46e04464e055963a0624d377f265f01cabb04edbc1fbf881c71b63c81ea57bc6

Analysis

max time kernel
133s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/09/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FL Cloud mastering Windows.exe
Size

31.1MB
MD5

4e777bb75a97ac5478dab6dd3e56c277
SHA1

d714e1cc1357d3cccf8a1d6bf7a35c4661209b6a
SHA256

46e04464e055963a0624d377f265f01cabb04edbc1fbf881c71b63c81ea57bc6
SHA512

e46199ea04dee5fd96cddb73fd8c9ef309739ac5e61243af46bcf0b43b0785d1eb213d11a2123f032082b062971cb80754c01e0960b7a7631880e8d24e587db9
SSDEEP

786432:gEXpxS5bqEvrQiAkdmp4rzFY2ju32NWD2uEr9eJzn/05:gEXpqmEvUnp4BM2NWDGQ1c5

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FL Cloud mastering Windows.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	taskmgr.exe
Token: SeSystemProfilePrivilege	648	taskmgr.exe
Token: SeCreateGlobalPrivilege	648	taskmgr.exe
Token: 33	648	taskmgr.exe
Token: SeIncBasePriorityPrivilege	648	taskmgr.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
648	taskmgr.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4588 wrote to memory of 4492	4588	firefox.exe	76
PID 4492 wrote to memory of 3340	4492	firefox.exe	77
PID 4492 wrote to memory of 3340	4492	firefox.exe	77
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 3500	4492	firefox.exe	78
PID 4492 wrote to memory of 4324	4492	firefox.exe	79
PID 4492 wrote to memory of 4324	4492	firefox.exe	79
PID 4492 wrote to memory of 4324	4492	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FL Cloud mastering Windows.exe
"C:\Users\Admin\AppData\Local\Temp\FL Cloud mastering Windows.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3152

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.0.1769587893\1999726018" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975983d9-1396-4553-8b4c-c88336104ffd} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 1780 2229a1d4e58 gpu
    3⤵
    PID:3340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.1.1893268124\1858679353" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581f5255-76e8-4be4-bd3b-f0e16c30323c} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2136 2229a10c058 socket
    3⤵
    - Checks processor information in registry
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.2.1372622273\742123113" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2624 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cd87b13-2d36-49b9-b28e-21ade8568d46} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2912 2229e39e358 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.3.927240993\938747080" -childID 2 -isForBrowser -prefsHandle 3380 -prefMapHandle 3384 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1f92d9-0453-4355-9736-76d2e8983441} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 3396 22287e64158 tab
    3⤵
    PID:744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.4.1137479987\709234806" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e22ecc7-9d64-4a23-93bc-ac5b2367c1b9} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4404 222a0545758 tab
    3⤵
    PID:3124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.5.953200713\121193490" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d7fc80-f97c-4689-9948-187f166640d9} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4840 222a073ee58 tab
    3⤵
    PID:660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.6.580541966\1646302907" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {195828e0-7b73-4b7f-bc98-e142b1807619} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4968 222a0e86258 tab
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.7.1892855755\708349557" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a55d962-244f-42ba-bd45-72505696afd6} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5140 222a0e86558 tab
    3⤵
    PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0bd9821581ee22e71b03156a33986aa8

SHA1
1086a8c3b86bb970925c5acc8ff5f281d60b5fb3

SHA256
550dc23e4e38b49ff91c0007bfe056b9863191fe2939aad74451ebe05d89b3e8

SHA512
dbf5ce33e6a99ab62ba7ce0a9a71cf8ff5f2590b4ab83b4b1d0e34b5f421638abf94b6bedb00244ddbecf4f55397caa0a3f7b552c881cb6dc3d99f9f873e6400

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\5be4b062-5d23-4ac7-be6a-eae5e06996bc

Filesize
10KB

MD5
29dd0f487f5b1d62753afb359b6a6b1e

SHA1
7d9f2022075d1b571a9f4ced10a6f58a6cbaa6de

SHA256
7432bde8ef3725d809b06a16b01ee63c54804521d01dbf141a8196bf0db7a17d

SHA512
d1295704e93e134c605114e8ddccce1ce9ccaa33db92a89892348b954371f9fc6a8f778319ed37c883a576330a78b913a61c8e44d13543e9c26592d5aba2e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\db34e7c8-67bc-4ab3-990d-dcd9b0553d90

Filesize
746B

MD5
b6d4983fd3df9fd765284cee523ea20d

SHA1
6d0286680db9af264652eb228a6b89914ebcd933

SHA256
201385bf2bc8eb20bb8e8b09e6498a0688c0f6dee9711e527856eda62a9dee66

SHA512
c322d586d44a5ccb549057f738973cabd078fa7d9d4052e03658de0fd17c4e3ae68b89e0203283155f25a9b27abbc7a277cf868673ac202f7c1bcced2319bc60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
1782003212e830c7242d67d2e4851b81

SHA1
b7133c12d2401147df9084b005fc97a43f796137

SHA256
f4ccd1d00553c0143da91280d31c01bfd97b2846073e9c4a43566aefe4a6ef04

SHA512
5c3327892fbd58355747ab906d551f58e7f95df3abe1d9a004b9953f03ad0acc03148518b0f25be88a331179279a9b50225bc1c6842ae64b71bee8eb17a34ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

Filesize
885B

MD5
759aa83798382970918afe364ce00b2d

SHA1
5a5f0fd4084d7ce02748a1b610f70b1686c584c5

SHA256
b5e85e0a75ead13e261a7ceb21de2ea8a29d940250fb6de7e658be3ec3c94a8a

SHA512
231f9f04c618f5bc73e9c7b6a1993f3aa7a126594d5c581221b649981d96ce3cb936d8cca6933016095e5cf28a72a210aec9ff070e6797a1a1bbc444768ceb52

Download Submit