Analysis
-
max time kernel
67s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 19:19
General
-
Target
https://drive.google.com/file/d/1lgvRQtHr5k6LUF96USVsAuB2cllxnhwJ/view
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1lgvRQtHr5k6LUF96USVsAuB2cllxnhwJ/view"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1lgvRQtHr5k6LUF96USVsAuB2cllxnhwJ/view2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1972 -prefMapHandle 1964 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89187e62-0f34-40a0-9df4-e1400c778e0d} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb9399a9-a491-407f-addf-76ab7857f549} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 3280 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41b9dd5c-d93d-4afb-a7f3-b4867f937197} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 2944 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb7a37e-c389-48d5-988f-a9c9597dc546} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4460 -prefMapHandle 1456 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {268b566d-974d-45e9-b133-aa5cc3e83da8} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5516 -prefMapHandle 5508 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5dc00b4-b581-4dac-8802-ece01a12ace8} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da08ec61-caa3-4733-970d-351306874a3e} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e119fbb9-e343-4f69-8b2e-0520f2d5a97a} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5904 -childID 6 -isForBrowser -prefsHandle 5908 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf50536-45fe-4808-858b-1eeb662e17ed} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Lockscreen.exe"C:\Users\Admin\Downloads\Lockscreen.exe"1⤵
- Executes dropped EXE
- System policy modification
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3946055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD5bfa102c5f34884225c1351456a573c2d
SHA1aad6cc47f744e083bb80cdcd6a5346e39d199a95
SHA25632b7749de00bfbabde1dae3edf1f8551f9ad66429ff9dbd4384abbe24ed01ce1
SHA5124264e55ed3987fa74276e1b6baedb5d6b491870dd68e42b8fe8da20c667d1ab4b2a969f9386fb94ba82e4b544f3caa1ebe3c7abfc0aafd61130298d1e58a98a5
-
Filesize
6KB
MD556a0113b14e01875269643aad2e68140
SHA1fa07c809018bfa54bef5c7b641f289b37698fb8d
SHA256def89fc0676832031d164a89da8987bb18383aa1fdebfe17cc72d03808947324
SHA512d6d1ca63cc672b369b04f189682e6d81fb59d0b919d8cb96f63275e79735d84aacf466816ad108ff76ec710397ccde330fd21e61738659239e3e3a6b932b82ae
-
Filesize
6KB
MD57d1ac84058e54858ce6b8816f7691b5e
SHA1efce79f460dde885de513169620a2c364305202f
SHA2567c3ba621c86eb9ca07b70a436f0f5dbd3a18818fb37fd66be4c7e17c75243953
SHA512d5cae6142c8dc3cb3fb2554a23c407f8a19b3ce5b4b431d87e47f1cdf4292ca0958abbc8e0b42d081e322cc7a70e2a8eccddedc2f391efc8708f1cb237b19691
-
Filesize
13KB
MD519e4e1af92863a3b9c49a2c636cdb7c9
SHA115e5d571fe9837cf81e35737fd982952cd278749
SHA2565b38606406b98dacf11e7498d711e9315a9ff8608f11167af4211473a051dea6
SHA51213ee5894dd858550895e1c115033b72a78891ef8e71d2eaf2fbcbf16cbafc0aaee5fb8e4291b154ebf359285b8b53d9acd07f25f111adc3c8f41d8e7c3c22af0
-
Filesize
17KB
MD50f7a57cea13d442bc1f3e069a060e30d
SHA15b9780a0c5fb111dd0b07c50513175262c0b2af1
