Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-11-2024 20:00
General
-
Target
https://drive.google.com/uc?export=viewonlinedocu=d&id=1E51sz2ci3WRZZjUkxYgrNbygHEKi-aWX&data=05|02|[email protected]|26a2237267b448e2506608dcfcf4dfa9|66f6821e0a304a068b8b901bbfd2bc60|0|0|638663375923112256|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|20000|||&sdata=pECSKmGmHKF/6/SX9zf/qrVLaW1haLlHmdb5MiX7k8c=&reserved=0
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: 05|02|[email protected]|26a2237267b448e2506608dcfcf4dfa9|66f6821e0a304a068b8b901bbfd2bc60|0|0|638663375923112256|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|20000|||
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/uc?export=viewonlinedocu=d&id=1E51sz2ci3WRZZjUkxYgrNbygHEKi-aWX&data=05|02|[email protected]|26a2237267b448e2506608dcfcf4dfa9|66f6821e0a304a068b8b901bbfd2bc60|0|0|638663375923112256|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|20000|||&sdata=pECSKmGmHKF/6/SX9zf/qrVLaW1haLlHmdb5MiX7k8c=&reserved=0"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/uc?export=viewonlinedocu=d&id=1E51sz2ci3WRZZjUkxYgrNbygHEKi-aWX&data=05|02|[email protected]|26a2237267b448e2506608dcfcf4dfa9|66f6821e0a304a068b8b901bbfd2bc60|0|0|638663375923112256|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|20000|||&sdata=pECSKmGmHKF/6/SX9zf/qrVLaW1haLlHmdb5MiX7k8c=&reserved=02⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1968 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16fdc94d-1054-4be6-832a-2cc9fed24691} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2496 -parentBuildID 20240401114208 -prefsHandle 2488 -prefMapHandle 2484 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4faedf26-da40-4305-85ef-3ff42e2a2b92} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3196 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a42ea72e-bd3a-4d8c-a879-a81459fe8d3e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 2764 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec502dbe-a826-4cd6-8332-bd9694b85798} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a32019c-f215-45f4-b6de-381bd63f5946} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ab6e4f-1a49-43bf-a3f7-5dbad9dd6b22} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc09507c-f58b-450a-9995-4c7f9d7fd437} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2dfcaac-a023-45b6-83df-a54fb08d81b9} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6244 -prefMapHandle 6232 -prefsLen 29318 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77292557-e375-44a5-863d-7451fd31cd4a} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3448 -childID 7 -isForBrowser -prefsHandle 3616 -prefMapHandle 3620 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {277d542c-054c-40ba-9b65-3526683af3ad} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5737d08d61a696789cfc28eda51ca19d6
SHA134ea67d269f9b9781e74b8f775c28425a484cfc3
SHA256ccefa9a873614060c0746a2b2e176ff1d4def6fba3b5f5df728c59c311b77133
SHA512fca5102419593d63474b5cd5587c3be66be75612a42593e0a557a0a0ad01a398ffe3b9041db85afce5344594124960b9dbf146e12bc8f960a85b464805f05b7a
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD596e73b5fc4428fd98ca24cd0b25bbdc0
SHA19dada8c4bc7da34fba2c4edd8bab6384ce404f9c
SHA256f73f4d15f6e6e3e1977b1b27a555a48944914d6bd185c9921b28e675dde6d158
SHA512b663e2c2c0e7fb208b7b316283ea09426a23e6cefa1e3258708aaf916175a944c2d3864129c11f686854a1ec91e41bbb0c1760412090a43baecc1d65c3d371b6
