Resubmissions

14-08-2024 05:00

240814-fm2g7axbnf 8

14-08-2024 04:53

240814-fjf23s1hqm 1

14-08-2024 04:50

240814-fgndda1hnn 5

14-08-2024 04:30

240814-e4t9rs1gkl 9

14-08-2024 04:29

240814-e4k14a1gkj 1

Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    14-08-2024 04:50

Errors

Reason
Machine shutdown

General

  • Target

    https://google.com

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 63 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://google.com"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://google.com
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.0.691304674\2030878292" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00252f8b-4d08-40b9-91af-bb25e06b5d7b} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 1304 105b7c58 gpu
        3⤵
        PID:2508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.1.559472135\449152266" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c10c97b4-9fd6-4d0d-983d-6455160a2dea} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 1504 d71c58 socket
        3⤵
        PID:2584
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.2.1527357378\222757503" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f512c52-acfb-4731-b541-4e476be733b1} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 2112 1a1bf858 tab
        3⤵
        PID:1548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.3.1947601479\93021401" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2631b20d-b8d3-4ee1-a1e0-f3b7e10b90da} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 2912 1cb45758 tab
        3⤵
        PID:2472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.4.715738488\876194340" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3636 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f88349ab-3c7a-4484-a259-aaafb8e994b1} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 3656 1b028158 tab
        3⤵
        PID:2984
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.5.423569981\1453037219" -childID 4 -isForBrowser -prefsHandle 3752 -prefMapHandle 3756 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ce7c85-62d9-460a-bb58-ab72fe49d2ab} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 3740 1e563558 tab
        3⤵
        PID:2068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.6.15588806\2043691391" -childID 5 -isForBrowser -prefsHandle 3916 -prefMapHandle 3920 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bbaf495-0030-49da-8735-8e53bdc2597f} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 3904 1e563e58 tab
        3⤵
        PID:1840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.7.244941036\389153597" -childID 6 -isForBrowser -prefsHandle 1072 -prefMapHandle 1080 -prefsLen 26882 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0690b779-3cc3-4fb6-880f-027a0e39fe7d} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 4472 d2de58 tab
        3⤵
        PID:376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2676.8.1331837147\1126868366" -childID 7 -isForBrowser -prefsHandle 588 -prefMapHandle 3024 -prefsLen 27147 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13bb6ca3-e6ec-46c0-9a0e-6616599006ab} 2676 "\\.\pipe\gecko-crash-server-pipe.2676" 2408 1cb6f858 tab
        3⤵
        PID:2408
  • C:\Program Files\Windows Sidebar\sidebar.exe
    "C:\Program Files\Windows Sidebar\sidebar.exe" /startTaskman
    1⤵
    PID:3552
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3664
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:3832
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 22KB
    MD5: 6871ab61dc1fdf2dc708bd62250cce62
    SHA1: a9439ac70f6f96a116e9ffab9da94bcc523fe610
    SHA256: 5ff676b3a7ce639b35eb6d6ea4f2bb3a0ce82b068341302b3208bf93bee32dc5
    SHA512: 64333c6c421245ecc1f04e0487d081a549c9d048bb2ea918f06a6b58ae203fd102c35e7fce9ccd0fee4ecb3fa13e28b58655104514a4d6ee0d49036a90af6938

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\C45EB0179CFFFC7B4CA1E522C371AA6043DFB334
    Filesize: 218KB
    MD5: be800710b4abb78eb3f20cb196468a50
    SHA1: b10003d954eb7f3b738edfe6429b233a78c093e4
    SHA256: 3a2b2de8e29b3aab86e1beef3f6469caf5b6665111a43c2aa5eddc3d67be360c
    SHA512: 961fb51b748492d2e60fe18816005df982c77c13f8fd129742fe95199098e853aabbd0c9baa02dae325d4f2e950a47a15b6569d3137d47f215c091465f7cfe69

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 4KB
    MD5: 550928a2d87733cc2d00e96513d33659
    SHA1: 9535a23cc6bf3c332ccb0dae9a093cc4a55c7a5e
    SHA256: 7cd62c81b4798f50cf53713d07cee5f3976029f5a49b62455853f2bc053748e7
    SHA512: b23e3180287f541e926ce43fc4569bee2de451acdc4e7746e41f018748ba4cae14b423e64ab6a22784773ce24706082f0de1e4773ff17b91aa2464d140e486fa

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 857312f5e0ed398ffb3471cb2eb788fa
    SHA1: e66ec809320bfd28a336345eb47ca2fb62a6a77a
    SHA256: 9b12bb4e032fd3e65f4de623af2f92379be0355dcdd2e76276a178de33729c15
    SHA512: ef17b161a4ba57b897d3ca4c1cb4a5ccf2fdafb97ce38acdfd97f7bda6951570df3df19333c51648581f6f965482cf62d6c8f27c024ebd3d13144793b1fcd024

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\2a0f7950-1b2b-4aef-ae57-07f00bfb290b
    Filesize: 745B
    MD5: 46d91efddc42d892495f38ca923692a0
    SHA1: 2d6c2551d0ce671c589e1652d4f2638335421857
    SHA256: 15d77460ffbcf33f5151693574f0a426b2714e2c2adc22b5634e60cfedeb68db
    SHA512: cf09ecddf9a0c3a32eec5c3bd855b40dd10aa826564b6a595c6902f63538eebeaa8c5c793c110d8cd4f056eef9b7296f4ee3cbc69050a404fb735909e19e9c33

