Analysis

  • max time kernel
    99s
  • max time network
    102s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02-07-2024 12:57

General

  • Target

    https://teams.microsoft.com/l/chat/19:[email protected]/conversations?tenantId=f4e2d11c-fae4-453b-b6c0-2964663779aa&lm=deeplink&lmsrc=email&emltid=8751cdaf-ee9a-486b-a509-11eb17bd4870&linkpos=1&emltype=New_Activities&linktype=New_ChatGroupActivity&cmpid=missedActivity

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://teams.microsoft.com/l/chat/19:[email protected]/conversations?tenantId=f4e2d11c-fae4-453b-b6c0-2964663779aa&lm=deeplink&lmsrc=email&emltid=8751cdaf-ee9a-486b-a509-11eb17bd4870&linkpos=1&emltype=New_Activities&linktype=New_ChatGroupActivity&cmpid=missedActivity"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://teams.microsoft.com/l/chat/19:[email protected]/conversations?tenantId=f4e2d11c-fae4-453b-b6c0-2964663779aa&lm=deeplink&lmsrc=email&emltid=8751cdaf-ee9a-486b-a509-11eb17bd4870&linkpos=1&emltype=New_Activities&linktype=New_ChatGroupActivity&cmpid=missedActivity
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.0.2019944841\130573519" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4549330d-4617-46ec-9ef9-243621faddad} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 1760 14b110ec058 gpu
        3⤵
        PID:4168
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.1.1573248809\911253883" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {177dbf53-8532-442d-8b86-b9f44e91ba51} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 2136 14b10fe4058 socket
        3⤵
        PID:4676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.2.750813335\1886217906" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2900 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02477c8-2d0c-4962-b13c-193966bbafef} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 2896 14b14fd2e58 tab
        3⤵
        PID:1028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.3.1900080622\42091911" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d247b9-d65c-4d3b-a0a5-5869c2cb1900} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 3468 14b1650d258 tab
        3⤵
        PID:2272
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.4.667941216\1227224539" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4680 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a35382f8-b20e-4846-9654-5efc9a6fccdd} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 4620 14b17786558 tab
        3⤵
        PID:5000
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.5.1416257318\494002902" -childID 4 -isForBrowser -prefsHandle 4804 -prefMapHandle 4808 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75562e62-bdf3-40f6-9b3e-03e842ce42c0} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 4888 14b17788f58 tab
        3⤵
        PID:2700
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.6.1237128490\2131838844" -childID 5 -isForBrowser -prefsHandle 4688 -prefMapHandle 4796 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {589fe60e-2fd0-4b5f-829f-756c448fe448} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 5024 14b1842ec58 tab
        3⤵
        PID:2912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.7.1057258960\723329769" -childID 6 -isForBrowser -prefsHandle 3668 -prefMapHandle 4120 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08670781-5210-4c25-ade7-71bf3c4bb33f} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 4024 14b198b3958 tab
        3⤵
        PID:3556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.8.28454022\1603615888" -childID 7 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e94845b-a2a8-401b-89ff-95b7b77bc2db} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 5444 14b1aa49258 tab
        3⤵
        PID:3760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3644.9.1639190256\998851819" -childID 8 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1128 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c719793-4a34-4eec-85de-0ec5de05cfa4} 3644 "\\.\pipe\gecko-crash-server-pipe.3644" 5196 14b1aa4b658 tab
        3⤵
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: d13ddcac1589c223d83f8122e4cee892
    SHA1: 366c762fbcf7907ff3c3d66e73bdb07e51ab0525
    SHA256: ca6d8bcc01f8bf819bc3482f6e7e87dfb975d41da5a69c40cebe5b6c4b6e8bb2
    SHA512: b03ebcbca7af2c475d8107ccb13da4b2f7d050d1809f9aa6b2ebdee193dc8ccfa59e724d97c5dc2f8ecbf8ed7e7ce7b3801db6bc28b3dff3c9d5d91571ebadd5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0f936414-b222-441b-9ea7-a01a9c699de9
    Filesize: 10KB
    MD5: edbe8ea3f95fd972ace0127b3681b374
    SHA1: e1d8f51e9ff7bbff3c7489d0bf9e9816bc929069
    SHA256: 3aa12fbc084a4d9b25c51a6356b6c2b2b90220725a7f72f1e060961f68c8fc63
    SHA512: e151bacf41f0e63774e2afccffa4d324620f7abcf8b03d4e1c9fb66b400bac7a44453d954206df5e0870b72865dc9b85c759a66223ccbaa2fd487dc3c6e99d11

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7c35f2fb-202a-4be2-8901-1c2bcc1d8813
    Filesize: 746B
    MD5: 60067ddbc18d96c8240e0a23b90e853b
    SHA1: d4a7d73889674007238e51bc0697b13e9979d908
    SHA256: 3e58b6a7a4ef029a8bcb0693d973d0a3627850642f1c69fd2d0b86fe15306081
    SHA512: 72499da653477c9241b9e1712bc0fd3e377e1aa5b28687a8d3e64e7d3c118567785f6c0386063c94d81f4ea98283e06881cd9cefcc4c9f2ea366ae2927afacc5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
    Filesize: 6KB
    MD5: b87e864caf728eee4518213c548db0c3
    SHA1: d976bbea781724c372d8002059ae5bca2f24b6e1
    SHA256: a5a716e798b18239c5f0e12a7d255298cd618d1dfda7c92bb9c8a083c94109a9
    SHA512: 8b791197f695c6b3f6cf57b964d074902cef6bbdeb9cfc4a20d8390af26ee568bd9bf4981c91ef78581aa58b6afce322cd49aa3c70610d13a22a09d42458db79

