Analysis
-
max time kernel
91s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03-08-2024 09:27
General
-
Target
HorionInjector.exe
-
Size
147KB
-
MD5
6b5b6e625de774e5c285712b7c4a0da7
-
SHA1
317099aef530afbe3a0c5d6a2743d51e04805267
-
SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
-
SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
-
SSDEEP
3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {366b3e74-99fd-403a-b741-59f55c6b513a} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0b9011-c6ec-4e81-acca-f1743a2b3f7c} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3200 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab2b177-261d-4831-b57e-c18094258c39} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 2524 -prefMapHandle 2688 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {659e6c0d-e521-4075-a65c-e55b568bb427} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4676 -prefMapHandle 4684 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc9e8402-66b5-4fff-95d7-cff4ae8cbfa2} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" utility3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be27caa7-3528-47e3-b48a-e28c84edaeef} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa95ba41-c955-4276-83ca-c94bbf3e8b25} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5364 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9776eb-a6a4-4b2f-9356-e6e950619135} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6088 -prefMapHandle 5960 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d7fea0-8632-44b7-8d51-f18a87d8548b} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json.tmpFilesize
18KB
MD5e8ba985601f8be0a402d591e6ecc0729
SHA1b49d2558a593d9398dbeb5e136d3698565e2f630
SHA256a85457125571e904f41c24fc04ad50b27b5bfb749eda9df696d97b7c5de20fa8
SHA512ef0070825cde84ef99512540a7b44668f5bd892a11c9140e5f435ece8f7f6ea8df9682f7667c07a5d59210c120cdadcde9b921bba810ad0bb13ef2d649a2111b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD59448b025dea3216a5200884c373c4ae4
SHA1e728fcc3e55e18bd08a3366b2fdb52a760d08a24
SHA256d6d56ff1673eb40d191b89da161dfe5b46f2dfdccf2215b1a3c8e9f0664478fe
SHA5128bee3de6c0c5782a3024cc10892c9d8373ef4899db4623291c5911c9a18c0ba8a81cfb4c3800165a45c30ca6f5b0eefc35382586e1863d14fd0dba03d1e6a8e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmpFilesize
6KB
MD52769229d7caee640be6cb27581082c73
SHA195cd00b248eb2bcc92875d5c05725a044e10344e
SHA256fe338beb5dcaf913f3944fbcd83797fecfa70d5e70f34e6fac730ea0c0175a5c
SHA5121a41607d93551b93987c40f360b62d7c51913be3d446c09d1941d0ae4cf64e90c2b0c2cf63c79f44a55ef2f03ffac74e56a227914e8e614b9d304ab3ee5d18f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD53c8dc9bb4890d9f2f5d137d5afd82f44
SHA17df02f68a7bb451a661c85a55cfb85b668e31bef
SHA256a1d0b6ca872669f5731c8faba0f97d9a580c795639c00c5ca4825026f3f034a4
SHA512cdb4265ebd5151639a26647e6c1f8a21765f23643e99fdd4a96577297cd9ab06ec3159bc3e0841663792410db05bdc2d9417c8ead593a488bbd2b2a13b0ec2ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\1ff8d0ee-0340-4d4e-9162-e1fa95044401Filesize
8KB
MD5e9616a6f7f49cbe5568cc8946d6596e1
SHA1d146812e2f50a67eada13f414af7487a43c0170a
SHA2560a6ceae23e8ad0c93480d2e4878ca979bc9a5899cadfc8288e501f923589e1d4
