Analysis
-
max time kernel
186s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 15:17
General
-
Target
https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ce828ff-f4ca-4791-bd38-501d0501a600} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ff64a5-ac3f-4e07-906e-8f384868fcfb} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3224 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1e33bb0-71a4-4472-a1b8-fb0042a1e9a0} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -childID 2 -isForBrowser -prefsHandle 3844 -prefMapHandle 3836 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da0b8a18-ad26-4016-9777-fd06753583bf} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba48238-02dd-48c0-8ccf-149e3864b5f7} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e82d717-8f3c-4679-a3a5-df81d9c008b5} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b820106a-925a-48f5-b501-a50a2082cc88} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {181e59a8-0dc2-48cd-80b3-5e7ae52ee079} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab3⤵
-
-
-
C:\Windows\system32\wusa.exe"C:\Windows\system32\wusa.exe" "C:\Users\Admin\Downloads\Win7AndW2K8R2-KB3191566-x64.msu"1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD511c6b1225d5faf03e3e4ece9f1542458
SHA1e826c1c391dc7b9e36d9daeb4ea35d0d12988b4e
SHA2568fb48346230434f895c8a6686e46dfa0f633a21f87ba41af4565f010abe6a532
SHA512eedb4e51ec9a476677e9ce9619d56e6bcbcfa2d9dd5558c68cda882cf14df9947bfc64f5a408e22abbda5b074c4bd3d2cb5846267af4d50438053b9cb4bb9ff7
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5c633062b7ad4f9672c29fd404dc5ea0c
SHA182475c9d6a561407c65404fbd477b64365824555
SHA2569274e61b10023a892b8b08efeccc50efe6b583a045289e1924cc91bd604b16d5
SHA512ba800c48681705a2f4faaa99d2528ab7218e39763d5a763cfc71269a151939e6c09f999bb8a9bd8fc31a1179580c1292e119600dc863e07220edd700c866377d
-
Filesize
7KB
MD5f6b96a0b456b21f0682bd568206848c5
SHA163dbf8c7ed029876055328402805aceab76f1458
SHA2565a7b8c35c6d656b48d79be282f5492178b66d33cfa9be92c6bead011d64d2c9e
SHA512542b9b34bba3089a2e4582f0b725770f77359cf19afb7829af0cd13042735776f2ff1a50bdcc094a550d579a0cba6793399aab543cddd441c3ccc68f10c642fd
-
Filesize
11KB
MD58ecac19e700ec1d8356765bdd146dc32
SHA1c270a46f039ff4376361ff100104d098a0d78cda
SHA256cf51e64938ba1e87a08aec6d0bacc764e35a0fd3c5d7753dcc10a316a8c94273
SHA512a2a0fe6ba2a78d84c98dae3a13627503e25d01c15ed4b8b83dc6655ed4c4f40cfadff20dd4b4a6355f4c340dccedc81cb9116acecca3f627d3e1b79b84dae3d2
-
Filesize
5KB
MD528a6f3377cfc8d67cea83f42c7bb8545
SHA1a431eb1be49a062a115212197a474dc0c3ca0684
SHA2569f474d40500d28fd1228a879c32f660272a75b7c42cd6656b0fceb5965399027
SHA512bf0668ac6a72dcba75a5b9b2f9d452fe72e551cf9b857caff5d12b25e244939923c3f00c980192a18f0052915b1308670de8f3f8cbedecd4be389a1efd56c637
-
Filesize
6KB
MD518723c3c851f8df8daf9a0a1a9c811a5
SHA1b3277ebafb1519759b44adff42d8da262aa99c78
SHA256b7dc9cfba5f837e611933d8e1ca568b6e2378e31b1edebcf51d855c00209eee9
