Analysis
-
max time kernel
93s -
max time network
211s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 19:05
General
-
Target
https://drive.google.com/file/d/1S56Ksqsb-l0K-F54a66EKNngAM0-AVU_/view?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1S56Ksqsb-l0K-F54a66EKNngAM0-AVU_/view?usp=sharing"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1S56Ksqsb-l0K-F54a66EKNngAM0-AVU_/view?usp=sharing2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c11e06c-13fb-4717-8c73-3bd1cd7c28c5} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {580624c5-02d8-460e-8e20-83b39dce575f} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3330def5-0a19-44c5-8143-458577c33fe5} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f89b7d-d616-4d2b-aa25-6243b74f3e9c} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4444 -prefMapHandle 1532 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43e43cdc-d20a-438d-9834-5d5e3623c379} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5216 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae0655e4-376f-454c-b8b0-b5964218348a} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 5196 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {267ca76c-d6e8-4f1c-9d75-c9ea87ed8f18} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3099294-1abc-4c5a-b0a6-e59d9222925b} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 6 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7f5b9c3-794a-4f13-abab-56505c47c03d} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD5a5ff8ec202b006b7f2d328613d3931e7
SHA1955bcdad1ae17a57f8d3f6afa5cf6d54a8bd8bb8
SHA256836aa67db816894cc524fea7d9fc34d15bf07e853ff74bb36736882969dab830
SHA5124c180b8f60c6468286db109063749038ac5c9ad89070e950fd72f01f88fb42f3eb054eb05bc1af78f860e40148001d4f9e5dcf4ef99937572c67af5e4c6a5982
-
Filesize
6KB
MD58d554e60c8b879cdfbf92a2e2e7aab07
SHA1d466e8278df59dcbe10bad59b6cb17d4bf43f163
SHA256506c24cf54d0c097ce85920a34936263d39e2b09b46a88a7aa149cb3b2ba2cd5
SHA5122788f880cbccc4fcf869995ca06e9fa0ab3f8c462454bcca4d87d7fa82afe388ce906246dc65bcd945d65f885286c92df18d4c98ec6d92a5e9a5955ccc44fde8
-
Filesize
10KB
MD59bebfd95d6732dfb6b28be7f2e77f690
SHA1178852ebe67eb46ce9e73b88d5a9509d0d70c847
SHA256cd51e59123bfedc847e449e0ff9e78abc60839cc1bb60dac26b38b3588b1d147
SHA51261f3552b562c84e547680a5ad31edb752b490ed92fcf3b8ca2d1f4180073e3c1e3ea542ef77276bb9d228255b6309af44f9b06648f6260c427d17c691bba7c3e
-
Filesize
18KB
MD59ded71cd70d1104079e3df43893950de
SHA1f28c86fd5a4462b9174bc049e0abd8f7dce7e803
SHA256932290c5638818dd188d4ea9cabb40a67f0ca7f005315f93bb6ed99532d1344e
SHA512b660bd2bddc0b3928fbbd5fb8acfbf528b4e43248e5dab968708045a409ca6a7a01ade4ac805a960bc2641ba98c261f43a799ee8acc26fa352ee3811435855f6
-
Filesize
25KB
MD5cb7751bdb1551863e7c21c47b565bb61
SHA1468fcff48da3020d1917b3d94c2204f2f4204df7
SHA256ee98bb7aa1a2048396b3323d81bb97121f6b12e47f3281710c0b2ee097767781
