Analysis

  • max time kernel
    159s
  • max time network
    160s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30-06-2024 09:13

General

  • Target

    rs1.php

  • Size

    98B

  • MD5

    cd79b7386e0833ee3bcec5b2408f0ea9

  • SHA1

    ee22de898e1bd8772d881169d3812a1224825883

  • SHA256

    ceba7f1b4b52ba06721337dd9d4b3789b95459c5a0ca3facee1faf6b0f79efd8

  • SHA512

    c3b527716669e50d9a90dfd0b06f62abce2da87d74e21758137c596525a0cad4a1215f52c65925bc935e6272488767eb03b16e2a4f6b1ebcfa40b8e0047e02c1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\rs1.php
    1⤵
    • Modifies registry class
    PID:3360
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\rs1.php"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\rs1.php
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.0.57064210\425373890" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {031bcffa-a462-49fe-ba0b-c55b0eb148b2} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 1684 1f648d31d58 gpu
          4⤵
            PID:464
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.1.956829829\923427450" -parentBuildID 20230214051806 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36f1f91-7b89-4ec7-ae94-8260fd68a79c} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2368 1f63c089f58 socket
            4⤵
              PID:2320
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.2.139031690\705831550" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 2852 -prefsLen 23028 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebfc4d17-5abc-45a7-a1a4-75c5909d2b6a} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2880 1f64bb41558 tab
              4⤵
                PID:1084
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.3.167853861\831763699" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3412 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f83546d3-9b15-45cb-9ff9-8f505022b631} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 920 1f64e23e558 tab
                4⤵
                  PID:1436
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.4.998589257\68981394" -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 5124 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4fdfb2-60c1-4ab6-8cc8-db47e57cc2a5} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5248 1f64fb9e458 tab
                  4⤵
                    PID:3548
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.5.246011188\1840902447" -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4113cb38-e1ed-445a-9028-18269f97dff4} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5376 1f650220958 tab
                    4⤵
                      PID:1016
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.6.710807036\725535015" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {719db7d7-478f-43cd-908a-3e5c414df910} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 5568 1f651115058 tab
                      4⤵
                        PID:3316
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.7.1222097200\2106099660" -childID 6 -isForBrowser -prefsHandle 3232 -prefMapHandle 2880 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f913c5-7d07-4404-892a-5921ea3145e2} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2804 1f6492aab58 tab
                        4⤵
                          PID:3280
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.8.890016393\897646752" -childID 7 -isForBrowser -prefsHandle 2812 -prefMapHandle 2512 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a4d5af1-efca-48b5-9607-05e70b5102d3} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2680 1f64fc3a358 tab
                          4⤵
                            PID:2260
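The Signatures list and the process tree above are what let a reader judge where the score comes from: only cmd.exe (PID 3360) ran the sample's command line, while every API-based signature is raised by OpenWith.exe or by the firefox.exe chain that the Open With dialog launched, and two signatures (storage enumeration, Task Scheduler COM API) have no PID attributed to them in the tree at all. The script below is an added example, not the sandbox's own code or part of the original report. The process records and signature names are transcribed from the tree and Signatures list above; the set of helper images, the attribution rule and all function names are this example's own assumptions.

```python
"""Attribute sandbox signatures to the processes that raised them.

Added example (not the sandbox's code). Process records are transcribed from
the report's process tree: (pid, parent pid or None for a tree root, image
path, signatures listed under that process). Treating the browser and the
Open With dialog as helper images is an assumption of this example.
"""
import os
from collections import defaultdict

# Assumption: these images are helpers the sample was handed to, not the sample.
HELPER_IMAGES = {"firefox.exe", "openwith.exe"}

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

PROCESSES = [
    (3360, None, r"C:\Windows\system32\cmd.exe", ["Modifies registry class"]),
    (1240, None, r"C:\Windows\system32\OpenWith.exe", [
        "Modifies registry class",
        "Suspicious behavior: GetForegroundWindowSpam",
        "Suspicious use of SetWindowsHookEx",
        "Suspicious use of WriteProcessMemory",
    ]),
    (4640, 1240, FIREFOX, ["Suspicious use of WriteProcessMemory"]),
    (4088, 4640, FIREFOX, [
        "Checks processor information in registry",
        "Modifies registry class",
        "Suspicious use of AdjustPrivilegeToken",
        "Suspicious use of FindShellTrayWindow",
        "Suspicious use of SendNotifyMessage",
        "Suspicious use of SetWindowsHookEx",
        "Suspicious use of WriteProcessMemory",
    ]),
] + [  # Firefox content processes (gpu, socket, tabs): no signatures listed.
    (pid, 4088, FIREFOX, [])
    for pid in (464, 2320, 1084, 1436, 3548, 1016, 3316, 3280, 2260)
]

# Signature names as they appear in the report's Signatures section.
REPORT_SIGNATURES = [
    "Enumerates physical storage devices",
    "Checks processor information in registry",
    "Modifies registry class",
    "Suspicious behavior: GetForegroundWindowSpam",
    "Suspicious use of AdjustPrivilegeToken",
    "Suspicious use of FindShellTrayWindow",
    "Suspicious use of SendNotifyMessage",
    "Suspicious use of SetWindowsHookEx",
    "Suspicious use of WriteProcessMemory",
    "Uses Task Scheduler COM API",
]


def image_name(path):
    """Basename of a Windows image path, lower-cased, independent of host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def signature_sources(processes=PROCESSES):
    """Map each signature to the sorted PIDs in the tree that raised it."""
    out = defaultdict(set)
    for pid, _parent, _image, sigs in processes:
        for sig in sigs:
            out[sig].add(pid)
    return {sig: sorted(pids) for sig, pids in out.items()}


def split_by_origin(processes=PROCESSES, helper_images=HELPER_IMAGES):
    """Return (sample_signatures, helper_only_signatures).

    A signature is helper-only when every process that raised it is a helper
    image; anything raised by another image is attributed to the sample.
    """
    images_by_sig = defaultdict(set)
    for _pid, _parent, image, sigs in processes:
        for sig in sigs:
            images_by_sig[sig].add(image_name(image))
    sample = {s for s, imgs in images_by_sig.items() if not imgs <= helper_images}
    return sample, set(images_by_sig) - sample


def unattributed(report_sigs=REPORT_SIGNATURES, processes=PROCESSES):
    """Signatures listed in the summary but not attached to any PID in the tree."""
    seen = set(signature_sources(processes))
    return [s for s in report_sigs if s not in seen]


def roots(processes=PROCESSES):
    return [pid for pid, parent, _i, _s in processes if parent is None]


def descendants(pid, processes=PROCESSES):
    """All PIDs below `pid` in the tree, sorted."""
    found, stack = [], [pid]
    while stack:
        cur = stack.pop()
        kids = [p for p, parent, _i, _s in processes if parent == cur]
        found.extend(kids)
        stack.extend(kids)
    return sorted(found)


if __name__ == "__main__":
    sample, helper_only = split_by_origin()
    print("roots:", roots())
    print("sample-attributed:", sorted(sample))
    print("helper-only:", sorted(helper_only))
    print("not attributed to any PID:", unattributed())
    print("children of cmd.exe 3360:", descendants(3360))
```

Run against this report the script attributes only "Modifies registry class" to the sample's cmd.exe, classifies the other seven process-level signatures as browser or Open With dialog noise, and reports the two TTP-only signatures as unattributed, which is the check a triager wants before treating a 3/10 score on a 98-byte .php file as evidence of anything.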

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7n4npafm.default-release\activity-stream.discovery_stream.json.tmp

                      Filesize

                      35KB

                      MD5

                      465aa614ec04c98732833179bfa23819

                      SHA1

                      6734f0c64ac33b16236a3a35363e708aa1cd1098

                      SHA256

                      1cccdea33604f646060071aa280ab972a2826bb6ed02b3b77719a2b8ad230ed1

                      SHA512

                      f25ecfd8c77f13664a95b5107a35e608c42c081f95b97cf812da967e4da45faea161f0f79e577edefb215c5fdda2839249e78830822a9bd25dfe4a9fd2483098

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7n4npafm.default-release\cache2\entries\303599AEF1510A4F8A5E2AE7E1B200BB5FAC07ED

                      Filesize

                      40KB

                      MD5

                      12f3484be0ca62803dd2b3cc14429ddd

                      SHA1

                      b08d32f8d5c589c217e936e04956d12ffe317006

                      SHA256

                      6d2163d5554e17b94dc23e6fa4ddebfc4540a73e253468678bf5f0dca8010485

                      SHA512

                      739120b5aec1e3101ce8076eda60a885691f1e6327eee601eb67f900ea5586f9ab97caaf72327f997cccb6852e255c524567d406eb0ec3b607b0f53e4396d54a

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7n4npafm.default-release\cache2\entries\E68C845991E664E3FCFDDA0D59B817A2A102F220

                      Filesize

                      15KB

                      MD5

                      a705ef6bce892a44ad4044f6d3d7c4c8

                      SHA1

                      61308da4b840999e343f12c399dca534461b37af

                      SHA256

                      1983cacfe2d9d906ed2f586b083d4c969765ab80f3b442d9ba98fc5a5bac29aa

                      SHA512

                      a9a31303073e598b1926271a26138e6f1471b5ade2834c6cfb36f6f47cbf9c30c899217ca969c2310e396ac5292d27bef171288e4dc5ccefc01f7407ef9829d3

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\prefs-1.js

                      Filesize

                      7KB

                      MD5

                      ed411bb6bb645883805d46958caf9efa

                      SHA1

                      9748b6f57a666f86a2ee77e508ed49760770f318

                      SHA256

                      da8a42b12a0ef6acbb22afe915efe67136d59ded9d68186b6133e62f13553bd0

                      SHA512

                      11d162076bd77cdbda5aff2dfb1deaf661c28562e7aa8675deae3350276560261b6e8275f6f0b78137d63d8502a51e2b37a9a5fef2ea01ca5d34509529d53459

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\prefs-1.js

                      Filesize

                      7KB

                      MD5

                      c530f79f2b77a53aafc12e3596c5c5ca

                      SHA1

                      0c2c5f589437da5b100d192d5ed632ae75f3a083

                      SHA256

                      a36fada42622c56ec66968c39d997176976ea3aafc89fc993b122ea279485158

                      SHA512

                      bdd3ede2c063458d21e962aa691741d35e3441b1238b4df6112b779a060dde0e769e82a20b329a1edbedf3eecb702ffa70db439bb163a0782948324a0f43afdb

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      3KB

                      MD5

                      7d620c358abcca2412a1bd76034d4e04

                      SHA1

                      158b5a582e6b044253d89267bf80701103566464

                      SHA256

                      2548160abc3e6bdabeaa984e0291f514a12c51de5ca98ff59a46601a03d635e0

                      SHA512

                      e2dab6dbfca87f3c348271a3c53d9af27a227a9c8d47a03ebcdc9fa190d569a858c589f276ea257e90265baf7d10d940b144c8ce75d2cb23af509f66972ba4c7

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      1KB

                      MD5

                      dac4bbc664490606c8c505d65c555054

                      SHA1

                      fb982ff9fb5a499ccc36bf5fef650958e35186fc

                      SHA256

                      fb8fe68ccc9d608bb84e770713a7d9a9370db045f810de9c31dad15fdf2c2c91

                      SHA512

                      aac6a3005984fa918038338aac01151b7e1c25eb1d2582063b24b932f35b9d8091cf9e95af1e09ec204d9a4747b69b6998bb481975eb64aa0fddeaee0c668287

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      4KB

                      MD5

                      80d036cfc69d62a3152af65e011346c6

                      SHA1

                      afd13ea5e78a85a82605baf8f05cdb215ce05fae

                      SHA256

                      7086d2fe7d528ba6b1f5e3c45aad37211df6d5d1cd82173ebc8cbaa919bd8c5e

                      SHA512

                      2f4a7fe9f94651c94addb32d0e9fe70bfc06a6d47c0a67392a7e4ec3a615ab67986cb470f4e5cd4112dc9e128ee6faa323df016af6dd11fd660c4b774795cd39

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      3KB

                      MD5

                      6b1805674bfec6c8d11a741299519379

                      SHA1

                      ec5581a55c20e5f3576fb121bd6467ec5c662cf8

                      SHA256

                      7c887d9ebf045b9f22d90cf791c787a05edb20b03d49681aaded2faac1f62d2a

                      SHA512

                      77c86f0d6df0fa648888b3a799589bf511fa629a0ee2593aa6dc044c6f37504f54776ad519b875c2fc77dd42c4f18ab5eea4a39eb52e43532697a8f3e9478d37

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      4KB

                      MD5

                      014bb1ece62bc3f8f8b976b3a4147363

                      SHA1

                      3a039b9a1ccd0d90a4413f483bb34d159be8f57a

                      SHA256

                      ea4cadd26e0036174836870ece1a5932779c427ac8ab2e5e35e300654a3f939f

                      SHA512

                      270c05aecc7b886b04373d8146663287b3145181340e943b69fdcea0814d724031d5f653c779572cce08353d06587a44a76bf913b04db0a1ffb26f0279017765

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      4KB

                      MD5

                      5afc66b20b7496ff21e5f7fd04177cd1

                      SHA1

                      98f10c99cea8f117842c04d58925305a75606371

                      SHA256

                      e57a38b19530b160a96b76fd90f36940a37332f1783850e901f59982dc5c6d16

                      SHA512

                      676fc931b678160306a04c909f2992da0c3cacfd81a6f1456ef5f89b5a239ce7c2a95b117f1fc63931294c944ed21b13fed6b07c15ef83b6e1d994921094a857