SHA51212dc476fc013feec56b5027fda13278e48a948e8dcc25cd79fd8f8c0f89e5fa511c68a48a681763bdbdb133f8debf4032004c55341ba1350f901d2440ee7fcce
-
Filesize
15KB
MD52e295d1b2d0ae2b6dc2a4810021aa370
SHA11a5b7c9a0428510426d384ff3d63db774fbfbbdf
SHA256041f744bc4041c016178bc9b88a66cf539e7f5c5c7f991c9664569115a8ae629
SHA51280f41fd18d67e9f2ff53ead7272516e4b16d33d73ea8610f96aca70c0711ee6489c772be2ba90b8d71890a4f3e30ebb3c37d7c43146baa446a2d78c1f3d2851a
-
Filesize
671B
MD5457314a3eb7095cff5814c8aaea045d3
SHA155ee93117e21f4cec287697099c62610f57965b3
SHA256ed874fab81efb262665a0bae7f384ac4d85ca413ccab245a7b3be40ef75bf6ac
SHA512b07979e580f20f6fe8a6b65390d8b68c79b8c0163c2b403e70cc5ad92c64847cea3739d315dd6e9e1adf32d68b2ae4ee5f820a0127c7a5f345e7d97d1c94afa6
-
Filesize
26KB
MD594a52ddebc8617b1c309000e1864665e
SHA1b64dae989f944bfe8a55c3b95765ee2fd1d69ab0
SHA2565193cdaf0beb671be98f9af1859d92b4f1c238575c4851c498784a0ecc65d12e
SHA5129210fbcc107e4dedd5aafe2bde27d7b536119997dcada72da39d923385a83f6cf9ed367ebc8c5f47c39972369204f297612d229c7fa488dadafc669cbbf715e1
-
Filesize
982B
MD5decddb5eaed5dce463cb731ca1637acb
SHA16ed4c13c66040b0d5e2206d86305a9c28de31775
SHA25626ef4df3d222637aa07ad091cc44badf1e57be1f827583f5c8ad728bc33b84c7
SHA5127d398fdb6f272d240a76a37103b5b262fb95e252c729cd3e8e4bfddc6044d89d75cfbb1775511b8d3d62ca668d6865f981717752eed3d2598a97e39d6dfab44c
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
11KB
MD52d7b03d565499b5cbaa6ac936e55c947
SHA1f0ad85264e9848f61f1fbae0cef36b2fc42e9ee3
SHA256a8cdd59766865d0239171e861ce8055c6411ad3759b503a65aaaaebf153b7fa3
SHA51267d93c1c3d518801d882c486f5ff9872121c9d4d895d77707b2b5cab69f452e1cdc42236d0658a1eca2decb0478f6e762cb251aa7bda58c079e82a644036565c
-
Filesize
11KB
MD517b92c2d3c4c5ce4d4102ac8f3a24525
SHA12b004011f8e676d2f6dcfec656cccb67759bc7e0
SHA25656e68ea0f85a44a8932375a77469a7902c832c13fd5a965e522a7e5b0255b51d
SHA5126927686d8fcbb427c49cc7059379a9a46e6a7a3fcf82c61f6fcdab8c63080a324d21537785605f908107c345e267e346f0cbbcd08be11b05cef374561f43c845
-
Filesize
10KB
MD5b156abad46a3e5c02443365fb0dc4b4d
SHA1d7a086e6263fd6ca6fdbcb0bb0398b4a91bbc37c
SHA2565e0d20026230faf26383065886da55935d4aaf30478409e8e9bcc219309a9856
SHA5127483d95794aa75d7c93f9f9bfc7034cc554896e72bd7792d9629ec59d8dc2f374794350d75935f2c5ed07a4e4d6d2ece48f0d2822897a41f1652a09375fbd0e1
-
Filesize
1KB
MD5442aecdc30efa411e4f0e6a3ae15c290
SHA1b4952a96ab25f244d07ca97459fc30035cdcff67
SHA2561091d0ad0be8da43435dac7a954c0ed94bf67e6e377b7755be39fa4809cb52ce
SHA512db383a6cf836259a42e1a0eb41840d041ee7481ed8e0a29469cb64a1fe17de468e018ca3cac91e29250761f6ac27c68a097eddf16f4c67e098a32f8685d6916d
-
Filesize
3KB
MD55be76b5c6429f4f6ab35237aad0f8d64
SHA1a9c67bde0a03b440ceb69c4af420873b42a72f61
SHA256cabd59169bca1fc54665fba5ffbe450f26b05a66ba9b37f907bf6743929199b1
SHA512949681ac1bd1037f4930f173177059620f217e96731dec1a9e2829ef0a247b1414e07e04e81de32100a66646fafd8f9aadb7d0bd5cad95cfd2f516796835b95e