79907648beb01a39a141640961cf63f203e57b4c8207a242c4179a72d02354b1

Resubmissions

11/08/2024, 07:57

240811-jtlxvs1fkq 9

11/08/2024, 07:53

240811-jree1a1enm 7

11/08/2024, 07:49

240811-jnwvwa1dnj 7

Analysis

max time kernel
149s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara/Monaco/fileaccess/node_modules/bytes/package.json
Size

959B
MD5

5e3137feec27c5d88693e0cb2ff95d3c
SHA1

d8fe3e70eb4ecf4bf58385e4b27f89b7ce656a28
SHA256

99b21c09ce812dc76a06cd87c4753247cb9615c6a8501c5a5a9d9caa22ea2d12
SHA512

4b4d89317e1a1caae6924f234b75e15bd2f8bd026d316152e6cf3ffac53553bea2995076a8a365f26a96730f36170d115ac35aae6d0888f621f536d795b89a2d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1328	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	2640	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe
1328	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2364	1328	OpenWith.exe	98
PID 1328 wrote to memory of 2364	1328	OpenWith.exe	98
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2364 wrote to memory of 2640	2364	firefox.exe	100
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 1500	2640	firefox.exe	101
PID 2640 wrote to memory of 4292	2640	firefox.exe	102
PID 2640 wrote to memory of 4292	2640	firefox.exe	102
PID 2640 wrote to memory of 4292	2640	firefox.exe	102
PID 2640 wrote to memory of 4292	2640	firefox.exe	102
PID 2640 wrote to memory of 4292	2640	firefox.exe	102
PID 2640 wrote to memory of 4292	2640	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Solara\Monaco\fileaccess\node_modules\bytes\package.json
1⤵
- Modifies registry class
PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Solara\Monaco\fileaccess\node_modules\bytes\package.json"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Solara\Monaco\fileaccess\node_modules\bytes\package.json
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f13e8067-da21-42b4-be93-416055312507} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" gpu
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb2099d-f5b5-4f00-ba81-0a900fd0237a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" socket
      4⤵
      Checks processor information in registry
      PID:4292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3352 -prefMapHandle 3324 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {212d2d3b-1ae9-42c2-816a-bb1abd614a24} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
      4⤵
      PID:4488
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd90c866-dcf4-4156-be86-da515496f725} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
      4⤵
      PID:2584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29d7831-d260-4108-856e-38662ea4dc09} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" utility
      4⤵
      Checks processor information in registry
      PID:5768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 3 -isForBrowser -prefsHandle 4700 -prefMapHandle 4752 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {799f31cf-4755-497a-bf58-a83c97050b16} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
      4⤵
      PID:5844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63ed37b6-236e-4f5c-bfa4-3027e35cd141} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
      4⤵
      PID:5864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 888 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d2eb368-c14b-4c5a-8de0-536699deffa6} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
      4⤵
      PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fc4feac3d04902614927d721e9b3673b

SHA1
c6e147d60bc31c02e5c92fd9b08a9d5bfa65b25f

SHA256
ad48fd8ca3793ba851f15fb915fbeb8b581754228d7a64598dfb3fa8429e0689

SHA512
3c79945cd6456796a0432202ecef589b02a5fd6e78dddc11f75b3502ae29f9203b965be83708421fa4aa6cc18905e29d6f86db6401cdaf67858fb1289dd0a4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
05f3fe2259efa32de3951c7e841e6067

SHA1
c74f00b31c71d43bbef039900e1b51165c7f23bf

SHA256
6758e081f68072b379890e8359f6c16ab70880e0e131b0397ee98f7e1e53d6bf

SHA512
e288789d2aae8a933bd39ebbb21c4d3d2ed7d6ab0ea3a7b0fd2037fcbfac114143422d81a492b165c1a96984d22f7c6647877980f313c1a7cdace3af87da9b24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
0947873eb9511d8125295c10210bf955

SHA1
44eee63814fa98cef01f6ae78de3ff3222a58bc4

SHA256
f115554e2da9ff2c4ed73f747bc98437a1632a355e91dbc002076cfa3a6e664d

SHA512
2567903007a8afef3fb09efc54bad538a047eb9a7f1bba450d7f9df3b65188d067bf0489d48761d744b4d98e5cd92e074e984e5500e4ec6c3b1dfe899adaf606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\2393810e-5c5d-4901-8513-299e65ffb4f1

Filesize
671B

MD5
196970b4fe1a18e71170969d453f7bff

SHA1
b00349e739f7be66ffc44c36238205916f5c002e

SHA256
433578aec1695decd908e3f8631703159814c8e6190164b07619bb6b3b7e5174

SHA512
c958dfd3e73420d1f909b965d05326f5877a1abbd082796ae372132019776a05be1f8486f4e5163a1fd6542d52abe79ad8f16af688060f5c364ecd1ea0e3ede1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\eb6dab02-0cf1-41ff-a6eb-444c2d5f9332

Filesize
982B

MD5
6861738aa13c91a1d91f486690a23e84

SHA1
eac02a5e9427968e08efca77c8a6ff74050152cd

SHA256
b39324fd6597dc54ddb9fa5b4ce24ddd0e06a2ee4d5ecde9ead77d5a74602752

SHA512
bdace3a5e46812b2d0987a48e4029064f185cdace6863c6cde5d165965c336148b0d5e54d44e5bd88b694b3384694cd08c64b6a689228275bd19eed8b4ffd63e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\ff4de20d-c727-4d04-adb8-a0efb8b3e141

Filesize
27KB

MD5
57e83e972adbff87defba98dfcff9a35

SHA1
679720bd53328f90f1e15d18a2b55f4438de8605

SHA256
a8c2128fb748ee5b8b22e21e8ce4615f6c613d26457985c0085975893d32c0b3

SHA512
6c470c382a4a0cf59a21eef73fc07d0036e6b28d4efbc749e4c006ba1a7e37ce1389b29eade57ac6727e585457a69d6dc1dbfe895ae438f30a10a480b21afd0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
163cf4f5aa21a9428a094191b2aa1114

SHA1
2714d3f1f683d526d4455ed35eb999a60b4f3004

SHA256
ca7c2f7af2c9c655f5c94a37e8a113058f2af8aca8580fd4d8595a7e9baa5423

SHA512
aa13c66d1b00a75fd9a5f93b247cbc6843000a4c4bbdd231d2078e7a0783f7e539b91873a0c0dbe17216769800e881a5de4651a909aacb296920d33570037781

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
6b004454e2b2b3ae81526483bc1fc03d

SHA1
0cc575e5424f72fe53bf3e082e8ec071d0a72fb1

SHA256
b92b75bde5b9e2048d681063b85bf0137da6c532c26557cd88f863d867a57e2e

SHA512
c4dd6790edc454d70988a6e97da6e9a662113bb41a221168ee3313205d24ee72ea59aa0b52f7a7f1001c73e4e8bfaae3fddfaf87301093f1da9415c65dd37884

Download Submit