SHA512442fd815a9e8ac3e08df1f5777c66bb338963406365436d373e01e112c3cfb9fbd83c2b8db6f46ae4aa79e60973676f88c8215c30cab9a777c7ac961420bd027
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\78d69bd7-9f02-4a6d-a244-1b3dcaedd4caFilesize
671B
MD50951cdf6592f6389d0fed12f25820335
SHA111ab648da35e889d8d7e14e4d47ba839df98cb30
SHA256ef036cd61a1c1f5c9ebfebfec8be69541a76c9b9a688cfb421f3ee96c85297ea
SHA5128bf53a4aee8c288af97eedfd3b69c9dd5e2fcd610e50427f330abbaa3374ddc9efece6445d985715f1fbcac9696dab7c2efb24663dee5f4424ea0d8565edc437
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\9463aa57-7df6-433b-9fae-aebf8286c1b0Filesize
982B
MD569bdf3f731e03ce8eb99336275e69ddd
SHA10d2aa1d7d434f85023a01b069d166b4ff0c64eab
SHA2563af1f4c52a18b9973a1e560044e1664e146afaf104c2e2479b0108725434a438
SHA5123a5cf7f052f465b8151dd3c35e64075b168c47da946c0bdefceec5526392e86db4a296fe3e49b287e60add9f90f926d4ca80c09c56f6701a316e4d0a2ca2a8b6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\cc3aa95d-fa60-4010-9310-7f17047f19d8Filesize
26KB
MD5b46fcb1e935125c30b5be260d95d1b19
SHA1263e4d727e4d326707ee1b88aee34dfcc7515b72
SHA256747d080cde6636a30fe9f1318406635aaea48c79b6421a4798f29ea10942883b
SHA5128c5f6ab76c6823f64a65d7d7dd7cae02e995ac5e14fd078284e4d759f0b92f910169e6e1bc6b31c12d5c1a74ce70cd00a2fed02d7eba24bfc39b3c74fe68ede5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.jsFilesize
11KB
MD53697c4c973a483028735df384cdbd146
SHA19126f6bb678309d2491440ec2a553953ec3cc37a
SHA25643df1796cda678fe1b6f12fb04c96c3c0ee8fcdd4fae99daf227fa5f3933e71c
SHA51291004cc2c365b0b21c94646d61d5bd78e3dace56fdaaf791cfa7128452c222f924c754bdc3786e0cf3986f52103121b936fe6b878a8bacd9c8c5b1214e889a06
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.jsFilesize
10KB
MD5ce0ef443e58a48fd3dad46e1b6849e9f
SHA179689b2b2826c978222b8b29956f582ca500a2cc
SHA256ee3c238fc3fb9ab84381e9a5e4ccf5364e18eb77090803c9c67b35b5de3fb052
SHA5121df80bccfaf94a855222cbd41a58a26353473261a5714ec3e7e2c44c8258ccf4c017a4525474fe7a3741039689299f87561f44159d344f92115aedf004b33eb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\default\https+++www.ebay.co.uk\idb\2728594770keeryovtasl-.sqliteFilesize
48KB
MD59b38eebe679664032b8058632fec550a
SHA1213b3e731b740c3b8ccbd45e38171e80dfb5ec34
SHA256ae66317b881b30e2d9d4bbd21973458771f5dce3f78531f4642b82df0d6c2ddf
SHA512f2a25c8d45710714222b32ee26ae211ee0b36aa2d7e90bceb18b5380b2770e6e26d715d9527c6962b340d8e45d498484b79d062db414eff1b39bbe621fa68a07
-
memory/4660-5-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmpFilesize
10.8MB
-
memory/4660-14-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmpFilesize
10.8MB
-
memory/4660-9-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmpFilesize
10.8MB
-
memory/4660-8-0x0000029C74540000-0x0000029C7454E000-memory.dmpFilesize
56KB
-
memory/4660-7-0x0000029C74570000-0x0000029C745A8000-memory.dmpFilesize
224KB
-
memory/4660-6-0x0000029C74050000-0x0000029C74058000-memory.dmpFilesize
32KB
-
memory/4660-0-0x00007FFFE8BA3000-0x00007FFFE8BA5000-memory.dmpFilesize
8KB
-
memory/4660-4-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmpFilesize
10.8MB
-
memory/4660-3-0x0000029C70520000-0x0000029C705DA000-memory.dmpFilesize
744KB
-
memory/4660-2-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmpFilesize
10.8MB
-
memory/4660-1-0x0000029C55CC0000-0x0000029C55CE8000-memory.dmpFilesize
160KB