Overview
overview
3Static
static
3Firefox/Ac...er.dll
windows7-x64
3Firefox/Ac...er.dll
windows10-2004-x64
3Firefox/Ac...al.dll
windows7-x64
3Firefox/Ac...al.dll
windows10-2004-x64
3Firefox/IA...al.dll
windows7-x64
3Firefox/IA...al.dll
windows10-2004-x64
3Firefox/br...or.dll
windows7-x64
3Firefox/br...or.dll
windows10-2004-x64
3Firefox/d3...47.dll
windows10-2004-x64
3Firefox/freebl3.dll
windows7-x64
3Firefox/freebl3.dll
windows10-2004-x64
3Firefox/lgpllibs.dll
windows7-x64
3Firefox/lgpllibs.dll
windows10-2004-x64
3Firefox/libEGL.dll
windows7-x64
3Firefox/libEGL.dll
windows10-2004-x64
3Firefox/libGLESv2.dll
windows7-x64
3Firefox/libGLESv2.dll
windows10-2004-x64
3Firefox/mo...ec.dll
windows7-x64
3Firefox/mo...ec.dll
windows10-2004-x64
3Firefox/mozavutil.dll
windows7-x64
3Firefox/mozavutil.dll
windows10-2004-x64
3Firefox/mozglue.dll
windows7-x64
3Firefox/mozglue.dll
windows10-2004-x64
3Firefox/nss3.dll
windows7-x64
3Firefox/nss3.dll
windows10-2004-x64
3Firefox/nssckbi.dll
windows7-x64
3Firefox/nssckbi.dll
windows10-2004-x64
3Firefox/nssdbm3.dll
windows7-x64
3Firefox/nssdbm3.dll
windows10-2004-x64
3Firefox/pl...er.exe
windows7-x64
3Firefox/pl...er.exe
windows10-2004-x64
3Firefox/pl...ui.exe
windows7-x64
3Analysis
-
max time kernel
119s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-10-2024 19:32
Static task
static1
Behavioral task
behavioral1
Sample
Firefox/AccessibleHandler.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Firefox/AccessibleHandler.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Firefox/AccessibleMarshal.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Firefox/AccessibleMarshal.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Firefox/IA2Marshal.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
Firefox/IA2Marshal.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Firefox/breakpadinjector.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
Firefox/breakpadinjector.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Firefox/d3dcompiler_47.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Firefox/freebl3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral11
Sample
Firefox/freebl3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Firefox/lgpllibs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral13
Sample
Firefox/lgpllibs.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Firefox/libEGL.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral15
Sample
Firefox/libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Firefox/libGLESv2.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral17
Sample
Firefox/libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Firefox/mozavcodec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
Firefox/mozavcodec.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Firefox/mozavutil.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral21
Sample
Firefox/mozavutil.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Firefox/mozglue.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
Firefox/mozglue.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Firefox/nss3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
Firefox/nss3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
Firefox/nssckbi.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral27
Sample
Firefox/nssckbi.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
Firefox/nssdbm3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral29
Sample
Firefox/nssdbm3.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
Firefox/plugin-container.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral31
Sample
Firefox/plugin-container.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
Firefox/plugin-hang-ui.exe
Resource
win7-20240729-en
windows7-x64
General
-
Target
Firefox/AccessibleHandler.dll
-
Size
121KB
-
MD5
98815ba20aaab292802f85f0b120089b
-
SHA1
a4960228d83780c8535be5be12ed08b5215b9a3f
-
SHA256
e2c87737cc84259d72301d42f4f62bb842ceff4c2ffdb342a81a694aa7a1e7e3
-
SHA512
68da2f6bfa557167af3ec38de8a711e6b1d22d1dc1892af69a403fd27c7ffd540e6c6c3477c42fa52cdd50835e0dde13084a6760298c1f39a3b8e67128f648bd
-
SSDEEP
3072:zFAh4ZFiJ4J45KIHenM/qIL5y1DmWGeSKWStqFgQr:G4ZFi/D+2L56S6gg
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 31 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE573FAF-7815-4FC2-A031-B092268ACE9E}\InprocHandler32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\AsynchronousInterface regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\AsynchronousInterface\ = "{8E089670-4F57-41A7-89C0-37F17482FA6F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E089670-4F57-41A7-89C0-37F17482FA6F}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Firefox\\AccessibleHandler.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801}\NumMethods\ = "8" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE573FAF-7815-4FC2-A031-B092268ACE9E}\InprocHandler32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Firefox\\AccessibleHandler.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E089670-4F57-41A7-89C0-37F17482FA6F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E089670-4F57-41A7-89C0-37F17482FA6F}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F}\SynchronousInterface\ = "{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE573FAF-7815-4FC2-A031-B092268ACE9E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E089670-4F57-41A7-89C0-37F17482FA6F}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\ProxyStubClsid32\ = "{8E089670-4F57-41A7-89C0-37F17482FA6F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\ = "IHandlerControl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801}\ = "IGeckoBackChannel" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18E2488D-310F-400F-8339-0E50B513E801}\ProxyStubClsid32\ = "{8E089670-4F57-41A7-89C0-37F17482FA6F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715CCE-1790-4FE1-AEF5-48BB5ACDF3A1}\NumMethods\ = "5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE573FAF-7815-4FC2-A031-B092268ACE9E}\InprocHandler32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E089670-4F57-41A7-89C0-37F17482FA6F}\ = "PSFactoryBuffer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F}\ = "AsyncIHandlerControl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F}\NumMethods\ = "7" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F}\SynchronousInterface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E089670-4F57-41A7-89C0-37F17482FA6F}\NumMethods regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31 PID 2744 wrote to memory of 2768 2744 regsvr32.exe 31
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\Firefox\AccessibleHandler.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\Firefox\AccessibleHandler.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768
-