2474b9f9e17523d6002ce1bd0f242ed1082e000d2b2ec5603dc97ed691e0ef9d

Analysis

max time kernel
215s
max time network
277s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meowrara2.6.zip
Size

51.7MB
MD5

5f85bb94f8605cf418b39939cee33d19
SHA1

cdece383d40cc38d899278f059468b9ca3aa84a9
SHA256

2474b9f9e17523d6002ce1bd0f242ed1082e000d2b2ec5603dc97ed691e0ef9d
SHA512

183322eaf01c0cb8663de530449a78075647edee3793e3784c77d5b5b43a4cac08ab9f668f19261cfb7db615ae9bab732f05db9ed5527bddb406a03c34ed2514
SSDEEP

1572864:JjNPxL6HkXAH6a/zu224yT39jVqmVicZ6aYrAsQgpdgwi09:JLXAaa/z8tjVqwiLa/SgC9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 228 firefox.exe
Token: SeDebugPrivilege 228 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	228	firefox.exe
Token: SeDebugPrivilege	228	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe
228	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

228 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 228	3852	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 1772	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe
PID 228 wrote to memory of 3004	228	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\meowrara2.6.zip
1⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1836 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a585fd78-0ca8-4496-a3de-858440e00781} 228 "\\.\pipe\gecko-crash-server-pipe.228" gpu
3⤵
PID:1772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f76a60f-9597-436a-8358-d0312181be45} 228 "\\.\pipe\gecko-crash-server-pipe.228" socket
3⤵
- Checks processor information in registry
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3160 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1360 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2647d8b-a975-44b5-9f1b-74efac753892} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
3⤵
PID:3140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3516 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1360 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {965c8ebd-1d56-4066-be43-7f4c987c2366} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
3⤵
PID:692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3956 -prefMapHandle 4692 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eb671c1-3fb6-4eff-815a-725711e0a0fd} 228 "\\.\pipe\gecko-crash-server-pipe.228" utility
3⤵
- Checks processor information in registry
PID:3860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1360 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b4814ef-d0de-47b0-ad4d-10e14c81ed16} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
3⤵
PID:2948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1360 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c897a99a-4e62-4231-831e-a804aa1d8590} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
3⤵
PID:3528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1360 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50f97e84-586a-484d-9fab-810a338ec4dc} 228 "\\.\pipe\gecko-crash-server-pipe.228" tab
3⤵
PID:384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json
Filesize
36KB

MD5
65cacca4c970280eda43ee1c2c7e7717

SHA1
f4162761fb2cd0a5e8d38bd8ddc2b96a7ce00361

SHA256
60935d0cafe0e2849993bbfb6a0d62d15f2c25625cc809bdb44b07c0ddec2bc6

SHA512
a44a99d2a880f779c52a0fa087a41c3c91bf38fe4a51fb5436be3805762144cad1a8e0407e3aed1cb99bef35563b87ccb8c1f0f88680d75a3092c1042a386125

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
6fb5169d160439360eb41f9053c3572e

SHA1
8194cbd7a4eadd0f0f7f7bc76a172ca81150b1f3

SHA256
b2413e0798c5c51ed4feff7db116fc4b39060a29bef0a638a5abb2b6adcd1a68

SHA512
c48b62fabacb3d865c6817260e7f4c4692c2da8b8670d8af8053dcf08fb7afce494a2d941bb6b75bf72df02331398e42f387a36bf85a1e8843b7c059808e25eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
27d85eff7ed5eca0f7f23e9eb5aadfb2

SHA1
102d6c0c608b7271e43afa680cc8f9a20844987e

SHA256
ff10bf2e5bb42f6ef2c7717d47acd9f58ffc6445021390df78bf48da170e7e7b

SHA512
e9c3420bf9adb1443a7390ce5a80774a4020dd696e6535ebab14176eac4bed9ff00b55ba67a38a2779036e195180534a7d18ba3ded2e7163f5fd8ad2796af118

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\16a04e1b-acc8-4ff6-a696-4ff858d0e1bb
Filesize
25KB

MD5
f4fc6cf520111b7304c6f328f1eb5a0c

SHA1
a8862effd61e7396c590f7bf56cf69cc1a02a5e8

SHA256
0422cf6d4e511be65835ab5dd14b853d1de9588eb8faf05a8320a4987e740422

SHA512
c9438a20d2ab3071071da8cfb5b1ae68ff57260cbe5f5ebba5430e7daa0eb023f9c112bf74803685e209e9796e77add09afba0c78df2f2e2e4bbc6f2d3bd3708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\3bc67f4c-9464-435d-ae9e-6ee19ebfb960
Filesize
671B

MD5
0fab6a1fcdc1d71462b1230ca5169d16

SHA1
d90147eac167e1da5e606e0f0ebf20e8c93818dd

SHA256
4d04bd7c9b6ae1ebfbed20b7f78bbf9e3b3bc28c29e8a068bc9936216d4e347b

SHA512
0362e430184329489647476a2031838c6a38768d32820bc61fa12e8efd15fd4ba8fc24e189f22e376ff30abe019137c69a1e9181a522fb2ae46078778bf71c8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\d2b37c1b-f934-49df-9dae-c1694554fcb0
Filesize
982B

MD5
8249ef8f69f9996c458caa4735befc86

SHA1
4b29ef2bfd927d34919e6958859178839f48a7a1

SHA256
236c80ae215ae19b78426b28fc51d622be76fbf56229665379015ff75c322e25

SHA512
ebea974bfd0eae93358b1624e4dfe6c03433935097b1ab7e574f75c4f8ff6de3c955a287451b4e0de91c5bfee12c3854b321d8d8f69f62bd330d57335e09e725

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js
Filesize
11KB

MD5
6d583ef6525244de7ba9db9d3c0eb233

SHA1
9eaf22523615b2b5f29777894a61985cfc2b0060

SHA256
9c363a474f5a1f29c2a895102a153d91959803f7e15a796772e37cc7958bc2ba

SHA512
8a28c0ec221314cc4f3e764f1cec111610209937a45c2d43e78ee51aeca5fecaf27b19937f3a5c267040a6696d76ba1f7406ad03ea6d0291503762f3c7ff12e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js
Filesize
10KB

MD5
37301e31b2a9dad91b511c88810e1df9

SHA1
329c24f21b11de4b68322be2a16ea41218b83722

SHA256
7c98042aca4560d3b6c6574e030f93e8a206f44b690993882ef52db890f57a9b

SHA512
a725b4708d1c92a748df177104a9dd967ca63934d0c08517af2e15e794fe1b9ae3b16cf5be0292ed3ffb2b4933a0b39cd3757cee1c1aa1c1641cd2aca1eebb5e

Download Submit