Analysis

  max time kernel:   17s
  max time network:  16s
  platform:          windows7_x64
  resource:          win7-20240729-en
  resource tags:     arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted:         12-08-2024 19:22

  Static task:       static1
  URLScan task:      urlscan1
  Behavioral task:   behavioral1

  Sample:   https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&
  Resource: win7-20240729-en

General

  Target:   https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&
Malware Config

Signatures

  Downloads MZ/PE file

  Executes dropped EXE (1 IoC)
    pid    process
    2268   lol.exe

  Loads dropped DLL (2 IoCs)
    pid    process
    2328   firefox.exe
    1948   Process not Found

  Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
    description    ioc                                                process
    File created   C:\Users\Admin\Downloads\lol.exe:Zone.Identifier   firefox.exe
    Note: the only IoC behind this signature is firefox.exe creating the Zone.Identifier stream on the downloaded lol.exe, which is the browser applying the MOTW tag; the report records no deletion or rewrite of that stream, and the same event is listed again under "NTFS ADS" below.

  Checks processor information in registry (2 TTPs, 6 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description         ioc                                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  firefox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
    Note: all six queries are attributed to firefox.exe, not to the dropped lol.exe.

  Modifies registry class (1 IoC)
    description   ioc                                                                                   process
    Key created   \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings   firefox.exe

  NTFS ADS (1 IoC)
    description    ioc                                                process
    File created   C:\Users\Admin\Downloads\lol.exe:Zone.Identifier   firefox.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                pid    process
    Token: SeDebugPrivilege    2328   firefox.exe
    Token: SeDebugPrivilege    2328   firefox.exe

  Suspicious use of FindShellTrayWindow (4 IoCs)
    pid 2328, firefox.exe (4 occurrences)

  Suspicious use of SendNotifyMessage (3 IoCs)
    pid 2328, firefox.exe (3 occurrences)

  Suspicious use of SetWindowsHookEx (3 IoCs)
    pid 2328, firefox.exe (3 occurrences)

  Suspicious use of WriteProcessMemory (64 IoCs)
    The 64 entries collapse to four distinct source/target pairs (all sources are firefox.exe):
    source pid   target pid   process       procid_target   occurrences
    2096         2328         firefox.exe   31              12
    2328         2776         firefox.exe   32              3
    2328         2760         firefox.exe   33              44
    2328         2504         firefox.exe   34              5

  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

  [1] C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&"
      PID: 2096
      - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&
        PID: 2328
        - Loads dropped DLL
        - Subvert Trust Controls: Mark-of-the-Web Bypass
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.0.1383986264\45290650" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1132 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5aa0cec-39be-4646-bca9-7f42402a8994} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1336 106d8358 gpu
          PID: 2776

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (socket)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.1.1609135810\753952264" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b4d08df-6fe6-47bf-b488-a9b0d099a453} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1532 35e3258 socket
          PID: 2760

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 1)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.2.262101977\1097345499" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb01c03-275c-4e2b-878e-d2138d1ea660} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2072 1066a358 tab
          PID: 2504

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 2)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.3.265472674\1491460113" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2676 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad284041-84a4-4d8b-8c33-a84800520888} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2692 d6ab58 tab
          PID: 1708

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 3)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.4.1314924024\1961208842" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 26490 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {145386c1-127d-4408-b2da-7eeb9fbadb96} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4040 1b5f9258 tab
          PID: 1596

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 4)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.5.1014361544\1718143239" -childID 4 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad8d042-bc7b-4fac-ab4b-90bca684bfc3} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4136 1ed64858 tab
          PID: 2468

      [3] C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 5)
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.6.1119750077\1782316826" -childID 5 -isForBrowser -prefsHandle 4316 -prefMapHandle 4320 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05e10711-0121-4c06-a364-e2277a40ecf2} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4304 206f6e58 tab
          PID: 2692

      [3] C:\Users\Admin\Downloads\lol.exe
          "C:\Users\Admin\Downloads\lol.exe"
          PID: 2268
          - Executes dropped EXE
Downloads (files written during the run; the report lists MD5/SHA1/SHA256/SHA512 for each, omitted here)

  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 39KB

  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize: 7KB

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\11b61fe7-17ed-400f-9f66-9ecc2403585e
    Filesize: 13KB

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\22d60eb7-7868-491a-8e38-613361a11c2c
    Filesize: 745B

  (path not given in the report)
    Filesize: 6KB

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB

  (path not given in the report)
    Filesize: 116KB