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 7aa12dcf283babb2827f053ed96ea234
    SHA1: edef0e6af371fe42f595d2f582e919fc5ca69d50
    SHA256: 6a1be60d80e2015f3189c8b0433db4d0577cbd41590f4727766d662916f5394c
    SHA512: 18f5f3f7611e8a85f619aa16f803b425ae89ec46d9b62d5f7d50285c10955e42876cbc93d841d6d4110e569b51221ce0a8487526097072c02d0d29e4c64ac98b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
    Filesize: 6KB
    MD5: d08aaff00f555040a68660d9b6ca6c86
    SHA1: 6074f8af2407ed5a437340553cec7afb19225e0c
    SHA256: 03d660e2d11d284a2c59ae1925daf52e8367a22665e7cf97fabb46ec6fc79bc6
    SHA512: e3121001cbcf457e8f3593d4e572889cf2f7f360fe27f5d53ce79c7ba56b561f33458dc1ac655af6caf559abb10df0cfa9cfe962fbc40eb699b3328263eab13e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 21KB
    MD5: a4635d731c63561070a0a86551c25949
    SHA1: 8b98fc612ae4b54c3743e57339ca300241298101
    SHA256: 010adfd5bb541220631f945167be40aad4892dbcc8545000ede6ab4d1104ea7a
    SHA512: b78b2d73a4e298de2e96c79221e4da376d0f1268513bf69460c5863fbc6cdb6678b87cabd3961a904a3097cfc3deaf382223e5cfb2cd6a0a714cf76a373cecb7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 9KB
    MD5: 230ff626b4c9814806e722d6f84f5527
    SHA1: 7e317b08e2137e5fb3fb40ec3924f8fedd31ec97
    SHA256: f962a62d5d9df864321de14446085c67d080f60d07f6f433d356406312392f10
    SHA512: f803ea8ce6e5a2ed09a59afa7408490ccefec04ddf54f413b8e615beed8caa486c12a696498ab4e2e5108affe919cb36a57fe6fb95793b56c544c985b38eb1b9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 38KB
    MD5: 8a6d55a0efbb62228185e6c92cdd4ebe
    SHA1: 3e2c65f44c0cad4d1863e969325b13c6930c6812
    SHA256: 6ccb1726a4c2a7c4d108f53829b9172ce87a2dfb8f088774202996e235fbcf8e
    SHA512: c1a132e52cc9f706dd66c46d3d6dc100c1c8680bd32916baabf5f3154c18335c3b0eb120f8c7ee0c74455429536dea0cdbba21aba31e0ecd74ab518f5708af5a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 15KB
    MD5: 9c4cee0c71028a65cd884e22c9c59eca
    SHA1: b9d13e21b7a8d0cc2643c1ca9e44c27e4cf4f99c
    SHA256: ad680748b0590678c84ff87d426a7b59b24935b7caf8a5fc33f0156474c5197d
    SHA512: 901baaf33641e07d584e96843dd8be48d423dbd9dac05f8e8b59663d21794bc6d6302f3f8f4d94385b67d0434572ca65e5907c09cd831409b345510f3ca1f125

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 17KB
    MD5: c5cec31c16d546f94f7b3d255327d0c7
    SHA1: 48e9dd60f6ecab0fb7dd77dd1c45e9f617bd5ce7
    SHA256: 7e3a545b95c3e70b01f234f8b82ae81b7ba764d93ad11e9e3689d281a8252219
    SHA512: 424ddd5029e59cea6fb1cdcd2feadc819171107e2c744882b354682ca8a982959baa636d6d965561f7b11c05b8a57e896fedc04833f49d913c5419cbae48a24b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++teams.microsoft.com\cache\morgue\224\{9bb1d986-7742-4741-997d-63e9858321e0}.tmp
    Filesize: 275B
    MD5: 6640e5bb01d1b158210fb6cba7784d8b
    SHA1: 2df34c7d513ff05cc7277b09ac7d50715dd88e67
    SHA256: 5965b729670ac49de147f771bfcdfd73977debef4f235e2cfa33787684954193
    SHA512: 013cd12beb70082b7a800ccd33a811bc2311b15216e59a8d23919e5de98165fafca956468f5a2cd4cb9a4a99c25ceeb413f03a9a94916c5cfcfb2bcb18e30ba4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++teams.microsoft.com\cache\morgue\59\{b5b73d58-ceab-4798-b95c-794b11015d3b}.tmp
    Filesize: 564B
    MD5: 61e7b05c89240ee4e5922400ecaa1437
    SHA1: 2a812b5be986ab0614c471407dc8b46c68f22df2
    SHA256: 9789268763fade9cce6470ce8497c18b685d538b828fba3c9c8118c82b7651af
    SHA512: a0e824370bdec76e606b636c50cbb137c82a99a89579e80056c93e43fc00ebfbede2453529be73e5f64997137b367be59d126ff7eb228f1c9e11b0d25b24aadd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: acb98d3d4e718735b97cfa91dc502aeb
    SHA1: 169e52e36b0118c591b2c7c4566f7d24bb48a1fe
    SHA256: d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5
    SHA512: a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227