hxxps://img1[.]wsimg[.]com/blobby/go/47674b18-8c7e-4944-9aee-d7f174d6d950/downloads/d474aa31-7302-4c9b-a28d-ce2e24568a19/malversedanger[.]zip?ver=1732036917645

Resubmissions

19/11/2024, 19:41

241119-yektks1kay 3

19/11/2024, 19:41

241119-yedehawldj 1

19/11/2024, 19:40

241119-ydzakssalk 8

19/11/2024, 19:37

241119-yb36ra1hqj 8

Analysis

max time kernel
22s
max time network
17s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://img1.wsimg.com/blobby/go/47674b18-8c7e-4944-9aee-d7f174d6d950/downloads/d474aa31-7302-4c9b-a28d-ce2e24568a19/malversedanger.zip?ver=1732036917645

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\malversedanger.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	firefox.exe
Token: SeDebugPrivilege	3204	firefox.exe
Token: SeDebugPrivilege	3204	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe
3204	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 1608 wrote to memory of 3204	1608	firefox.exe	81
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 672	3204	firefox.exe	82
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83
PID 3204 wrote to memory of 4968	3204	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://img1.wsimg.com/blobby/go/47674b18-8c7e-4944-9aee-d7f174d6d950/downloads/d474aa31-7302-4c9b-a28d-ce2e24568a19/malversedanger.zip?ver=1732036917645"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://img1.wsimg.com/blobby/go/47674b18-8c7e-4944-9aee-d7f174d6d950/downloads/d474aa31-7302-4c9b-a28d-ce2e24568a19/malversedanger.zip?ver=1732036917645
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcd20177-b0b5-4a13-8f68-c78c607a309b} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" gpu
    3⤵
    PID:672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f71b0ae-e6f1-4c79-9cab-9255193b1f30} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" socket
    3⤵
    - Checks processor information in registry
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1332 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2996 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a628f46b-b19d-4528-83e5-18cc6c07c457} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 2984 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c68a088b-08a2-402c-8191-e7b989d5c2c3} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4528 -prefMapHandle 4532 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56f8c053-5e61-4571-845c-15050e5dff85} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" utility
    3⤵
    - Checks processor information in registry
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 3 -isForBrowser -prefsHandle 5748 -prefMapHandle 5760 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bce3a3-ac80-4375-b3a4-3be369996ed8} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 4 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7e4d8cb-6ccb-4fb1-a1ed-6b5bfc338329} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 6060 -prefMapHandle 5748 -prefsLen 27172 -prefMapSize 244658 -jsInitHandle 1124 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2fdbc78-1ba5-475e-9637-b55c395f3464} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
    3⤵
    PID:2852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\malversedanger.bat" "
1⤵
- Checks computer location settings
- Modifies registry class
PID:4368
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\bsod.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:792
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:1852

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a9bd012ea1364024bcbb37962c81e91c /t 2312 /p 792
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
196ea4a3a30ec6c2603b8cfb6b01bd34

SHA1
49aabe603299648aa421c8a8228ae7154b6a475e

SHA256
256020ec74bee6582682d6f591345a551e6e1f45818c6b6fdf4d3eb13806ae8c

SHA512
0fb6080e1588cbf62d59d0e2d840a806d8cc3f74ce5f971b8ed728feddf24d3fb90b3ed48eab8c591c994680b8614837425b8c33eeac289cb8d8d6baf125ed4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c709a11cfc615dd1f88ee7bcb8ae2a50

SHA1
3e8d662907cc2372795821d320d03f0b4a12a013

SHA256
0f57ebec416f34e0a3470874aee6879d9cec856577d0f2fc28697f8b53e3b198

SHA512
6632ca2989f66227b3dd9b7e54af05721f98566f8bd481e35b88ad5d14baa360994b46f72f350851951d38eddafcbad21cb4500f41c7ee943af45a64b438f064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\28d355ad-0597-42e0-ab03-8bcb7780b08f

Filesize
26KB

MD5
42b2b2729e127263c5be82cda7988374

SHA1
95a306d0595035197d130cfab4230eb9f47d9126

SHA256
4599aa2066ba9599bc7b853004469616e35b0a9709210e66407c3b8132652644

SHA512
96e0e86bb7a68aea1317e542f11b76b771733095c6dcc93e9256667e9cf5b52820b892848f73df55000805335af48917dcdf9532eec1dce3ac10b6f3d60b5f58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\39fb70ac-2f94-4e32-9bdd-95534a277be6

Filesize
982B

MD5
bdeb368c9367fa94a35025cb3ec76a18

SHA1
e37d86467495ea8898998b9fe3cda4373b560344

SHA256
b8a0e8315baa083349cce585afc258a01f34c61a391387a92f0b78f8092c5dd8

SHA512
043dfee83cd86c7edbb0e99d8731abbd0b3f4c4528551ffcb92749805cc1f3799894523e50976d6449e42af97ff674f2ba5990c7da55d3b33e1b11505173e370

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\5c64f3e9-a1a9-4b51-b919-4a9c9e56f4c4

Filesize
671B

MD5
da373f818ea4ad77d07b19f6ad52d455

SHA1
dc8f6eddd3631f805940282fd81009147aab40f0

SHA256
6c52e141e0cdf8e7b7d88e82ca73f80c5e23a44b3f2c7eb34196f46d628f0d41

SHA512
3c8b50924e3b9fa87dfd847afd37e0403f53c6e50cb112ee38939fe4fb14e521006f23febcff05d1d4059a184f7c2bcc922b133aff5e57a535d7a142fd354451

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs-1.js

Filesize
10KB

MD5
ecf047dc6cb70b51078ecbc7cbc0fd4d

SHA1
a5b678a73253d18c6dbc36b103b0960f77a8724d

SHA256
e63d47fae3c8fcf9c45a82d778be64bb60d6cbd0725e05853f970e315515f33f

SHA512
d1c1196193d9cdac6a8cbc9c2d4f6ea218c8185e79293af18089a9bb31d28e8a9aef11ac94dd321afdbcf12ceb96297191134d5f9cce1c04390a1d8ed76eae20

Download Submit
C:\Users\Admin\Desktop\bsod.hta

Filesize
1KB

MD5
cf9b7ab65c938b3dee1f3df89d615dcf

SHA1
ae9e038a015524b307588c9c4dfe02bcd94d6b86

SHA256
5254d4cbab2839f51390094d06e53749f6e1179e9851cecb6608798e1af34c65

SHA512
b6270408c87cbf2e69a6c23a61c305d81d3a6c8c5a6e6faf4aa31c03f6f631d28b62c1d26c5e7afe97adde5057dcddc877c3504b21cdb715da45992136cf7394

Download Submit
C:\Users\Admin\Downloads\AjjtNhMV.zip.part

Filesize
1KB

MD5
f341b1cae2f16fb3b8faf069226dbe73

SHA1
11af6d3fade10d83b726cf183250b3151dfad35f

SHA256
3eb839472fbdf87bc8093c976969f4e52fa7f3408ad83d9da8ec8fd4d43f6bf3

SHA512
d1e6beaf92d516867c452a3c01b90c641bfa9097a2be732a7a96ccc1f88086ce599b3cc042129b7973127a3084a8cec74f6a84362c68b9cab5b1507cd21b30be

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads