Analysis
-
max time kernel
60s -
max time network
65s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26/07/2024, 20:07
General
-
Target
https://us02web.zoom.us/j/81763113284?pwd=Z2hNYXRkaC9qYnh5YVcxMGFXazNmdz09
Malware Config
Signatures
-
Downloads MZ/PE file
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://us02web.zoom.us/j/81763113284?pwd=Z2hNYXRkaC9qYnh5YVcxMGFXazNmdz09"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://us02web.zoom.us/j/81763113284?pwd=Z2hNYXRkaC9qYnh5YVcxMGFXazNmdz092⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecafef8e-a1c8-4ddf-ba5a-223ea2e77f3e} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7718fdaf-94a4-41d0-8a6e-60180a52ad79} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3128 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6173837-dee2-4a68-817b-5a63f4b77a81} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3912 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f0e8af-36cd-4744-aff9-fa940fa93653} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 2788 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5526c7-633a-4e2d-81d1-11021d2d7bd0} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5256 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73e10983-2c6c-420f-a0f3-324493ac1f01} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9098aeae-c274-4795-a714-493cca347e56} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f92b94f-9f72-4bd7-8a21-69f4da2b7dbc} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5c9f7146e319d4419d761676ff0e06c34
SHA1c142dc9f485626f8844922351761d8fbf7bea254
SHA256e1506f6932eae2a30bae2442ecb4d0a2d52ede0d73e653e4ada42580feec8ef4
SHA5122b8bb0c8400392123f863659e8410b88ac632723f6f33273df54a32611efc6f574e60686b914e346d3c06a0e8953901aa76b7bb6c5da7984e831d82bdfd0e533
-
Filesize
13KB
MD5a29cadf7b8ebaa35e60a967b8ce4950b
SHA173a8e503fc7429e5094b588c7d968521d3ad9b97
SHA25683cbc129bec148ea813fb4ffffc29a5f2995fd7a2c20b6bb781481974cb13209
SHA512d27b46b98ee32d295c51fdc60f2a8f4d0f3aeac0bf151d10d5470a1215e9cbdb093347668b20caabec9adbfa498204bae8bf129a8a17841b6aaa6687ff5f89b4
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD598f0d1644ec16c1184f1d9901f441642
SHA1596af206b262992e0e88607390da266f1d21bbec
SHA256ee4ca384eca0fabf1129e25b4ec2df1f64d6935379a1497a2c5fec171ff020c0
SHA512f4ce47c24148f5c3799696fd0c2aeb6b0cfa8b54b6e0eb61f569a846e0517a4c0fa177eb31f66093d11d9615678479acd723b284c551829fdc083a342047e263
-
Filesize
15KB
MD5c550a3079bc77655d439debd59da9fb1
SHA12bed03450e68786814dca9485ff6a90d610a9c1c
SHA256fd4dfdc64c2b9c8edd0d9cfcfe51cd2a5dff2cb1059239c2212e223329b024f5
SHA512d9b609063083d5fe1011cb05f222c3b3322dc1e8ba107b0397d039a7411f569790616a0575c0efcc8dcd3785bb6fe4c7ee7bd97af9d2d218ecec2c962acf1e56
-
Filesize
5KB
MD5c39fe856688097e4c1097ca2406834cc
SHA1a0dbbe1eeae156a2ea68b3cda8f7a40b805ad890
SHA25671c229e6227a57325a4fda5dd70824a1d201841044ec33f981b9e6208e964a1c
SHA512b9dc90cfa550912049d66c39cf3eae35d0880cd35a945ad2794a0538b3ef795efbf68062ac7eb88106bc9d6371f99698897e52f35697ccd8515eb293b8391819
-
Filesize
