Analysis
-
max time kernel
222s -
max time network
258s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08-08-2024 09:05
General
-
Target
https://drive.google.com/file/d/1fE8eG9O_1Uu_6imJ_ItTiiP1r-Hu2OtK/view
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1fE8eG9O_1Uu_6imJ_ItTiiP1r-Hu2OtK/view"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1fE8eG9O_1Uu_6imJ_ItTiiP1r-Hu2OtK/view2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db2d0f95-7d38-4133-b86c-13b8ab7c7bd3} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c578778b-1c3b-4208-9e53-8b7dd2d37783} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30003316-964d-437a-9cc8-67b813147d81} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3108 -prefMapHandle 2808 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4325cb5-58fa-46f1-b972-c313095439da} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4428 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4392 -prefMapHandle 3664 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8845b6fc-396d-4a88-b5f5-398c4018c9c2} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 5172 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52d06c-70af-491e-8da2-e4b442d8689e} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5100 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {436bcf5d-b906-49f6-994b-79785c9dc590} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efce40f4-748e-4a24-90d7-67a6abcd9b41} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 6 -isForBrowser -prefsHandle 3812 -prefMapHandle 6016 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89cf1b66-fdba-4489-8ec0-775a630fa20e} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "1⤵
-
C:\Windows\system32\chcp.comchcp.com 4372⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\find.exefiNd2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get Name2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\findstr.exefindstr /C:"Intel Core Processor (Broadwell)"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "1⤵
-
C:\Windows\system32\chcp.comchcp.com 4372⤵
-
-
C:\Windows\system32\find.exefind2⤵
-
-
C:\Windows\system32\find.exefiNd2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get Name2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\findstr.exefindstr /C:"Intel Core Processor (Broadwell)"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5b69a6e9ed146acb871f91f13d8b24e59
SHA15fab7f54acbf841e12b61e22d5232bb27ee8b497
SHA256018e8bb1779810381d6bf8636e93ade7b02bc439a73987ad12945bd082665e97
SHA5125cca9bc406771736bb841a75aff388ceaee2792c6ef87c7d1c7958360a092fe87fe4f0f8895d5e7bc4436cde0148eb2a753428d0b0dfb4334c4681306102934e
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
8KB
MD51ef037c5077f8e54861ae9c10c5e2a4e
SHA1027c34ca3b68b40c892d974941da12c82ea84d26
SHA256521afdf9e8ede21f25f97cc511a5c26cc9fe23287f01215bbb18e183abe93441
SHA512ad14061cb3cd0043011269fb19e8db62f192dce509384d382642d8f626516bf89867250d78fef094238143696add25d4df0c48d0da276dc35df628ee6e5a1959
-
Filesize
22KB
MD5f81456952db8f29c8f91613519593812
SHA16c96fceca5cf02cff77be0ffa401723b23349912
SHA25680e40ffcead487d5e47adb6d2b2a9dc7cf6ef035724237d42f8e1f8b446a22f7
SHA51264249b4c7cc502dea426d33d98995e38c3f3b5fb1d6711fccad2ab9a6754639bf07bde67a96753ad0a5aa6f950eb60e9ea2d4e96860763967d015b13a28faf71
-
Filesize
26KB
MD55edbd63daa6796695bea6adf466f00ea
SHA1824932e22d5a5b27000215108614e64ef5dcf780
SHA2561bde2f661a0455bb4bc063aefc77984940058c1080e3f3f1ad9ea2a5e06c2f68
SHA512efc41fc57416dc1b91934051900b963693428f630e09728319f2b4744e9cbbbf300b40d34b8416b1461fd23e5b3043a3018b1a4300cb8f1b5c99a2c853ade430
-
Filesize
5KB
MD526b142a7a05fe05004553660fc626ea0