SHA5120ebc27333fa14a1679cf560d7ce3075b370509fad8467de7ed9d39fc27a2d20c14777f92207d3dc46f5a3ba43033ae2d5e47894586902d12a6c6d680e30107f0
-
Filesize
5KB
MD52df53e4dc6391c1a7b8d08bca49f2535
SHA11985ed5b94a4a63efbf93b2818362bd602066649
SHA2560aefb83fdbd3485d92516722cdfe86a21bc74c8b1ac63e78497b324f81ea4142
SHA512605d95cbe812243d6b255f4a3a5f043ef6f275809574e620801cded4196cbc5afad6ed1d2492828847e2321844badcb2787deedca5bc9600382575549e87bec6
-
Filesize
6KB
MD5b5b8695ac24b899f98db4b1fff48cdd2
SHA1d5fb3911615fb235105a1aae64e2c679e060b606
SHA2568e223494a7837b512570e95a8bc078d4ceacf90e7d3db193dadf53f90ddc0915
SHA51271cb4b3a0b70958486ce1599f77f896622d3cb6fa6c04bd31a048b961e994c30dca7d0d228171bee68a8cf2e2f33ed2b947ae810a12192c319610ce0c0af58e0
-
Filesize
26KB
MD5d3f9517d91879cc54bfe8964d3887976
SHA1352138ad642888b9097b6bfe58c1677c3673022f
SHA2565a5287cfe392a56b3ca05aaaf7a30162999516d3a751266efe792ea6895abc2f
SHA51259650996e63539f64dc8cfb4e7512c00000fba571477e5ec63402795685ea33ff4bd3d98e34db5819d683394c720cd2af91211a2187edaf4d295221e753ea6b8
-
Filesize
982B
MD55f5e14b82d58766e19cec6e658b31992
SHA1847967d797fcb1a3d6123a05817bc9790bc5f68b
SHA256d9ea2d913bd5db87d31a1fa3e2629023fba4effc89fd503483e452b840670bb7
SHA512f95eeaa826534c326eba7e91cb8ef92093b8b5fd57350b3e33664cf81d7ff5daaafb2d02a9ae684d522dad69b3d34eda8cdc614c6bda3a5eb891c1aa8adad263
-
Filesize
671B
MD5a6fbdf010883cc64ff045e3b0262fe68
SHA176bae82b453f969ce894673183fbae7c78b5383b
SHA25628ecdfa95679873fe56ecb04318d69b167db0c723d65ee9281e7ad6181c548cd
SHA512c695a507bdbbc4f15644e814f701c942cdfe958613e050034e5e847f7a44f051dae65a8d69da09cdcda9dafb998a4e70e04a759d16426df4fafb0d8c333a231a
-
Filesize
11KB
MD5f6bb4c4a3fbf42ae89767a26f972206e
SHA175ee0bac76c345f962cc9f4e4671acff4928f7e6
SHA256d8630b9175461437108093b2be9c977ec58f3b36df76ca46b97717479dbb64c3
SHA5121454f1c43d8389de0d847d6c8b18544ae8d0940580f217efb47fe9546ab8ce1395ffbd15eb2a2d45e46e227b01621ce0fe982f699126d3821f47341399edc2ef
-
Filesize
11KB
MD5353cec32d344ce1fae5dc2562da1b8f8
SHA10eba2a39c25e9a11cf68a57bf8d51ce32b43477d
SHA256ee9c41329964701ab32fadbff87416e51212c8872f573357695394c7effdfb19
SHA512cad53953c351ed32621e61cac83c5d1d35494f7b4683ec28b41427a2d529eb6a90db3625b73dfe5b28d84769f371bcf69f5c4ad93f81a6054f6d283c4cece9f1
-
Filesize
11KB
MD5dfa6c87cb986bdb146260b93a9ec97f9
SHA14e115f04de5e2ea9e00d229f75e3adfeb3a9ff96
SHA2565d622fa8fad91f33cd56d136d2a99567dddcbeca86d778c62bb912b6c678d473
SHA5121c99c7edfbe3f87df39eefa8d87ac21c227299e45e03678a1030aaa06ad5415b04c2dbe4cb210f821a4dc6f32c8578410f4f50ada08e9d38545ed85c331d8eee
-
Filesize
288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
Filesize
376KB
MD5a189f92d14d5ddb0fd5ca892254188b4
SHA14bfaa34f1bf8141b7f135fe837fb38fdd60050f3
SHA256268e69f8b71019289f38aa11e55094d42d890f84a2ba1c5ae6c17e912a1fa04b
SHA512a3b1fb9df9d4eb7e612c0c2f523479e0b7eaa3c1eedd82be85172ad59bede077d23cac2c7d90026df0a09d254bb953fa50461c18932200b5df0c7c36629b123b