Analysis
-
max time kernel
80s -
max time network
81s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
28/08/2024, 20:18
General
-
Target
https://drive.google.com/file/d/1HX6S_uPq_r5coCQZaT45P3rTlBx4cPXb/view
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 13 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1HX6S_uPq_r5coCQZaT45P3rTlBx4cPXb/view"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1HX6S_uPq_r5coCQZaT45P3rTlBx4cPXb/view2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.0.1223652683\81634251" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a23f404-b951-4e13-b2a7-6f9057d3ea5c} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 1780 183a67cb858 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.1.796528826\1890524298" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69319e23-fa54-4a5c-91d6-47bd5a7c459c} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 2152 1839b771158 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.2.377830462\849102499" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2852 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5891da-0931-4334-a7b7-437ecf05b1b4} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 2864 183a675a258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.3.1543731419\592251979" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e89e1755-6194-484b-a5ea-483af8cfe7b2} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 3580 1839b763858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.4.321204390\818815766" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4700 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20943152-ea19-4f4b-b141-d29535106e45} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 4772 183ace20558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.5.101532374\1149257062" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85517c9a-397e-4994-b4b8-0d2048f1f633} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 4896 183ace21758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.6.1112730207\1118419376" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b4c1103-ffe1-48dd-97cd-c0887bfc52d4} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 4772 183ace22058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4320.7.1349680553\355159792" -childID 6 -isForBrowser -prefsHandle 4700 -prefMapHandle 4796 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f28b2f4-1156-45fa-a2ba-178b754f55e5} 4320 "\\.\pipe\gecko-crash-server-pipe.4320" 5536 183ade3eb58 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ADIOS.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ADIOS.bat" "1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240B
MD5b653e4e4a2728aa81cf38d9f3e6cd062
SHA1c64eec0002d54b9a9554e0352dac793f4f4f8105
SHA256eff756436e516ef976b25ee7c22a6739056c051e0dfbeb08c81ee7593f40fba1
SHA51299c24f1308511090b88eaf470db32513b23c090bfc1f8fcd8a5db699911b3b40f1f83159666da7c71a9fd7e793fd638bedea87cddcf1ef5c21a9b9704328ebfb
-
Filesize
2KB
MD543fa41cdc8b8ad1dec013d0d589fffb0
SHA1e172369ae73f311b725f349aa281718d0d12f955
SHA256e188b79ff58448e7d8eb0345e05765b0268a57d0e75756e2d96437e2e82783c9
SHA51240ab6a89c801da54e3ec142016d84c0179b449e16a021dca0c544c4ed0ec9af2df5bf688424d1080a7c7b7955e692acc820c4bf077b408a48e8e44efd9f613f7
-
Filesize
746B
MD5b3f956b9a4348fa72c054e1b4a38c977
SHA1c443f61af164a926b745b71aea21a6d64e2c0320
SHA256b8b5b42d5f30621c4fbbc41d1818764fab2707af78881ed063874335d21808d3
SHA51223492da2b16235e87f5b36efeb5fde6d5348bd16898fb3bee4a753ef9f6749bb2792177c0750c54475a4b639e2c2619317c2edabe6d53cd11751b5fafe8c67b8
-
Filesize
10KB
MD55a6ce043a14374c0dfdae8a3b26b8f7d
SHA18fd9c6e58a0230d6402a9ca8d26a70abce22ba5c
SHA25613b77121a433e795853d15f747ebb35ca7fa6b26c218fd87df6e629d3c8cce4f
SHA5124c26d88a2343a3ae4ee2af7ed57b7e2afbc29bba23fe3f9cd43c325fc0b1ddd6fff394bb8c4862543a27e22873f73b33c8fa2411d8ed3d3ccb49785e4f9cbb5d
-
Filesize
6KB
MD5b2c1d30484959e7db023cc51ea52e55f
SHA13606e47caae558427c54a6e8406ba062723b304b
SHA256cd0afcc68d437ac519813f0c9ffa62d071d7f3cbc94879c24dc9bb76aa984098
SHA51213b26ba93091f95f7cb34aac40c511e0c2e7a4da7fb064824f0e627bc24a4b97d1acb2ce9b0b79d222cead439c686541748bd732f13f89b6e60f5066f178f126
-
Filesize
6KB
MD55e21870064290b4089c06f3f8520c1d4
SHA1f9a4411eb7a74a2d76207c0e182a56426bf338ea
SHA25647697e04650b7a533058f5c56768c1978c7d11f0e081609587a745be9e2bea52
SHA5121ee9b58e5a024acb78a74ca872c791620ff41717f7bc84837fc6f4a21e13d1194796689911cff711700420ff0263df0cc67ce567d1218c0604c9d4738af3a3c7
-
Filesize
988B
MD5efc503c30f1dac1769f59406b5e67236
SHA1cfad3b36f4a0eee115de129d9db9bed6dc470eef
SHA2568dee5c35b9c1837460f2c291d68eb826dedabf491f85b5fca968463113bd06dd
SHA51285e136e969e805263be6234754fc84561c9c77d1be4f3f900e671ebdb7899fe0a63fe1afdcef112e58526597498c7c1f1da189b21e5b86965a708acb1b33a4fc
-
Filesize
5KB
MD54299a93d59e8d03124cc2f2484122f14
SHA114aaac7ecbf54915267492d6eb667f0b354750c2
SHA2568caf57ee7667b770b190a9c63567b64d25e429661fd1ebf7b9f605b1cc50bc3a
SHA512a49eb6b2645822edf7e2d6cd9f3e8b75639eebf859cfb0b44e48dbc299130681cac975ebec9e42d080e0cad3bf846037709ac43001b19509e74590ae61f7742a
-
Filesize
149B
MD51d34a2a847ed1723be6c54678d5559a1
SHA1d828e065734d1b41a895097fecc51ec7bf0697fe
SHA256ffef20a3aaa359c688d9198b30b66a06272fed2ebf96e3874af7d8093f9733de
SHA51262b1cd4a6432b9a1f3118d7a8758c69f661a84fe2b8a19c90a36e188d2bd1e15ba7a87f2197480a0bd86ab39ddc547ee2087e46298c1e94d5e906d18ec4ee6d3