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\ac67957d-c24c-4d89-b547-e74af386597c
    Filesize: 11KB
    MD5: a3586cd8b16d1122f7b116078cebb225
    SHA1: b453388263245a9c1d2de17f8c68e1ab83116fff
    SHA256: c29023152212acad502b3752b8f6b5864c290dcd9b9c1c3da6a6b4e44a8bb22d
    SHA512: 2f5ebd43239254bc30973cd6d9572e1356dd00c27c87a77c49cb9f03a22931b37d0da16fc0c89024fd05030b586c5e7af17434621913d6ea154914dd00b798cc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 918a1bcf2ca9635faf120538aec0b94d
    SHA1: 6d8376c3a718133ccf14e7fec4896a6b8fff4a98
    SHA256: 38998b80655703c8d517051ab2e08c4657765a4617437719a080aca41cb6f831
    SHA512: 3852403b8c9a924c12bdf4e49305b5d2266b2f2f5943551fdf5f01ee911f740a36af4de78cdf292d9ebba83d2eb535788851815b0e775b71fc4c84ea99248b9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 8b544cfa57ccf0238786d9d3bd41622c
    SHA1: 21bbc3ebc709e16c8afb5686920eea8250be2222
    SHA256: beadca23e2d1e9af090344f42d386f751cbf8e1ae5c5f4badf1003670341a2af
    SHA512: 525b4c33642660e0f94238b0337dc5c6364d9cd90c9a2872b5fff9aa357c17a59fa8848fc20666eefb5f585992e3a42f80fb72ce92653add6fa1c296c18d9489

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json.tmp
    Filesize: 259B
    MD5: c8dc58eff0c029d381a67f5dca34a913
    SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
    SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
    SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 25782717361476b6dd5bf8b4acd89e94
    SHA1: b3ad2dbeb9b65ef371c1e04b8cf93016cabe6253
    SHA256: 453d498f5b137158453ed4105a9b05c0ae124ae910ae85198df9a5c97e5b9dc8
    SHA512: 8f4933c22f2ec82e9a2b6d2bfda0421060a24c899690543f00636c949952e4225fe6fd2a1ee138ea8480b4b8e0b86a5db37e0a7adca67885f246c5b24a459068

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 932B
    MD5: 44e92c7cafe3448ec27f5f8f4626b1a0
    SHA1: 49ce93256b016cab0df808c349b4a8eabfbb4a1d
    SHA256: e33b50774e99769efc523e49d63b3853ebc812acbb3f7a9be26024bbcacda69a
    SHA512: d65394962478c8eaaa41d48db42a5f021c9ff170d7ac9b960b4dcc040d2ef78c571123847d90bf1680923b0d68248ece6c7b486d110554218307157eee7483b0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 8KB
    MD5: bd22cbe32ec0d55cc12993efa20d4065
    SHA1: 7ac291f9a896074761cf06f7b69f1123d8973588
    SHA256: 6a57708bc82afc21c957130e4ff3f39c0826164b0a988ac8f54a938abd30f50e
    SHA512: 134de475d24acbf3db35e16ed222623106fa65cb83ca0311fccf6989aa6dd325e7878aca579b2361176e4e9714ff241a49c2532a2c112dc38fcdba63718e6e8e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 8KB
    MD5: adeeee9c43daf676a85431b1bafbb00f
    SHA1: e3fedf10114b0a4613a5175d81acdb75f0299a58
    SHA256: aedc56a79c4a95702e2759799d58f5e53c0257aa1934f34c55f0b5ff650ee20b
    SHA512: 148fcf857055fb5014dc421f7a1efca376f93732a1e170a74a986fda512b5ebcb438f4df0bdca4a8412b5d37d24cefa3c37ae24c12010aaa25e6da2d7665e986

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore.jsonlz4
    Filesize: 8KB
    MD5: 272c5120e8d796307f8f770b756b7469
    SHA1: 5e4303ff161177dc03a9b57e7a3a66d3c5e92e3f
    SHA256: 7787b0619ad57c95813f525447f5cd0cf7ddc74176b080ddbe1abe064e80dd80
    SHA512: 8a315bec1e31366949e91fa85e0f44c755209412f7c55505b3b97d8523f04eca3e5e837a1fc8c4ca326b3dc894ae1c602628c542083126a56abc1bb47fc7a3e7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\weave\toFetch\tabs.json.tmp
    Filesize: 10B
    MD5: f20674a0751f58bbd67ada26a34ad922
    SHA1: 72a8da9e69d207c3b03adcd315cab704d55d5d5f
    SHA256: 8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792
    SHA512: 2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

  • memory/3664-329-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB

  • memory/3664-330-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB

  • memory/3664-339-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB

  • memory/3664-340-0x0000000002130000-0x0000000002131000-memory.dmp
    Filesize: 4KB

  • memory/3664-341-0x0000000002130000-0x0000000002131000-memory.dmp
    Filesize: 4KB