-
Filesize
11KB
MD56d3663929c7cd51d67af95cc0da9ddbb
SHA172ed1ef52c0d1a8b8a9c00be136c973c94470a56
SHA256b82515ad0eaa3e001e13472bf52be2338b3d01945107fce0a469909df3a2fcde
SHA512960555834e32779768c034ecb58fe452eb38fbbb847bb5ce3b736c7b986a23e8c1b57939632fe32a4cecb2f1cdc60022320a28ff9d1c7a7abe00b91659a66f53
-
Filesize
5KB
MD5a27b98592972f514f21c454610c10f6f
SHA1b5f4e344a57171d5147d582612790c8129d18b97
SHA256c628bac97c0f8527677b9be53d2d586b2f5af8f5a45b79d5112c1efc93e3058d
SHA512d92a8017b2abaf42a07cd5ff1aa42aa6be2d455f9d8dbd6e55a9f04bc788c6d64196324e6b02b009433440844a7f198a7c6c5399afb9af9ff1cd02da24024c23
-
Filesize
14KB
MD57093f70d72e30c917e7d11a080be821d
SHA142354caf74536c03053013c6486c4f03c800e802
SHA256a396f7cbc1afd7667cc7380fd996c42a48ca01c1d03431da90d20c2214138c3c
SHA5120a257565cbb38406ff6be51f0580a55f2e4a4b3fb94fb4cd637f7717e3de4e4458146d5460f59b5d71d5ca5f0bc68147c57849d5cdafd2f4f265244e5203b65c
-
Filesize
982B
MD58305bf8862bdab97f44c7478d8deeda9
SHA1669e5ef44b80d9987267a67e46fff06b640571d0
SHA256d66ae3644b911938d20554ffaf1165418cd2badd1b30bf1ce01cb212f025c60b
SHA51248d53704a5af7bba8d16ed112336ad88882ee54ca3701252fefca68814da985e64f1e7a5b09de59f5dc36733a916306a9424e35655b1d6ac73949262ad591eb9
-
Filesize
671B
MD5e90bf047cba6d32d433570d1d7a78193
SHA106d4387607de93cd76aeaf15a32034d11447d501
SHA2565f6961ebc4a2df48b1b200b5535f7237b304e72c67069eea278366ed06a716c1
SHA51215c2e288bdbda75c9bce76937decd8a5525e289112eb2fc83fa19ff9bb4a0b37962f913ae741c3613e88c58f5d0474002599f1c2d73b44a01c42de818f5a1fc7
-
Filesize
25KB
MD52a69bd7b3144c8db578195d07012da18
SHA1544d50043f5eae0a44261886dede9516bf5970e1
SHA2564ca8870d6388e0ebd902cbf434764b80d7893a784b4a29aa321519fd28e8ea3d
SHA5127e0e2b337c84310c591c0833d5c3c4284aa3f09634ab743f2ed6e27f282427491c5aebf5517c0273c23c44bd833098aab44b03cb173af0a066a0b6efa7d5e48d
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5065c7dcea8bddd7650cb6d097897a4bd
SHA1a5df2d298c233b5286d1b735b4633ed54d74c8d6
SHA256ca5ffc3981b3166c6b0527db9e20dd06f96a53ca5b09b5c0f833650dff98c17b
SHA5123c8da7168d191cebc90df3f1554d1ed8940a711b27ac640569f5338181c474807d9ee0a176bdf96d0dc3dc190833852cff60c53c242f533959d97ae9351d9b91
-
Filesize
11KB
MD54d783b37a7f155f71290e2ea35954e83
SHA17e5c891939cb69207f779d963e41d0aa37b4655a
SHA256a73e75f5590ba2bdd273ee0b467d2e20d7fb30f37eec6504eaf49afdd65e4ef6
SHA5121e695a243db07383ef7f8ea73cd02ca878f260ad6d2c97796abdcd43959adac9b1f2528f7ce38565e75c8db6b9b7bde54d12cb99be1df8a47c9af0740871db86
-
Filesize
11KB
MD52e349a1963ace7810177dff9c0b2f5ce
SHA1cb404680e161c980a96ddc63f307595d54ddc76e
SHA25683824e1ce88fc745f783086e4e17bb8626f26fa7784a70706ac5545285d2387e
SHA5121332eaa823e07b945f03ab8510ee1e4b71bafdbe5dee25bc291c3e74a2bf3fc0b354c5a06ce6e9713a8e2042fd3a5ab0bb8fca72055413ecf653f969269ddcc5
-
Filesize
32KB
MD5284bbcce0beab20b11d57bb9b9ab2a91
SHA179cb811782ae57d95d9e94ed33a5a656d925537a
SHA25647e9b6f9ef57d6224825810c651a7116650ebec2392950c9d97660483ea98793
SHA5124e5a8349f40ab8743bc15c6478e23d9f32f8bf9540fc412f558e1b34bb4845ac0a52f5da661e0d3c1c186e45aa8af4cb6dbeb80f5a3ac8966b53446980ddb490
-
Filesize
34KB
MD56300ef272ba3e58047072be888943400
SHA16bd9a4517bb9b674557cf5dbb0d4e27f8521219e
SHA2568bd337738fb86fc06f9004d242855e4375fc2efd0c7acf4feedcaa4d19112d8f
SHA51224591c881df1e3e846aeaa6219dc8882800b04f417a0c0a2d2fd2b4e0459aa90a5a3a4c9be00ffd0494b120e1c5664e848c299569d3c68c21a0cf534b87c395d