Overview

overview

3

Static

static

1

SS perm.rar

windows7-x64

3

SS perm.rar

windows10-2004-x64

3

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SS perm.rar

  • Size

    25.4MB

  • MD5

    b66e030532dcc0d334caaa7f30468548

  • SHA1

    93d38ad036622cfee02c84a62dc39d96d05549d9

  • SHA256

    e14c79e6028706a38c1e2f3bb2ab5f17c59c22bb8a430e8cc8e42a7490815659

  • SHA512

    84c2176befd4134dbd06452a797a9d39f446775597649d3f8a52507bab64be4cef6f943ebb199acd60b8671ffb42beb32dde075ec97cbfa98c6ab1f0d0671510

  • SSDEEP

    393216:srFIGBZkGLQ9uYWW96RMf3hp0uWU5a1lwzeg1SWSAOjnpAYAIyJkh3hxWfHC:srF3BWGxYqWfRwUa1WzH16AoqrFkIfHC

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 55 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SS perm.rar"
    1⤵
    • Modifies registry class
    PID:3884
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\SS perm.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\SS perm.rar"
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c479666a-327b-43b0-84da-dd1fde7014c7} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" gpu
          4⤵
            PID:2332
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12862bf-653e-4eb3-a71c-18f87d3f5700} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" socket
            4⤵
            • Checks processor information in registry
            PID:1084
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0794b323-91e8-4a1f-b7e5-e54a60f8da72} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
            4⤵
              PID:2968
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {375f97ac-1a33-43ee-8e31-3c70fc069531} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
              4⤵
                PID:2944
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {618c56e6-2bc6-470f-9bb8-6b10f9e38987} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" utility
                4⤵
                • Checks processor information in registry
                PID:2116
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a7eb990-3a63-43ab-a4f2-2a0da414482f} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                4⤵
                  PID:1204
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5840 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {621be783-7a9b-4acf-aa53-864649f4bcf1} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                  4⤵
                    PID:1444
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8b0cd3-21d8-4fc5-b9bf-4920b1416d44} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                    4⤵
                      PID:388
              • C:\Windows\system32\OpenWith.exe
                C:\Windows\system32\OpenWith.exe -Embedding
                1⤵
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                PID:4352
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\SS perm.rar"
                  2⤵
                    PID:4428
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\SS perm.rar"
                      3⤵
                      • Checks processor information in registry
                      PID:3888
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:1064

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json
                    Filesize

                    33KB

                    MD5

                    ec46285bcc0b2bb4e9a347fe2884df82

                    SHA1

                    42195f4136c43dea5eae79861c8a3598fb785d3c

                    SHA256

                    9e9921df0bb68fe1d6b2f2623e6247e1ec20feb6433a17d042fd8a5c74ddf69d

                    SHA512

                    15707aeb50c94abc94131c0ac4f527c0b75f91f4211f48a266e994d18fec8fa8cfd2044f797852625aa64f7dfab527677a5d6b7ec2f565c4ff15cb4aed95b701

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    f83fe983a9fae267cbfecb0d210cc189

                    SHA1

                    01e73a41bc7bfbad93d9fb1c578f2f34cae03033

                    SHA256

                    7e952260441a01f2ac6d248b4fbd3afeb8c67f892db7007d9bfc2d4ac7d0a639

                    SHA512

                    4c4bb7a687d4a813191fb685036e613d01d6f61158933785dc4f81775ff02bcf3cf4c969c84970e8c0f3e02025a30da14ef07488be2b772da6ab5a6b8cbe30f1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    150093914a51448e866e3f8196a63ff0

                    SHA1

                    d9c72ac3a56acba20e50088562dd247c40ebadcb

                    SHA256

                    ebd44f8fe8996c0de13550e973e07a0a7316c135d6a720c5efab6a57985952eb

                    SHA512

                    623914aeff164af90026f0aeab15f9f001a042f9851c5a2ff73473f425491bd0f8c9279d472c6add4a815c631202fb7a529911bae5a9c1651912a100ea38f84e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\4891495e-96ee-4de3-93f4-facd972a8a34
                    Filesize

