Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    29/09/2024, 07:23

General

  • Target

    patch.xp3

  • Size

    28.9MB

  • MD5

    86cd9cc083018ca45c79ac489e6c1184

  • SHA1

    afcc81bb5d1035941f03318abdf705ba906bb561

  • SHA256

    7167f8dde8c75ec4ce17d67363d6b746cc2337b7b0ddfd649b975479d6bfb894

  • SHA512

    c3ca7577da1fb4a054576bb9330fbfe5b4c765d2cace186597480803f9a4f2d58a364bee8d0794ad2690f90ef39b5028e10e629ccfa8349531c40d8a28d28f5d

  • SSDEEP

    786432:w17uFLmCeV8NAP8aYhIK7cDdgzyxbcwQAastZ9j3ykjLmMnjo:4yQCRSPD8IkchgOxIs/3yUvjo

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 13 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\patch.xp3
    1⤵
    • Modifies registry class
    PID:540
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\patch.xp3
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:1652
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.603240621\257697250" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e5898a-b500-4946-840d-17dd2a86aea3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1800 25af7ad9c58 gpu
        3⤵
          PID:2300
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.98779350\1534852345" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21016 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4357607-c015-4052-b160-1b68fd68d3ad} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2184 25aecae7f58 socket
          3⤵
            PID:3688
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.1347563881\321368392" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2756 -prefsLen 21119 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e611ad5-ac07-4283-8e8b-e42992aa15da} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2872 25afbbb0f58 tab
            3⤵
              PID:1148
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.858402608\1411198240" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3624 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a9e684-bdaf-48b9-8333-33fefdfc2377} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3652 25aeca62b58 tab
              3⤵
                PID:4940
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.444188022\1321832172" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d02ba0f1-7c11-4ff7-98cf-9848e60a8b06} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3880 25aeca5e858 tab
                3⤵
                  PID:64
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.975251668\835105310" -childID 4 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cdfb9d0-5b27-4c82-be56-e35a44bb8c92} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 4872 25afe1d1258 tab
                  3⤵
                    PID:200
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.220935263\1943819463" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {143da7e8-d776-43b5-9d4c-7551454c328d} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5004 25afe5ab158 tab
                    3⤵
                      PID:4288
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.7.1233721451\389706217" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63941fb-1a88-4e73-ba92-54bfff30ecca} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5188 25afe5aa558 tab
                      3⤵
                        PID:4148
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.8.956741962\2097006540" -childID 7 -isForBrowser -prefsHandle 4816 -prefMapHandle 5428 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b567cd-99d0-41bf-883c-63f314541a14} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5548 25afe5ac958 tab
                        3⤵
                          PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    35KB

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\1799007856A9D53EE1FDCD01A316215CC4F68AAF

    Filesize

    221KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\5381ce07-a50c-4eb0-932c-1c19e3962d83

    Filesize

    10KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\de2219d1-49ce-4500-b3b6-094845176c4e

    Filesize

    669B

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    3KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    4KB