15KB
MD556e1a8000d33ad082a13497695ec0313
SHA12a3e3de029f8ecffdafb14cc1786077be99acfd9
SHA25663ac80a2ac6ad88f4ee10eab09fd42de56e0b74f4acb976db6c127885e0f77af
SHA5125c314e1158d0a871c76bff3c23340d9d2ee7e5e2a98bb51d7422ac64fc97f0b1ec8b41730970c3d64dc9bb424d9c121657f87dc56a2d46cc9da06eab5afd550b
-
Filesize
27KB
MD539d2db9e37693dff2e575ce6e405d764
SHA1475658ab1f176764b700b0b3b5d69ffb56de5dcf
SHA256266513bac8b73c64d88853d538aafb4fa0973be40ddcc00db9c4d1306c5ae04e
SHA512919695e0a2d00551fd2b4bed611346f8fbe66125c328316003ad30f7e1a9a061223ac3ffe226efde272ff9ba07c9c5255cd7c99bcdedac65efa8dad0afab9591
-
Filesize
671B
MD590b164472bce2207b4547e7d17c65562
SHA13f66a426e2d5fc0b2c001cbf1d7458e28dc831eb
SHA256dc2e06a1dd4d8a822759126cb0f8350276f1422fb5022ab2e42cac2a6cbd5d71
SHA512b89b632b6d4ff9b631f9ca72c16a8860a29ac4e01be72906944ed621ccc4c82e3dc2d40e1796404f9e71ffbcffda8544cf6ba436d3a3da0a8af18e67f7eb8943
-
Filesize
982B
MD57a2fd342076c680314a6df98fa41f2c6
SHA15e22676dd090ecd3b5e3b202109d60db7af517c3
SHA256821bdb08f6cb9d2718e4e2ad747ec8e3a6614f2e31c72b1e85f7f793b2d38959
SHA5123e45bca7444fdc0fec00ace69e0808820b7017271a79948067d3eb56d503ccff977e6b6e640ff8fadcdf74213075257635cb112e30a9bf7f69bb00330a04b7c8
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD56d94725742951871884308966783fe50
SHA1ff2d9dad3c40eb6fe1f12761d7d01ae3fdce3759
SHA2567a55ad1951a77f2ace7a8f42deed49880eb35fa432e8b05b22013f2320d9bd7d
SHA512a32c5f896e551afb9cbce383bf1a136954b1a097ce13d78017a87abbd2bf292e5f0edeb45ecde45dd9dbf9364df18c35ec0bebae1ab44dc866e111c1485b1f32
-
Filesize
15KB
MD5f652a47578e6664c787f67751e1dc59c
SHA18b26d1ec1364adc2332bcebc4a3ebe2fe454a8a3
SHA256c7c7c3de12c99045ecacb4078350b0f6f51f1e5fea57cc18761a382ab3da0998
SHA512a04549b1c17a8245228ee286aa821d5d3a769c11590065c09b9ce7f4314a535d0cfaec44e83f7ed0878ad2c1f6aaa21f860f4a0c3151f7ded3dcc983d22cdb72
-
Filesize
8KB
MD54d3a1773bbb20337d46bfb33d1884dc2
SHA13e08db3506170df020427c0b141004490d6189fd
SHA25683eec706961f184d933f8b6e77044bf9401d270f0e51b9ddb7af6c9078dee4a8
SHA512020ab4d29434616986646c7c4daba180886723f8bffc4a9dcc7b68c7bd3fe4c3562cf7b780b11de7e909b265600d60c73591727681f52363c469f728970b73fc
-
Filesize
10KB
MD5bad590e9ecbd6eb533006a5088c29dfc
SHA12a02e85624d2ac23752cf9a14b7bcdecc395c6c6
SHA256d13247cab8cdf7dce57cad1f2299e539ff9dc6bad561021dee4d8e6a507077ba
SHA51216147b5f132b364df8415fafb50b3006a153037f025bb8c8cdb221948b49c713840f2a7b7d8b613dac08e1399ffd7b9d1d9c41c10883a5402248e58a2ac02c53
-
Filesize
2.1MB
MD51e89b8c6d79bf88816af6bd4d627545c
SHA1e7d215cb7a09f18aedce3c89f336e0bc3f804b10
SHA256ea97b59ce0eab00e072c683315adca6cccb5ca1e14143f2ffe860b861529e921
SHA51232b37b4ce7b1c35e6f5b7de039836f4de65afd97c1afa1c4c2f2a39b14eac8c31be618a6c9fa15fceaa77f70766bb7b9adad7f49991fbbd8de056f804529dfda
-
Filesize
134KB
MD55c11965e950dded901ca69d3fcb45f29
SHA1d5384143284aca4a44bd066b7954540c039bde89
SHA256158771e5eec31ece554a8a386c6e0cfd9f602ce069e3e4f2fb6d50d501635bab
SHA5127aa7313992f4b2d1f80512369ed5b856ce9afcf5434a8681726833d2d4de2e5dcdded07afdce136ff78418aca4913329d3a8da26504001d4279ef0436a2837aa