                    982B

                    MD5

                    99f51889b49559258b18f80f46a87caa

                    SHA1

                    7581fe2d4a09189f16cddd2ab5a47a7578f7eb15

                    SHA256

                    7cb0f25b858be743636981bda298b856d98c75b182c338d636ea0c98cd85b0c9

                    SHA512

                    71c9c12891ff6fc7a34654b7754426e4c76006d42837eb18c7c236e341f90e8e8c64d0f64506bd1776f192d4e0a72bba031a9a43b1ba11945c4fbe59071d6150

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\548b2992-132e-46c6-a574-a91cd3e9f800
                    Filesize

                    671B

                    MD5

                    e1bc392b8d40e0033b67f54ddf630ba5

                    SHA1

                    d4dfdcff3af37ebdfa42257bad051da6c00a336a

                    SHA256

                    8f6fd77713d48ff043b9b74339dd2b029078ce0cb934444479d4bf8d9f7c765d

                    SHA512

                    bff295e532364157bd6ebd4dace2ad07b32a5ce7c9cc159403614688cb6e671a5aca84b1509d0f6c873d25533147a88b15c1b283238e880d4eafde0b06fc2792

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\7cac7144-c162-4cde-b86d-b5873c90c612
                    Filesize

                    25KB

                    MD5

                    6f8ed27d9b554e20f369487a3595a48f

                    SHA1

                    135f1a9e7e9e1923ce1e25e9cfb1d0c93482f9a0

                    SHA256

                    e74744f00ac8c533f6cfaf16e11a1b64110198f2b83e3e9112d9ff1318c7ccc1

                    SHA512

                    2373dec39c5b5f06c7417453ce7e2df04267e1ea494a7895d181536acf56cc9e7b52e4b137f89f7c41eaacf58e86819fb9d2643bf5f051498c40024c8178e2d3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js
                    Filesize

                    11KB

                    MD5

                    6184255de6100a0bd7aabb1c0f8b2a8a

                    SHA1

                    de52e21a02a8900af31979dc6db54f755cc9e1f5

                    SHA256

                    01f35c2889d8b99f32812000a2ed86fbd5146fa3996fbbcb287396ceeed23dce

                    SHA512

                    9e887f16337a78edd86fc240614119e589e42f5f0e3fa169759c09bce5a291b2e162e02c695da6447c16b0730b6b062f014237b06f79387e3c6c0b767ce179aa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    cfc7db414ff51d131e2f3fc6add4fa90

                    SHA1

                    24cb8d55d4257b873f29a78b5d1e243ef9b556e2

                    SHA256

                    336ea702a673e2709914b03f9ed6a04de0716bd2a95ca3fa73e2ea74226f3473

                    SHA512

                    01dc638bee0f3a22165b760488c28db2e4cf7a6e3681c2b9b1f0e4d22cafb7e3e4c647536551541170d1e7315320db3c110cb121fae7aef8eed45d729e42088a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    0a8ab2f22f490a6e7adee62d4550fba3

                    SHA1

                    8469b118a9013aa5169278d637cd6f19631fc837

                    SHA256

                    c85b1455b3badc21efefc5f1f9a22a1c6c8d336d974a0273c623804ad424b138

                    SHA512

                    8c3edda1ffd35c25960c7a6fb2939241bf3364d7091eb1bd08d600eeba03d7bdd11a6d112099bc1628288bfd9929a00c294030b8b8acedcf6e72a0426b74717e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    a56781facfa06a71228695e8a3be51f9

                    SHA1

                    d6812b71849bdde5153de4fa2e04eefcae4b9758

                    SHA256

                    1ad7b8a276d24a1ad3809aab15a18f943f6f8333ca938f25aaa26c8e430244af

                    SHA512

                    1402cd189f88b0a3fb97b1b03552b471b7672cad3be7bd893501ce9e6f662ee8d6ebaf1b4e7667937520716f90bf1c1083b8c941f5e8fa0fc88edf9d9257128a

                    Download Submit

                  • C:\Users\Admin\Downloads\DijI-49e.rar.part
                    Filesize

                    25.4MB

                    MD5

                    b66e030532dcc0d334caaa7f30468548

                    SHA1

                    93d38ad036622cfee02c84a62dc39d96d05549d9

                    SHA256

                    e14c79e6028706a38c1e2f3bb2ab5f17c59c22bb8a430e8cc8e42a7490815659

                    SHA512

                    84c2176befd4134dbd06452a797a9d39f446775597649d3f8a52507bab64be4cef6f943ebb199acd60b8671ffb42beb32dde075ec97cbfa98c6ab1f0d0671510

                    Download Submit