Overview

overview

6

Static

static

1

URLScan

urlscan

1

https://drive.google...

windows10-2004-x64

6

Resubmissions

03-09-2024 13:20

240903-qk85csyfnf 6

03-09-2024 13:10

240903-qejbraxdqm 6

03-09-2024 13:07

240903-qcsgmsxdml 6

Analysis

  • max time kernel
    28s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1960 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1645f51-27eb-42c1-88c5-bc07d114ce35} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" gpu
        3⤵
          PID:2760
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2384 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a86b18a9-3c7f-43bc-9392-5e207931b987} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" socket
          3⤵
            PID:4056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2976 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a40b40f8-bb89-4b99-96ee-8a253950694e} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
            3⤵
              PID:2704
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2732 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9adb5697-cfd5-4473-ac01-b48154305352} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
              3⤵
                PID:4908
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a61c0615-d0bf-48aa-99fd-458ae50e76df} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" utility
                3⤵
                • Checks processor information in registry
                PID:3200
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5288 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fd71498-1268-4cb1-87ac-b3b84774b3a7} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
                3⤵
                  PID:3104
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5312 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c19bff-2e9f-43fe-ac4c-a4da9cfc2ea1} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
                  3⤵
                    PID:4428
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5660 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {489962a5-9a49-4e63-891e-0a18cc604997} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
                    3⤵
                      PID:2212
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 6 -isForBrowser -prefsHandle 6052 -prefMapHandle 6140 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4d0f54-d6bc-4029-989c-f7c256ceed93} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab
                      3⤵
                        PID:2232

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin
                    Filesize

                    6KB

                    MD5

                    6ae0333ff24fd8a85e6fb956ff2b9f7e

                    SHA1

                    78e225e4426319d614a64c18a1b6bce8b3fc1af1

                    SHA256

                    803b7aeb0cc838a6d8b4e88a646ce9c3a32f590216604749d88390830888ae09

                    SHA512

                    972c722d433905402d3335db143669b6453529eb8ddbdf3a9013dfc9636294fb0cc14b77cd18ce790a2c9ea2ff9b05fcf1237ec22a299a720583b677429fc5aa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin
                    Filesize

                    7KB

                    MD5

                    11bba17ad4ce015ba1a0f1a2d04bb43c

                    SHA1

                    9455f5d8dbf055d5fe6efbb5311a8970758fdff3

                    SHA256

                    283aed796c9b3bac49195247c0040823806a05a2fc835e3d556dd665a2aa1e7c

                    SHA512

                    9c7aaf7013f95a6ce87d8cf25a074d5e9946b213d51d6d542ad1da588a048cd687017f0a6ef7079ef765686ade1a998c1d9ebec07f9ad087263f02d7cbcbf687

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin
                    Filesize

                    10KB

                    MD5

                    1aafd1728b95bceaf876ad354ecd77bb

                    SHA1

                    07c3ca544a187cc2c32ab1b05db41ae094f45cd4

                    SHA256

                    29dd2d706884614bd4297d386a45be8ef0471f86fae13cf6da33663d3305e30d

                    SHA512

                    8f908892c9afec95bb0c46220716e94abfba1bc84ef9e727be8e87416a1762a363227c638b1b619a86ec346eda64338cb6fff073f0b9b03c233112d6e0a92aee

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    162684f2b0355f3ccfbd14ee61f8fbee

                    SHA1

                    4b5a1dd7b17170769222916d56c78f43437e505f

                    SHA256

                    424676fcae3efe75dbede6ebe36bd1e0b1558b0a449ebde46a1bc601aefd265c

                    SHA512

                    e81652932ed3230383676e1b22f0072fa8e848480d5e609603226fb73b47df40bd86a87673a033b7adaa1e10239e71c8a53c258aa2f59dfc8f1e3a1b370ba290

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    d7befdd5f91f5e93cbc776ad388f2730

                    SHA1

                    5c285a0a7ca2753c305422c9acae601f1b45a986

                    SHA256

                    3808ec50127de309ae42e2790d38a5d97b17301f5e358ca4d7c8f47c1e01fe78

                    SHA512

                    1135dc83b4264c395e1d64cfdbe7ca1b57fe809df161c2664b123b78530c18e16c36fea181865df912773cd0266037be8de6030848bab1fe05b1aef1cf82512d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\0f6beebf-c44c-4d95-b986-406244f4bce0
                    Filesize

                    27KB

                    MD5

                    dbfb9e70bee5c6bed315c20a85e09256

                    SHA1

                    15a3d4e2bf51bf8d5a0733dc7070d30b00fa5efd

                    SHA256

                    3c75ad7cf55359f4346b9f04aa7583fc7d7c5ff00d1b893ee4de9d347c070cb9

                    SHA512

                    56e27c68712f38426a7baa891799f6ff671cf70f93933c3b74d625b6f2496f6870f7de0c5efc7c0dd8651a8993779cf75bd1cabac54bf67008df5c3c1c408a9a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\4c299918-aae5-4c71-936f-880e49dc7148
                    Filesize

                    982B

                    MD5

                    d8aa8fa3b288f10cfb437011034ad7e0

                    SHA1

                    3cf823fef90fd5f714bb90f6531a399963534997

                    SHA256

                    c03291b8e4d8167be2c1d4a6579cc6a7e22569b8931622c9f86a063f0c0fdc96

                    SHA512

                    6c363117feb922838840248ad0aabbf4bafb8c16900796b1a27f55e3c61d832e8ff500badb2b1347b3b6e87c5a2adce301f0ddb6c015cbde4d392f79cac68629

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\ae47f781-0207-4529-aa4c-fcdb2dc9bc00
                    Filesize

                    671B

                    MD5

                    c8ad08c13b882a8ca33b0eb1a2c9d69e

                    SHA1

                    092f15bb900c588f06d71b0f73777612f61b02c5

                    SHA256

                    ef51f0baa846e4742705071153c257b064fe298128bd09b2a3784b92505e0e50

                    SHA512

                    228a5e15b446be2732fe72d17628941b48f6a4a54c954642a79e6406af1652b9c7ee48883e6ef870af264c66a0fd6f1f50822cd948fa139bbf26cb87500bb362

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js
                    Filesize

                    10KB

                    MD5

                    b2c2c0e30169281913b9f1f845d01176

                    SHA1

                    d7b41e1c1157d4a638f1d0751eb6627e5a59d2aa

                    SHA256

                    67ae549960da74709794e8d1642c7b49c31fea220e317d917709292ab94edd90

                    SHA512

                    8299d7bdd6289760f2e8e6c2a338ce299dca3a3a0c78d621872ab0003a6d96a50e2326f01dc0f5c5ec0344b2a000b7115b3ff6d9c8a5e42a709f9bf27e72fef9

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    a6bd2c2108a2a25f7e1858d8d63fa837

                    SHA1

                    7a4f2790bce94ce50ba06a21776520caff856d82

                    SHA256

                    cfd4ddabe84de6a9f9f8c92d11603c2423fcf7c0ca70c37b629702a51f115525

                    SHA512

                    e8a96eb9d04428baa96aa655229e4e3d2092aaa1ff7fa4b8e8125e9718055877ce70dc68e282757e00db8a6b1baff1d24ceb72be6c58fcb362b13fe1a099cf63

                    Download Submit