46fc-9ada-401e177650fe} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 4160 22cca8ed258 tab
                  3⤵
                    PID:692
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.5.1367378012\1917703934" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb7cdb24-eca3-4f51-bf96-d34c6fd977b0} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 4952 22cb2260758 tab
                    3⤵
                      PID:1744
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.6.116256794\1255523935" -childID 5 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb332932-3dc6-4af6-b22b-3e06e4502921} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 5076 22ccac5a858 tab
                      3⤵
                        PID:4468
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.7.1727090958\1386789234" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ac5ecf7-9d24-4ef4-9c50-49b4316f8e51} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 5268 22ccb236758 tab
                        3⤵
                          PID:4516
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.8.1413554477\284461827" -childID 7 -isForBrowser -prefsHandle 4388 -prefMapHandle 5116 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b03871e-e705-4db5-9b08-0f3d2f668ecc} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 5596 22ccc585b58 tab
                          3⤵
                            PID:4512
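
`cmd /c` on a .png does not execute the file; it hands it to whatever handler is registered for the extension, which on this image is firefox.exe. Every signature listed above is attributed to PID 4780 or its children, so the registry reads, hooks and WriteProcessMemory calls are observed inside the Firefox tree, and the tree itself is the thing to check. As the command lines show, each `-contentproc` child names its broker twice, in the `--channel` prefix and in the `gecko-crash-server-pipe.<pid>` name, and the tab processes carry `-isForBrowser`. The following is an added Python example, not part of the report or of Mozilla's code: it parses those command lines and flags a content process whose two broker references disagree or point at a PID that is not a listed firefox.exe. The command lines are copied from the tree above (the two plain firefox.exe entries and three of the nine content processes); the mismatched line used in the self-test is constructed.

```python
import re
from collections import Counter

# Command lines copied from the report's process tree: firefox.exe 4972, its
# child 4780 (the broker the content processes reference), and three of 4780's
# nine -contentproc children (gpu, socket, and the first tab).
FIREFOX_PROCS = [
    (4972, r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (4780, r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (4896, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.0.1183386740\1144880064" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd98da6-5d9a-4936-a495-3bee91bf4daf} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 1776 22cc45f6b58 gpu'),
    (4680, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.1.825332490\1903247571" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9197c-b3bf-4533-98cb-a58fb0d30ddd} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2132 22cc4131758 socket'),
    (4832, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4780.2.1726508041\2133992152" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2832 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {246de0b7-dadc-40aa-a25c-26acb7c51218} 4780 "\\.\pipe\gecko-crash-server-pipe.4780" 2644 22cc889f358 tab'),
]

CHANNEL = re.compile(r'--channel="(\d+)\.(\d+)\.\d+\\\d+"')   # <broker pid>.<index>.<random>\<random>
CRASH_PIPE = re.compile(r'gecko-crash-server-pipe\.(\d+)"')    # \\.\pipe\gecko-crash-server-pipe.<broker pid>
CHILD_ID = re.compile(r'-childID (\d+)')


def parse_proc(pid: int, cmdline: str) -> dict:
    """Extract the fields a content process uses to find its broker."""
    if "-contentproc" not in cmdline:
        return {"pid": pid, "kind": "broker"}
    chan, pipe = CHANNEL.search(cmdline), CRASH_PIPE.search(cmdline)
    if not chan or not pipe:
        raise ValueError(f"pid {pid}: -contentproc without --channel or crash pipe")
    child = CHILD_ID.search(cmdline)
    return {
        "pid": pid,
        "kind": "content",
        "role": cmdline.rsplit(None, 1)[-1],          # last token: gpu, socket, tab
        "channel_parent": int(chan.group(1)),
        "channel_index": int(chan.group(2)),
        "pipe_parent": int(pipe.group(1)),
        "child_id": int(child.group(1)) if child else None,
        "is_for_browser": "-isForBrowser" in cmdline,
        "win32k_locked_down": "-win32kLockedDown" in cmdline,
    }


def audit_tree(procs) -> dict:
    """Count content-process roles and flag broker references that do not line up."""
    parsed = [parse_proc(pid, cmd) for pid, cmd in procs]
    brokers = {p["pid"] for p in parsed if p["kind"] == "broker"}
    findings = []
    for p in parsed:
        if p["kind"] != "content":
            continue
        if p["channel_parent"] != p["pipe_parent"]:
            findings.append(f"pid {p['pid']}: --channel names broker {p['channel_parent']} "
                            f"but crash pipe names {p['pipe_parent']}")
        if p["channel_parent"] not in brokers:
            findings.append(f"pid {p['pid']}: broker {p['channel_parent']} is not a listed firefox.exe")
        if p["role"] == "tab" and not p["is_for_browser"]:
            findings.append(f"pid {p['pid']}: tab process without -isForBrowser")
    roles = Counter(p["role"] for p in parsed if p["kind"] == "content")
    return {"brokers": sorted(brokers), "roles": dict(roles), "findings": findings}


if __name__ == "__main__":
    for key, value in audit_tree(FIREFOX_PROCS).items():
        print(f"{key}: {value}")
```

On the report's own lines the audit returns no findings and one process per role; feeding it the full tree gives gpu, socket and seven tabs, all referencing 4780. A finding does not prove injection (a tree can be captured mid-launch), but a content process whose crash pipe names a PID that is not a firefox.exe broker is worth pulling the memory of before trusting a 3/10 score.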

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
    Filesize 2KB
    MD5 9d2e6b66ce77475d6f8fef1d30dbe36b
    SHA1 c35f4a24ea7c50e65e3d4e572f76224316fb0af9
    SHA256 db2180d7ec124e47a6043724d5d9977125371165dc6d77ab40da36ae554d35bb
    SHA512 3e18739212478f3386ee0d9c59e67569caf5dc3a9b16085ffe52804df9df3b12917d6d225d778a306ac3203b3bd4b27141b955433938ee632678b2c5e93d6fe8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\78a67d08-5f3d-4b9d-94e8-ae0116f6d266
    Filesize 746B
    MD5 085506a08ead445585c4cc3c41c9217c
    SHA1 08417d9cf4bddcc07424c590dd55a65b5219a7a0
    SHA256 f1d1ac78bcb93eb7432a8e4ba4fd0d11fbcca7e7fd7dbc6afeb0851b19499a7d
    SHA512 d8fa908cfb27d8d6fa8975863f518b9f50b0227a6e5ee8e15354646789ea9babaac82216695e938de8c2d000c6ff847438209365b4286adaaaba0c3b9c006c40

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\c90c6e28-8fb5-407c-ad81-a6efaea71723
    Filesize 10KB
    MD5 005fd220754aa602a9a42adfcfc49cb8
    SHA1 84ca8378308e4d3e34df2b8dc08f1417f7021d57
    SHA256 6e13eaad8e1158b33b77c0384991c07a51f00100d927606bbcd179f6e7137154
    SHA512 0cea696089a7fb6e7eb5036dc09948d0c51c6430afe58ae8067e6fbef38c98a52f548aca0cbd3ebc84aab711e409f62c457ce099eb674cfeb19290e4d43a8324

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
    Filesize 6KB
    MD5 e77d33c68c849945b7cb34b3189dec1d
    SHA1 701ca7eef86348f42667f7b456a8a085fd192b3e
    SHA256 389c94eae9b644e48fae41dfcf6a2d84767e5a48aa07623e5a26ff82168c2a8c
    SHA512 cb43e221b5d56eab6f24a1edf4c682e3cba0b85cb6bc0dc871f16649d722ec3d122a1e9ef567c6293721e01187a6d021f8316961080a506ccd69cd7e87d43160

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 3KB
    MD5 fe2dff2b140473371f8d703649e7c53f
    SHA1 409a732aaf856b2061c86c712abf45deef9f53be
    SHA256 1e2f9cb521af0f037a8c86c7a60b02232affea3a3358b698c349e632f55963d0
    SHA512 08464f7cdac86ad04ea13bcdce702046e51c9f182808b84f67a9e7dd0f29428d751ad2bb6486fe8e7235c6b50033f7391db227e23ce468705df69acebe0a6530

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize 184KB
    MD5 0ed2663971e8051b2bcb574926400fa8
    SHA1 467756bf41c377bdb07c8be10d5391f1df1d80a7
    SHA256 0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
    SHA512 e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898