Analysis

  • max time kernel
    599s
  • max time network
    595s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-07-2024 13:16

General

  • Target
    image.png
  • Size
    7KB
  • MD5
    8a5d9ed2e28fbd931a184e41c1bfc448
  • SHA1
    656d42a076e16b272e98b0fdef7cfc97ab5ac007
  • SHA256
    92d59f918083649917c9e4d5cc01ac75f7527dd55e5adbb4dcea3f72e5d11daa
  • SHA512
    1bc48370209ddca6aa3ee4e2308a9a8d7e6943b0d206d8b18504c5e5c68e450668b6fc835f2594eec883c7413375209f38446856e4e9eb588ebd7ee8aaa50a97
  • SSDEEP
    192:SzG/fIsAVahNR5rwQK+wetFt1Lzi5+CnxQ032zD:SzgEaffNc+1L4vxQ0YD

Score
3/10

Malware Config

Signatures

Every signature that the Processes tree below attributes to a process lands on firefox.exe (PIDs 1684 and 2280), the application launched to handle image.png; cmd.exe, the process that ran the submitted file, triggered none of them. The 3/10 score reflects that: the hits are ordinary browser behaviour, not behaviour of the sample itself.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\image.png
    1⤵
    PID:2156
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.0.1541112203\951462454" -parentBuildID 20230214051806 -prefsHandle 1796 -prefMapHandle 1788 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85357b14-43f5-4155-ae86-6aa52060a793} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 1884 18e12b0e458 gpu
        3⤵
        PID:4220
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.1.113537402\1102067370" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2b3c914-b4a3-4f9f-8eca-8264400ded90} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 2452 18e05c88758 socket
        3⤵
        PID:4544
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.2.272590063\1896889927" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 2624 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73338b3b-f509-4eaf-9a49-e7b5e13e9bc1} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 2644 18e154dbe58 tab
        3⤵
        PID:884
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.3.1526302223\1801208717" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff43e98-a46c-451a-8a14-18db42158abe} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 3680 18e17989f58 tab
        3⤵
        PID:2436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.4.191736498\234629926" -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5216 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c01d4c4d-da57-4add-b63d-699295c74567} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 5256 18e1a178b58 tab
        3⤵
        PID:4660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.5.786027180\2109714199" -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f576d9-6348-4483-8de5-f4e1c827ca88} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 5484 18e1a177358 tab
        3⤵
        PID:436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.6.828784955\551054865" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5384 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f4ccd7a-c6fa-4228-895f-f8df51b842eb} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 5372 18e1a177f58 tab
        3⤵
        PID:416
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.7.1543753920\467777786" -childID 6 -isForBrowser -prefsHandle 4744 -prefMapHandle 1580 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd25a1e3-a87a-4898-ab6e-a3e3bc935239} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 5960 18e1b6a7058 tab
        3⤵
        PID:2880
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.8.330435999\1967877913" -parentBuildID 20230214051806 -prefsHandle 6276 -prefMapHandle 6272 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94f85b85-1191-4e67-b0c5-adfd7eb1c6a7} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 6300 18e1bbcaf58 rdd
        3⤵
        PID:5116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.9.1996228259\160741053" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6288 -prefMapHandle 6284 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2a0720-cdb9-4a1d-ae74-9ce8547f0479} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 6320 18e1bbcb258 utility
        3⤵
        PID:1244
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.10.1398598035\1927031705" -childID 7 -isForBrowser -prefsHandle 6216 -prefMapHandle 6592 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {888cfa6f-271f-43d3-9800-7fdace29fc18} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 6628 18e1b953058 tab
        3⤵
        PID:3948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.11.727578408\357652230" -childID 8 -isForBrowser -prefsHandle 6244 -prefMapHandle 6240 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8921f8dd-c28f-4283-ae7e-f49779854361} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 6172 18e1a771658 tab
        3⤵
        PID:2800
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4872
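The tree above is only useful if the reader can tell which process each signature fired on. As an added example (not part of the sandbox report or the sandbox vendor's tooling), the Python below parses a process tree in this page's layout, rebuilds parent/child links from the depth markers (N⤵), and maps every signature to the PIDs that triggered it. The layout rules it relies on (a bullet followed by a drive path opens a process, any other bullet is a signature, a bare "N⤵" line is the depth, "PID:N" is the pid) are assumptions derived from this page, not a documented report format, and the embedded input is an abbreviated copy of the tree above with most content processes dropped and their command lines shortened.

```python
"""Parse a sandbox process tree (layout as on this page) and attribute each
signature hit to the PID it fired on.  Added example; the layout rules are
assumptions taken from the page, not a documented report format."""
import re
from dataclasses import dataclass, field

# Constructed input: abbreviated copy of the Processes tree above (most
# Firefox content processes omitted, their command lines shortened).
REPORT = r"""
• C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\image.png
  1⤵
  PID:2156
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:1684
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -childID 1 -isForBrowser tab
      3⤵
      PID:884
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:4872
"""

PROC_RE = re.compile(r"^•\s+([A-Za-z]:\\.+\.exe)$")   # bullet + image path opens a process
DEPTH_RE = re.compile(r"^(\d+)⤵$")                    # tree depth marker
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Process:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    signatures: list = field(default_factory=list)
    children: list = field(default_factory=list, repr=False)
    parent: "Process | None" = field(default=None, repr=False)


def parse_tree(text: str) -> list:
    """Return the root processes; parent/child links follow the depth markers."""
    roots, stack, current = [], [], None   # stack[i] = open process at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := PROC_RE.match(line)):
            current = Process(image=m.group(1))
        elif current is None:
            continue
        elif (m := DEPTH_RE.match(line)):
            current.depth = int(m.group(1))
            del stack[current.depth - 1:]        # close deeper and sibling branches
            if stack:
                current.parent = stack[-1]
                stack[-1].children.append(current)
            else:
                roots.append(current)
            stack.append(current)
        elif (m := PID_RE.match(line)):
            current.pid = int(m.group(1))
        elif line.startswith("•"):
            current.signatures.append(line[1:].strip())
        elif not current.cmdline:
            current.cmdline = line               # first free-text line is the command line
    return roots


def walk(procs):
    """Depth-first, report order."""
    for p in procs:
        yield p
        yield from walk(p.children)


def attribute_signatures(roots) -> dict:
    """Map each signature name to the PIDs it fired on, in tree order."""
    hits = {}
    for p in walk(roots):
        for sig in p.signatures:
            hits.setdefault(sig, []).append(p.pid)
    return hits


def sample_process(roots, marker: str):
    """The process whose command line references the submitted file, or None."""
    return next((p for p in walk(roots) if marker in p.cmdline), None)


def lineage(proc) -> str:
    """'image:pid > image:pid' from the root down to proc."""
    chain = []
    while proc is not None:
        name = proc.image.rsplit("\\", 1)[-1]
        chain.append(f"{name}:{proc.pid}")
        proc = proc.parent
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    roots = parse_tree(REPORT)
    sample = sample_process(roots, "image.png")
    print("submitted file run by:", lineage(sample), "| signatures:", sample.signatures)
    for sig, pids in attribute_signatures(roots).items():
        print(f"{sig:45} -> PIDs {pids}")
```

Run against the full tree, the output makes the point of the Signatures note explicit: the only process touching image.png (cmd.exe, PID 2156) carries no signatures, and every hit sits under the two firefox.exe roots. The same parser can be pointed at any report in this layout to spot the opposite case, a signature landing on the sample's own process, which is the case that deserves attention.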

                              Network

                              MITRE ATT&CK Enterprise v15


                              Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    25KB
    MD5
    ad1dc9034c658bd89d1fa5d5f6275dcd
    SHA1
    be54ffa481dc0bfc7e19df1aa31b0ab21a898fb5
    SHA256
    056bba28deefb134c71d012854f098bf402a559e751b80cafd949488d4d31f01
    SHA512
    58487ec859069ed2a00e475771ac811592eb75435fc2875d0830870ca87d29c36c2ea526afb87493c1234b898fb617c8adb8d4fe36b024fe1feabd702c265996
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\14082
    Filesize
    15KB
    MD5
    936982efd7e29a962367c444f3c71198
    SHA1
    706413885f2d5400092bb4bd0dcd9ec1905b2581
    SHA256
    0a2f8e15e12f11bf9e7725abf3bae3eb6219d901ff8a03c5b55143213eae930b
    SHA512
    cfe8e7a6eb3d31099bd931bda8ca4d6e7ab19cd3a8f0e2183d13533e257a9da5b77ffe4e5a3ad3b8fbf9e62b196388370e9af25cac10e9674f8912059ed1419c
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\20237
    Filesize
    15KB
    MD5
    83769f2a81b4ec96b923766ecbb409a9
    SHA1
    bbaab659773b8d185449359e227f8220c5e8732a
    SHA256
    203a0070bf726f48afc2e5928720e91c67301e2fac3f804800beba00062a4c7f
    SHA512
    4e17f4de709f9cfbd558017fed8154fcb4bf1088ef3bfaa909079e45b0f3fb5e97e5fb1600f82a219afbe358c9e1cfd12cd1ec00c84c3d61ba5b5d5f974c9cb3
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
    Filesize
    6KB
    MD5
    a77beed753deac8548198d25df7acc96
    SHA1
    fc001cb1214146a7ffb0f7fa4897923e5bf756a6
    SHA256
    f8abf5e10b4271741fcde0bf6c524342db8e18f7426dac842dbba3799d80e926
    SHA512
    7e95bed82331426a67bbea317a5564280ab7e621738ca7a2b3e31cb785d0168fca25d9c0700fad2c6ff83c179fd2feea54d5413a884866fb21408c5649d6817d
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    9cd89794975560a6c5d69ed9e988339a
    SHA1
    4a78871f59b8aeb28b9450eea9f657d8539768a3
    SHA256
    73a4cb46f36faead18cd4408152841f256f93a1d5eb8a904fa55807a5eb5774b
    SHA512
    f287b6d9da14e6c184a188f5f451e6eee538742a4257056313ebb1cb60c71bf1b17a52ad60a474218efcd761e259816fd15758dbb6dda12359ca7a3bf5957da2
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
    (same path written a second time with different content)
    Filesize
    3KB
    MD5
    fcf9a4bb68974d58075f457cdf973bde
    SHA1
    f574a9e9d636df89c8c98f6d0c27e1897c075c10
    SHA256
    d0040686d857d1b7be9c064a6ed9e0a9e071938fcc2b2913a88eb2eeccd55fda
    SHA512
    726b2e3b79ec86bf65f9afa711ba0a7343688a355b1a12b4cd1b0f993a0090993eabd700e2cf7a4107c4d80ecc755aa0bb796d0ac3415e55cfa3d429b48bae7c
  • C:\Users\Admin\Downloads\5BKHTxm9.zip.part
    Filesize
    8KB
    MD5
    a043dc5c624d091f7c2600dd18b300b7
    SHA1
    4682f79dabfc6da05441e2b6d820382ff02b4c58
    SHA256
    0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a
    SHA512
    ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

The .part suffix is Firefox's marker for a download still in progress, so the browser began fetching a zip archive during the run. The Network section of this report is empty, so the origin of that archive cannot be established from the page; the hashes above are of the partial file, not of the complete archive.