SHA256a363900a3118b4545331b8679d7ce56b8353185889362e21a3f7193df3736180
SHA5126944d6131fd7837bbe757f35177fe765c822cd8e52691c69bd4a032311cda711cff7c0e83e18f0a8b8fe2acd477ddee219563974cf34e5b61f79d9c2d6c0d999
-
Filesize
6KB
MD5b46ae55371c8a02044d824fa01984ab9
SHA1fed763b868f379200a92ffbfeca1555b33dd73ff
SHA25643093d5dea9a6fadd46108b1e178523830d0471d4dfd10d6fcbf0459dc51eb18
SHA51237eb731b75514c20a737ce7da4f7a11a344944075cfb6814a591b2c52bcf12a9b89fbd7ac8bb29d8a830fa67b63bed02a930778653d2a51fbee81e0e256d22a0
-
Filesize
30KB
MD5c19360a08bcce588b36d3400c311ebc7
SHA158318ad180c72a6245886483fade1b7f6f4a623f
SHA2563591ede216c2d729cade2be8d514357cd56966c7be44cedfb0ba9b2a3c20da63
SHA512210c58aadc211c648df9a0b86c1af9928673d31a824dd812634f202630225839f2d74db163d6768e03feb6aeeb29c5821c372f7cbbb2cec814492d270a825c17
-
Filesize
31KB
MD5daf3e4656bc3e9f0d553abc7e03dffc8
SHA14832ae9f210b65b7e05300770405832aa6370c48
SHA2566c3cc8aee148d3583f6f7ed99d3a9a33b8fbb8646d40b78f2ca8edafeb253ce3
SHA512f71c4b3d6351c4852cd3671f99ad20c97fb75657df882f7b866a8356ba45f8ce9d7d6c8c4634c220b91c415e3f3b7384a92a3034b9a8c4b27e40929e39402e6a
-
Filesize
5KB
MD5aa189ad2cf2121139b6951cfc4127583
SHA1b00a393e9589f66c2832e20c3049f13d7a188c53
SHA2569698049d49d241f48a512938b3a9808aa5ef02aa25f4729c4946bdd50d0a223a
SHA51270a95ec66635004a6cb9a60477d6ac997aab8ebb7e6fe8d9d35765caea864ede821a85459d846bcaa99516401d92443c371ae363067f7221247af1c2f06a6025
-
Filesize
671B
MD51adac45bf3c749f117a7e952ff7fced3
SHA1d63725437290bc738b5fae6c080b14d0a9d7e338
SHA25624928237844e98743caabbd8fe49687c646178003fffe013e14246c44646b7d8
SHA512875ccf9e721279d17156ac12906827ba997556c064d8a8617cf8426784f0c84b8ce940df5a161db4fc455907e79392b2f2a66f0c715c9369750a916c77829dcf
-
Filesize
28KB
MD5f4f6bcf4af53ecdbaf78e92d5679619c
SHA127536debcea6ff28a028af57fd19f8ead23d334d
SHA256e2641996394c6ec8e2f193294ed63e5ad507fcbbe2ce317a174a099596f22c35
SHA512956aa27991ca7e1a33c9a3efefd1cb2278d9de98d0092262a1dbd0f2a616da7456487d6f47740949fe46206473174248a8d1fbf25ab7b3145e3a1801798a2c6a
-
Filesize
982B
MD5da991bcca74644fb34eb8613349dbf6a
SHA12b51af8433ff77d58d09c432ed348a34c78f71a3
SHA256ce45f9673edf8fcd83f760f2f05a29f06bff4299bbb2e35495bca7e85caea6d9
SHA5127210d9a9ebffa0157cc30bac7a9158f3f1b62ab38089863fe018df77f72288d8bd31756fa4f1948102abbd7eb0855153c029ee962ade16982f1ab50acedd1566
-
Filesize
11KB
MD56b376afc0c63c0f5b9193d944f21dddf
SHA1618c94feb09bf7cf431d650dc74700f6480ed88d
SHA2566359f34ed0519a8a9c22d7a95f93dc0dcbd0b0042ed0329465e31f8ffa8fec97
SHA512eb4820d0316d187cb053b2e9cb825764e71e099bf6050aefbbd7227bafb569983ef3c8cd68ff20961fbc15202dadfcabd904770e5bd7ac62d0919bc20aa90b2d
-
Filesize
11KB
MD5121ad46b3cf87401bcfac99cfc91e426
SHA12b85027d85ff6843d0238eff6e65f7c54d5b3a6d
SHA256877283fcd45904f2a5ec96d8e7c20839a09ac53d5cda6fa3cc3b99191cb66ca5
SHA5128f7e47008a522ed3e9d034177f77f9fee0cd42e94325ca23c5ba1bccbbd97fd5166933364073975e05ac108593830af7f3b6f8bd91697780e709481d40228252
-
Filesize
28KB
MD5693f0b6f14862d6eb108aecc3d7a339f
SHA10c7ac0e0c53cedb8702a465547e0e796ec921b80
SHA2565ad03cd1c0674047bfb5173bb60af1e8fdb26b8c6949dcfc07ac4391afc5545a
SHA51250c00edc0c61496f2b1d897579ace4e9fab3fd4daba74754c0aae14fd21b3222c4db2c7a52640cc10893a06cbf8757a809d5e040b1fc796e90033cea61064675