Resubmissions

  • 12-08-2024 19:22   240812-x27feswaqp   (score 8)
  • 12-08-2024 19:08   240812-xtbnsavflk   (score 9)

Analysis

  • max time kernel: 17s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-08-2024 19:22

General

  • Target

    https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&
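The Target URL above is a signed Discord CDN link, and its query string is worth decoding before anything else: it tells you whether the sample can still be fetched for a second look, and why a later resubmission of the same URL may return nothing. The following is an added example, not part of the sandbox report. It assumes the documented parameter meanings (ex = expiry and is = issue time, both hex Unix seconds; hm = a keyed tag only Discord can verify) and the usual path layout of channel ID, attachment ID and filename, where both IDs are Discord snowflakes whose upper bits encode a creation time.

```python
"""Decode the signed-URL parameters on the Target URL of this report.

Added example, not part of the sandbox report. Discord CDN attachment links
carry three query parameters: ex (expiry, Unix seconds in hex), is (issue
time, Unix seconds in hex) and hm (a 32-byte keyed tag that only Discord can
verify). The two numeric path components are snowflake IDs (channel and
attachment in the usual layout); their upper bits date the upload
independently of the URL's own timestamps.
"""
from datetime import datetime, timezone
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# The Target URL exactly as it appears in the report above.
TARGET = (
    "https://cdn.discordapp.com/attachments/1271767857734221844/"
    "1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d"
    "&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&"
)

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the documented snowflake epoch


def _utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def snowflake_created(snowflake: int) -> str:
    """Creation time of a Discord snowflake: ms since the Discord epoch in bits 22 and up."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def decode_discord_cdn_url(url: str) -> Dict[str, object]:
    """Split the attachment path and decode the ex/is/hm signing parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # the trailing '&' produces no extra key
    _, channel_id, attachment_id, filename = parts.path.strip("/").split("/")
    issued = int(query["is"][0], 16)
    expires = int(query["ex"][0], 16)
    tag = query["hm"][0]
    return {
        "filename": filename,
        "channel_id": int(channel_id),
        "attachment_id": int(attachment_id),
        "channel_created": snowflake_created(int(channel_id)),
        "attachment_created": snowflake_created(int(attachment_id)),
        "issued": issued,
        "expires": expires,
        "issued_utc": _utc(issued),
        "expires_utc": _utc(expires),
        "lifetime_s": expires - issued,
        "hm_bytes": len(bytes.fromhex(tag)),
    }


def fetchable_at(info: Dict[str, object], now_ts: int) -> bool:
    """True inside the signed window; past ex the CDN returns an error, not the file."""
    return info["issued"] <= now_ts < info["expires"]


if __name__ == "__main__":
    info = decode_discord_cdn_url(TARGET)
    for key, value in info.items():
        print(f"{key:>19}: {value}")
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("fetchable now:", fetchable_at(info, now))
```

For this report the window runs from 2024-08-12T09:51:25Z to 2024-08-13T09:51:25Z (a 24-hour lifetime), so the 19:22 submission fell inside it; anyone reproducing the analysis after 13 August needs the file from the sandbox, not the link. Both snowflakes date to 2024-08-10, two days before the submission.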

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)

    Files downloaded from the Internet are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose ZoneId value (3 for the Internet zone) is the Mark-of-the-Web (MOTW). Windows consults it before running the file; a download written without the stream, or with the stream stripped afterwards, escapes that check. In this run the hit is attributed to firefox.exe (PID 2328), the process that wrote the download, not to lol.exe.

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information (the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor key) is often read to detect virtualised sandbox environments. Browsers read the same key for legitimate reasons, and here too the hit belongs to firefox.exe (PID 2328), so it says little about lol.exe.

  • Modifies registry class (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API (ITaskService and related interfaces) can be used to register a task that runs an application at boot, at logon or at set times, a common persistence technique. No scheduled-task IoC (task name or action) is listed in this report.
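The MOTW and NTFS ADS signatures above both come down to one artefact, the Zone.Identifier stream, and the useful question for triage is whether a given file on disk carries it, carries it with an Internet ZoneId, or has had it stripped. The following is an added example, not code from the sandbox or its authors. The sample stream is constructed in the shape Firefox writes (ZoneId plus ReferrerUrl and HostUrl), using the Target URL from this report; the ZoneId meanings are the documented URLZONE_* constants, and the live-read helper only works on Windows/NTFS.

```python
"""Read and classify a file's Mark-of-the-Web from its Zone.Identifier stream.

Added example, not part of the sandbox report. On NTFS a browser records the
origin of a download in an alternate data stream named Zone.Identifier, an
INI-style [ZoneTransfer] block whose ZoneId is one of the URLZONE_* constants
(3 = Internet). The stream text below is constructed, not captured from the
sandbox run.
"""
import sys
from typing import Dict, Optional

URLZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample in the shape Firefox writes for a download of the Target URL.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://cdn.discordapp.com/\r\n"
    "HostUrl=https://cdn.discordapp.com/attachments/1271767857734221844/"
    "1271767858141073459/lol.exe\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [ZoneTransfer] section; other sections are ignored."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def classify_motw(stream_text: Optional[str]) -> str:
    """Collapse the stream into the verdict an analyst needs.

    no-motw          stream missing: never written or stripped, so Windows
                     will not treat the file as an Internet download
    internet-marked  ZoneId 3 or 4: the file is treated as untrusted
    local-zone:<n>   ZoneId 0-2: present but not an Internet download
    malformed        stream exists but carries no usable ZoneId
    """
    if stream_text is None:
        return "no-motw"
    zone = parse_zone_identifier(stream_text).get("ZoneId", "")
    if not zone.isdigit():
        return "malformed"
    zone_id = int(zone)
    if zone_id in (3, 4):
        return "internet-marked"
    return "local-zone:" + URLZONE_NAMES.get(zone_id, str(zone_id))


def read_zone_identifier(path: str) -> Optional[str]:
    """Live read: NTFS exposes the stream as '<path>:Zone.Identifier'."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS/Windows feature")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(classify_motw(SAMPLE_STREAM))
    if len(sys.argv) > 1:  # on Windows: python motw.py C:\Users\Admin\Downloads\lol.exe
        print(sys.argv[1], "->", classify_motw(read_zone_identifier(sys.argv[1])))
```

Run against a downloaded file on a Windows host, a result of no-motw for something the browser just wrote is the condition the "Mark-of-the-Web Bypass" signature is describing; internet-marked is the normal outcome and means the warning path was still in place when the user ran the file.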

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096

    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1271767857734221844/1271767858141073459/lol.exe?ex=66bb2c9d&is=66b9db1d&hm=6ecb3a274001883d9565202be676f968730be8052a12527b2907a913acb6f806&
      2⤵
      • Loads dropped DLL
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2328

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.0.1383986264\45290650" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1132 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5aa0cec-39be-4646-bca9-7f42402a8994} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1336 106d8358 gpu
        3⤵
        PID:2776

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.1.1609135810\753952264" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b4d08df-6fe6-47bf-b488-a9b0d099a453} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1532 35e3258 socket
        3⤵
        PID:2760

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.2.262101977\1097345499" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb01c03-275c-4e2b-878e-d2138d1ea660} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2072 1066a358 tab
        3⤵
        PID:2504

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.3.265472674\1491460113" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2676 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad284041-84a4-4d8b-8c33-a84800520888} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2692 d6ab58 tab
        3⤵
        PID:1708

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.4.1314924024\1961208842" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 26490 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {145386c1-127d-4408-b2da-7eeb9fbadb96} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4040 1b5f9258 tab
        3⤵
        PID:1596

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.5.1014361544\1718143239" -childID 4 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad8d042-bc7b-4fac-ab4b-90bca684bfc3} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4136 1ed64858 tab
        3⤵
        PID:2468

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.6.1119750077\1782316826" -childID 5 -isForBrowser -prefsHandle 4316 -prefMapHandle 4320 -prefsLen 26571 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05e10711-0121-4c06-a364-e2277a40ecf2} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 4304 206f6e58 tab
        3⤵
        PID:2692

      • C:\Users\Admin\Downloads\lol.exe
        "C:\Users\Admin\Downloads\lol.exe"
        3⤵
        • Executes dropped EXE
        PID:2268
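Reading the tree, every behavioural signature except "Executes dropped EXE" is attributed to the browser process firefox.exe (PID 2328); lol.exe (PID 2268) ran but produced no signature of its own in the roughly 17 seconds of kernel time this run allowed. That attribution matters for the "Checks processor information in registry" hit in particular, because browsers read CPU details legitimately. The following is an added example, not code from the sandbox or its authors: the first half shows the heuristics evasive code typically derives from the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor key (with a live read for Windows hosts), and the second half is a detection pass over constructed registry-read events with a browser baseline, so the browser's own reads do not drown out a payload's. The process name payload.exe and all of the events are hypothetical.

```python
r"""Both sides of a "checks processor information in registry" hit.

Added example, not from the sandbox report. The firefox.exe events mirror
the attribution shown in the process tree; payload.exe and its events are
hypothetical. The registry key and value names are the standard ones under
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor.
"""
import sys
from typing import Dict, Iterable, List, Tuple

CPU_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor"
# Substrings seen in ProcessorNameString inside common analysis VMs
# (QEMU's default, for instance, is "QEMU Virtual CPU version 2.5+").
VM_MARKERS = ("virtual", "qemu", "kvm", "xen", "vmware")


def vm_indicators(cpu: Dict[str, object]) -> List[str]:
    """Reasons an evasive sample would conclude it is running in a sandbox."""
    reasons: List[str] = []
    name = str(cpu.get("ProcessorNameString", "")).lower()
    reasons.extend(f"processor name mentions {m}" for m in VM_MARKERS if m in name)
    if int(cpu.get("logical_cpus", 0) or 0) < 2:
        reasons.append("single logical processor")
    mhz = int(cpu.get("~MHz", 0) or 0)
    if 0 < mhz < 1000:
        reasons.append("implausibly low ~MHz")
    return reasons


def read_cpu_from_registry() -> Dict[str, object]:
    """Live read of the same values on a Windows host (winreg is Windows-only)."""
    if sys.platform != "win32":
        raise OSError("the CentralProcessor key only exists on Windows")
    import winreg  # imported lazily so the module loads on other platforms

    base = r"HARDWARE\DESCRIPTION\System\CentralProcessor"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as parent:
        logical = winreg.QueryInfoKey(parent)[0]  # one subkey per logical CPU
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\0") as cpu0:
        name, _ = winreg.QueryValueEx(cpu0, "ProcessorNameString")
        mhz, _ = winreg.QueryValueEx(cpu0, "~MHz")
    return {"ProcessorNameString": name, "~MHz": mhz, "logical_cpus": logical}


# Constructed registry-read events as (process, pid, key path).
EVENTS: List[Tuple[str, int, str]] = [
    ("firefox.exe", 2328, CPU_KEY + r"\0\ProcessorNameString"),
    ("firefox.exe", 2328, CPU_KEY + r"\0\~MHz"),
    ("payload.exe", 4242, CPU_KEY + r"\0\ProcessorNameString"),
    ("payload.exe", 4242, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]
BROWSER_BASELINE = frozenset({"firefox.exe", "chrome.exe", "msedge.exe"})


def flag_cpu_probes(events: Iterable[Tuple[str, int, str]],
                    baseline: Iterable[str] = BROWSER_BASELINE) -> Dict[Tuple[str, int], int]:
    """Count CentralProcessor reads per (process, pid), skipping baseline processes."""
    skip = {p.lower() for p in baseline}
    hits: Dict[Tuple[str, int], int] = {}
    for proc, pid, key in events:
        if proc.lower() in skip or not key.lower().startswith(CPU_KEY.lower()):
            continue
        hits[(proc, pid)] = hits.get((proc, pid), 0) + 1
    return hits


if __name__ == "__main__":
    sandbox_cpu = {"ProcessorNameString": "QEMU Virtual CPU version 2.5+", "~MHz": 2400, "logical_cpus": 1}
    print("sandbox indicators:", vm_indicators(sandbox_cpu))
    print("flagged:", flag_cpu_probes(EVENTS))
    if sys.platform == "win32":
        print("this host:", vm_indicators(read_cpu_from_registry()))
```

The baseline is deliberately a short, explicit set rather than a "trusted path" check: a payload can live under a browser's install directory, so the comparison is on the image name the telemetry reports, and anything outside the set that touches the key gets counted.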

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
    Filesize 39KB
    MD5 4b43f748854f91d5d74c12150e691a0f
    SHA1 18cf8c429c829922bfb5285a5e161f9a44202b49
    SHA256 b07404dabc0caf2ee2b8225ca0f3bdfa078e8cea0e55e6d5ca6cd506c11a64df
    SHA512 9989ffea02575b47da4efcfed1afe0f54fe03305dcd69117371e6d16dd7b124f301e99d44914f961c9b11ac65c612a754413268977e1cd6f6c4b3acca524894f

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize 7KB
    MD5 c460716b62456449360b23cf5663f275
    SHA1 06573a83d88286153066bae7062cc9300e567d92
    SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
    SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
    Filesize 2KB
    MD5 093abc3c90e9b63d59bd17d2a3901c3e
    SHA1 7825c99dd9284d9630d2c2e2662b688df40cc007
    SHA256 a7876064ea0f31e51ab159cec173c5ea42825fc4307bf5300f50c6be8e7131e7
    SHA512 045d12ae8bf16f2253a8881fc667b15b0342dd1dda1a35a6d3fce1d0256c0bf285b547016cd8e67a798081df304fff8cd1c48d722934a3a44d7d19a6a580ad48

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\11b61fe7-17ed-400f-9f66-9ecc2403585e
    Filesize 13KB
    MD5 308af4194fbd606947c0f7f47bac55a5
    SHA1 25fada8467d2196e29d0e39641d9c29c40562fa4
    SHA256 5ce2829431625446e8091b8f9db1dcae6dd1b4d381820fde3d4c3389e815a8e1
    SHA512 dcb1e96c04eb311e5dede616a16bc94d7b0d9128f46b19c834c2a2f8d3a6841fbc275da0f1475ea14dec47fcbce4e64ce1562b13fc6dd09aa37fb9c64429abf4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\22d60eb7-7868-491a-8e38-613361a11c2c
    Filesize 745B
    MD5 eab8813629e60d799b2f1fad18e9c996
    SHA1 d8a75e273db1d7fe12b2b6fd1e1fa10fed2349a5
    SHA256 31c4beea5bcaf0cf3f2f1f8870d553c6853f2c4961f06561555747fb85ff10c0
    SHA512 9228d50dd97d9dfc8343bcfd2d5c9b50a59f7a147a720185a86f00aa6814ed78d726fc7b001e634790e06745e28b656d02c93626ba95bee16749ae53c8f8a91d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js
    Filesize 6KB
    MD5 f4b5dd54dd22d02e4dd4066355bd3dd6
    SHA1 3c95c37f9d74f8011e26305f2560fe128ab00be6
    SHA256 7e366a6e9f50606ab455db7841a9480250afb6f0df59f1187c4788946792c3d4
    SHA512 fb8c2d38814dd3e724fba54657780cc0f87efeaa3b063b4739de6482db4ac7b798632f7f5e9abec7c81a3c727d470fa4cff273bf2fedf89ffdde6431d8aedcdf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 1KB
    MD5 f5fb78f824913d7b86dc15356eeedf4e
    SHA1 1d8e614eb0ff3f3dad747a474b75f0c6f801d29e
    SHA256 6248bda1b4caa4f806faa746429abb6cfe80d218fdda41d1a82af4ba4e54135c
    SHA512 afaee54954e643d3b36742fd729902d0a5e5573b3d90e683a8ad69b0540a82ddf15742c89aa85e2abd890f3ff5cb02260cb5b852d45bc1a6b3969df4ae8ef7e9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize 184KB
    MD5 bde04b604a1580dd7229a5a5ef7a0149
    SHA1 614b55bd1e65593c6481d6286b3d55bba8405b18
    SHA256 52f549fe2e0968ac2bd70b297a50ce229525344f0c61a1fef4916ac658283117
    SHA512 bafe35a581f5ac4f460dfbeb21f95b44076d1d3b9c60396a717bc9a55f36757ce2df2533c795de50c372f1ab77b865e899a2c55510d293871a3452c9b6dc7737

  • C:\Users\Admin\Downloads\lol.pt_3wJ1Q.exe.part
    Filesize 116KB
    MD5 12cba2756b81789edd8e4413724115a1
    SHA1 f1439b494e6d14f2f188f35720ea98aa00166a58
    SHA256 fcfbb2826e6a4000820fc0c13ec6ff1c91e5f61c713daeea8f8ec7c93842b6ef
    SHA512 0d7bb0e1c4996a760203d9321248f3f2ad60f4e9ae84f4b4c5ce70e35a99d5fa09a43bc361bc181eea6c4d1d50b151262f1687a7a2aaa9e7e57c2689168dcd87

  • memory/2268-138-0x000000013FC60000-0x000000013FC83000-memory.dmp
    Filesize 140KB