4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/deviceregister_shared.dll
Size

226KB
MD5

8baaaeacb97679fb495e1c4f902f0a68
SHA1

29185b00e4c56ff8cc22de64c1407809d60348f1
SHA256

7c2a74c4be8d524a121e78e763c05c7b5cb58b524119ac8897c493e717a1d42a
SHA512

49f864332165c0229f0588fa1fd56fdc04bb005be1b61a9367fac5f45c32783e2e633c8acb64c3a921d41d9b79ceb3315813aa409a8f725cc7193958bf4bb8e0
SSDEEP

6144:5Nj2oPjbpV4hliZ7xsFARHtw+WY0L1TBWoBvF:6KV4hliZ7KFAb+L1TIo

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4648 firefox.exe
Token: SeDebugPrivilege 4648 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4648 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3876 wrote to memory of 4032	3876	rundll32.exe	rundll32.exe
PID 3876 wrote to memory of 4032	3876	rundll32.exe	rundll32.exe
PID 3876 wrote to memory of 4032	3876	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 5100 wrote to memory of 4648	5100	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 4132	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 1260	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 1260	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 1260	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 1260	4648	firefox.exe	firefox.exe
PID 4648 wrote to memory of 1260	4648	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\deviceregister_shared.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\deviceregister_shared.dll,#1
2⤵
- System Location Discovery: System Language Discovery
PID:4032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf32d280-2ddc-4173-b014-b5c05bd82d31} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" gpu
3⤵
PID:4132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 25791 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4fac58b-dd74-4404-a85d-5701c5b04b5b} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" socket
3⤵
PID:1260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2816 -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2932 -prefsLen 25932 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edd42c14-34a3-4ea3-a887-c26a4a205e00} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:2084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4224 -childID 2 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9433ce22-b018-4732-b8f4-6e600edcfc11} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:3112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4880 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a1969b-0eb7-4bd4-90bd-4ce185e45191} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" utility
3⤵
- Checks processor information in registry
PID:5272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5376 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1993332-b925-4f8c-b153-317d409ef65f} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:5744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5672 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49265fea-e505-47bc-b2f5-671b41024304} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:5756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb71fdbc-3afd-469e-8621-a3a028750f1c} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:5768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6228 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 27158 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d8b1fa6-0a73-4abb-9b84-bb8e48e39650} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" tab
3⤵
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\activity-stream.discovery_stream.json
Filesize
25KB

MD5
976af377fe6256bea18739afd897dd9a

SHA1
91cfa1836bb2bdf8b491f52c5c04d99556494b3a

SHA256
26db1f8c83bea81bd0e592788f540dedcd23b6257989f3950336ce64a035d4cc

SHA512
4a91af8bd6acb7be12c4e5916f1234f7821a5ecda41610f8e9ae02b718695b255f37c0f372dd1ff335305055d01efd1e85d27dda72fac586252028ca1d9a4be5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\055BBB905A5045D20CA3FAAD45FCD316C5072EEB
Filesize
219KB

MD5
8c259d3431c793e98454852f596c165c

SHA1
65a4e49ffd45527ade6d5c077d42637388e37222

SHA256
e93211487a65804aa8d28d33c10e6bf4bf5eeac956fdb9468fae02303109d9e6

SHA512
e4bd3ba7ccf9b166a052d806e7e22f961226521f140c8fe7b8fd3355ad08b9dcdbffa55dc5fec01704f05684c11a0e3a6535353f7058f4143b7e11d4be6a6638

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin
Filesize
7KB

MD5
878f25e28a9f60a2464085304ea611bb

SHA1
db1c944d6433b3704960666afa5d9e603c51e630

SHA256
d07935ec236bb80ab8558d653f19de9a22ed5a8abc870fdf2a23039dbef04cac

SHA512
a40a94e27a4edff1e181df2a031a5f233835f3ebe4f3014932af0d5dbe487454723c6f232ddc18ceed4f0ce4049e42d5384d0831c050885fec690c9331438f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
ec665112783f75c9c4946e567d1dfec8

SHA1
bf3449cc8d07eb45a1beddf57bf2a8180ad2fa8a

SHA256
34d9323afeee70b4f470d5ceb280c79d049cfe135534d6a0c746436bcf70f325

SHA512
d0be2f2d45ff9c1fcffb09ba93dda38938add528e8696eea4cb55a4e503370f976884e0004120fa38e078bf318f236e69ad4e413b65a72abe9240d2216614a01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\1357d30c-10d5-4da9-a71f-6798fe363981
Filesize
982B

MD5
a039b8968d0efb020261c77100035ed7

SHA1
11012116320970e72c930a8cb0754a325300dd3d

SHA256
dad938831a9219d7ab02d11a3f079b85987976b3398b2a79191011497a53a7ae

SHA512
26a5f670cadcc1f5210bbc4a470702c59a00965a279f290bd0b93feb2a8287689b4b4c8d345c097008a4bda456dd1dbc667a7190d370789da28800a639c8f2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\6c433292-78c1-4c30-a4cf-f780d761a8d4
Filesize
27KB

MD5
9e4b2a4fa290ed4802e7bbc7bc515cf3

SHA1
a469b5ed245ac6d292d72a08813d0805b284e96a

SHA256
4eeb972841bdcaf97db63d23c1bf800eb663ace58e9877d02dc4064cb785edc8

SHA512
1cdbaedfc6b3593cfd00af472950aaea7d1134e9d97895296817e25edd808c403959b5a3d67be4763d98437e60855f5636a78a5fcc666e5be3a6f0d02b95ea48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\cfe4076a-c028-49ac-9b94-777bbe4b5787
Filesize
671B

MD5
b05361233b8106bb51394b1e06b7da71

SHA1
b516a8ecaeb609134e153b24d97234ad70e4b09b

SHA256
87c4995b0a8311aee4063eb26fab43550efc886de184a44ab0b38273044507e1

SHA512
76ad4f8ca4128d88af63118f90f2efe20918d220b440080e82dbf45bdf5491dce45e05ce49cd1411b94b290280f04799b62c33aa29b63a99b8f2036416c1446f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js
Filesize
10KB

MD5
cdc6d2488e4183b3f2ed8e030f050aa8

SHA1
0a4d3450571dd3f73bbeaf472930e60071345b34

SHA256
44fcc0f9d5d314718dc12f3747031da12597497a844d12282c9b58eb7438ab20

SHA512
b9642a0d5b664d78579aeb0f1d0e671d6a78b7cbd7a04b6c1ba019e2b9d06910b40c05d34411fb557e9a27526c3ff00590f804e47ecc684baf70ee820af28e96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs.js
Filesize
8KB

MD5
89e8be6b938a1641816d4a9853f8a5c3

SHA1
1839d0c4cebbeedfcb61084ce8f42ce1adfd5dbd

SHA256
0ee9fee904f7af3f66862c82bab866f23396ee4290b2dee3600a90a7b23287a7

SHA512
9faa25c7535afd18413a050c77127e5596c84ea58e2170a3617b282c93079da6a432566f1b6d15761393741d483fb4a3edc9f4505babf398ab69e684f01088b2

Download Submit