SHA10a2d277ae11c7f997156e82969041ef20f05a0ae
SHA256af139723936f86ad5b1aa99e78f4c451fab1cfeac55efff5fbbcd3bfd0d08625
SHA512267043acecb6d3efc3fdaebca125dc9f6217f333a1c04d0bfccea30425fbb048f9189d0e5ff54242f2b95f2d4c2d3d50c16489c9fe0d97020164e06bc840cfe9
-
Filesize
14KB
MD5871b2a277884c21c5ffb05273068523f
SHA1036aef3d0282f6de55196fa6553cb09f63ac2f67
SHA256b3c5979f0bc730ca1a6321a0262697b324b9b7a32fcec7ecf4be7df5d0856a8d
SHA5125c3a4bf1e67d41637ad75eff2a94e6656f0300f03694f34644fe2770ddb8f3bfbff0feb5f9e3757fa77b6f38d3beefa81dd6b58b521a4bcce922a7eab3d26610
-
Filesize
27KB
MD59c59cbfb2c663a8c6827d449e5629498
SHA10c82418250411ba1fa9e892e284be3a633456908
SHA256ea69df9ec63fa7a7df277d4f2759d9ed97617d66eff835514a280432f4bc3227
SHA5124a5d46292f598ade47dd28fa30f4a8cd23796fbc53b85c89f289ca0fee2c72ed326108b16fd0dd1aa97ef33bf0d325e14afd77b2ced2310c5b8a0f2001303e8f
-
Filesize
2KB
MD5a9dabbf41df20363675360ac5663c066
SHA1d23fce8bad99434474978e7cbf46b2612b521f32
SHA256084a405aa3b53cdd27860835c0120cb87d02e348e9b3d33487e7220a0605f838
SHA5126283c2d41bb6acd70d878f1a1d9b4a87d4a42019f38bfbb63b87132b7c2d4efecc76a8dc85087ec7c3048b16a65cceee73d485f22043f251f1d0db1f3d67e504
-
Filesize
671B
MD5f75b6a55405e47dea68440bacdf014a3
SHA125d3a95e8e9a4c80a09bcb4fddd96728fe42d5fe
SHA25604ba71171922bd2b0c52b77775b287478693cb5ba720e081c69d78aae918ac29
SHA5121e556360cd20c95aa65bde914b1ae174393c5275eb0dfa5041782535ec89566a090237d11d16499f70e8b06af53b7cfc4bb549917f5485ab1783dcb1730583b3
-
Filesize
26KB
MD581ed5b1a4b52da7e03d50326f919f054
SHA1563adf28186a3a51286b1d469828e837de234cd3
SHA25648fb53777999616bb0ab89e6acd88da3fae10fe787483ca5797f1a99195b50cd
SHA512a4c70d48c029784e68dc5553000c64d984d828d25d14085e9739185e6d7bcefd24a7faacfb1e0f9f91ba986907e92b9525a723733c8a43895fad8efc2cb5d9e5
-
Filesize
982B
MD5c97295ea531f5a638be922a52d29b73e
SHA158d617227ae4816d5f954ed30b2974757abefa9b
SHA256db7346a153b74cc5d058c59ee50d0be014e45d55f7cd5dd4dbb4089af3962347
SHA512b1aff87d63a18d1e2eab95a5673924ac5722426408aa6625e50997dc72790d85a95628b1ecc497ef65b2c2781f781cb34c9453e88960d612fecfaad1d1032d3b
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
11KB
MD59f999a295c08c44600be4b2128e2d898
SHA132268f6940d5f9c4ea57d501dfa707f205be5a9c
SHA2561fb74b9e9564d6b8677b6114fa9a448bc7a8a484d0573b8b6b077c27318e3481
SHA51268461fa4b223b1bfcab9a984ca9d8c7d5eb68a7e705913138824e92c07672fdd45d4762136e987bed09fc272644d0f24dd9f1f1d94af4f6b2ad9a134f86443e9
-
Filesize
12KB
MD511a1b26066fec1a56bc8220e4dd2cb96
SHA17a4cb54a14c2ed6a4a56a4cb604861342e092010
SHA2560c7e4e17a7ad174ec9af0879404ed738316dd89b139c4d13e8b9d9833fb71411
SHA512dfb65c00bbc49e951d5f3122ac04a5af17fa3fd5eb1e2846eb64e49d2367fbb85e17cd520f6d88de303e2e7f2be5cf256b2424fbe91e8802e09f98acd5b742ee
-
Filesize
11KB
MD5e4685538bd3f043e0e5e9e5516bbdae2
SHA1b11dde74086cddc5a42443cef00bbe3aec8d775d
SHA2567e6042da6dda8d4577b57514fb426ae225a5a26d42a8509fffd440d9d602b48a
SHA512d34d8ff22f369361d8c70f071b3e20c00e9d152abe4808cb95042c294ddbda92058e4cfdda7a946bb43a9b1ab2873630e81101c925decef11b4fdf0116dd3cb5
-
Filesize
1KB
MD507ad3e1cfb033d006040e7d9943b133b
SHA1f623b90b32c6e1d6159b1f6b186771c49284a066
SHA256b9bd127a9ad62c32d49e67bec2f0f645f85ff67d0519fb742c32bc604595d142
SHA5121e29ebe6ed63bdf9363daa0cd7283951ad121ae4c5fe12daed2552e13bb67732fa88b6b820fd60333e94e8c06d81bb786f9c1f6e1fbbb66d4b357b396279b0f0
-
Filesize
2KB
MD5d68912f20ffa0808c602c531a695027b
SHA1e2d1110bbc45c4b492f36e2577242632c635fd8d
SHA256fda88bd74a1adc2d59e0dec0ccbc426c06f826b0b5e28fc572c4045df580add9
SHA5125f9f652656c94af742244d025c7a13fc28e49e6510990e2719564b1b9c0698b48eb3e0e9d13ea1bbc973eeaea1a85a9b81b6e4e73b0364b9a4dfb276558a1e9b
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752