Overview

overview

10

Static

static

10

6_stage4exe.zip

windows11-21h2-x64

1

lfwhUWZlmF...AJ.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-it
  • resource tags

    arch:x64arch:x86image:win11-20241007-itlocale:it-itos:windows11-21h2-x64systemwindows
  • submitted
    14-12-2024 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6_stage4exe.zip

  • Size

    45KB

  • MD5

    650e71f1384ee29fd33e354de1abed65

  • SHA1

    4bcd282b3700caf4b7a8533f4fdcc26e81d6322e

  • SHA256

    577c27620d9d8988a19a7829103c3ea9dd699d6dd054de17e5b0adc196ee5061

  • SHA512

    dc5ac1b88ff356f606f76921946e78fd1fe7597f86455e05dc56822fc3e1dd49fc8bf47c1d000f10445b07f60bb89fff6b8139231d06d18380fb7235c8cf9093

  • SSDEEP

    768:bJQpTyuq+xF51363cdLZDau2yG6MuwuSRNcwtFJz+z7GaMKdcqzHx0/d7GTL4h2s:iTyGxX1CcZMQMuwuUt+zTbW9GTpVZbTI

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\6_stage4exe.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:660
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1480
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {448c65fa-f968-4083-b3b7-cb28170c0ef6} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" gpu
        3⤵
          PID:1864
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {150951c2-d55e-4279-b1c4-b95c67574ac6} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" socket
          3⤵
            PID:2380
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1bfbfee-3134-47d2-a776-7cae97ae62b9} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
            3⤵
              PID:3500
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1516 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2816 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0753be33-0c7c-4490-a8e8-adfef65f8e3c} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
              3⤵
                PID:4724
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4536 -prefMapHandle 4464 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7003811a-1efb-4c8f-b0fa-331127fc81e4} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" utility
                3⤵
                • Checks processor information in registry
                PID:4148
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 4556 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b0b13ea-62fd-4f17-8c95-8a1644b93dcd} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
                3⤵
                  PID:4520
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5568 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd792ea-e126-4ce9-9703-657a6d9eb2a1} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
                  3⤵
                    PID:8
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5752 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffc009f-f232-4431-8ff1-0241fc526b5a} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
                    3⤵
                      PID:4600

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\activity-stream.discovery_stream.json
                  Filesize

                  20KB

                  MD5

                  d547eecc8d315e5d58d6f7cd1c50cca0

                  SHA1

                  3c5119ffc1e3236f7055f25d2da1fd9eddce609d

                  SHA256

                  780a8b4a3551aff55bf5321450a8fa304c2f2817eb1af4f5ec3312ed36a4fa08

                  SHA512

                  f9e4fd6c7f1d16a0bae479e8e72bc2d8ac77effd8f94f0e7f57e600746195866c13acdebfa9d3ce48a4829824ee7b5435590b1ff52e2b9f26e997700191efd3c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  15KB

                  MD5

                  96c542dec016d9ec1ecc4dddfcbaac66

                  SHA1

                  6199f7648bb744efa58acf7b96fee85d938389e4

                  SHA256

                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                  SHA512

                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                  Filesize

                  10KB

                  MD5

                  2a1dcc951ac77f558d63009cc483cbc6

                  SHA1

                  37963a13598574febbd42261183132b1acbaddaf

                  SHA256

                  5816cf1b7f9026ffc2eb6350c5470168a80d78758e7f540d2ce5b992b6bb428c

                  SHA512

                  2b48e7c541e60f4c4b681fdec4d6e392b5a5183a3251296272c84839afcaa376133ab494d6fcca9347aaf8f3ecf4bea2056d1ef6eb1bbd1799bf50b9570fa2c1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  63a92f7531a51b5a1aa2b1bfa200c25e

                  SHA1

                  ddee47c83233cac9f25df72cec35c1834c842143

                  SHA256

                  2040808dcff7f44ab036f2b720fdd2dff084c1a0552e80d38c1167418c155daf

                  SHA512

                  dba44f9f4998a12e1ff5ab9044cc4d62723ed0df3a79b3ad26299bf93fa0fbea47d149eb3cd139b353ab227dfbd74e2efac90892912f91c939d03756348d7560

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  9f0282f00687944ed2791de12d61e817

                  SHA1

                  5795e1d7f71b7d5555357845af320c7fa06c8f33

                  SHA256

                  108b9285e943dff21740b1a1c98dd4531cba5d5e61ed6356c91f22e8a73696da

                  SHA512

                  5f1fa5a15ad89c34f945ffba3da8e227962d2f236f8d572da41efdefd3054ba2d12ddf0da3a90a868de1c833396bd032aba46432b2417f20d9f694abc1240b28

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  b19f7c9f84216707ab6d0a8d04c724df

                  SHA1

                  cba6d1d3022efa2da44e1d4f2dab6623c81fb342

                  SHA256

                  dbe09b21d17b34b8685149af282dac3b4846e0b11eb9d10d495a717db0a5e943

                  SHA512

                  e06e8bb7d1fed18468d1cc585d0a32cf585249422a1bb1920dd5c96213a312badc599f79763d7f9ca6d690c701bf23d9a6ee35849411a2fd157cfbac634d40e3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  6111576edaa125ec8c3098627caaa8bd

                  SHA1

                  0f663cc3fbcdf2d788f3d9b71f4d13685a2ac228

                  SHA256

                  1e6d878176ef98b1c309b3a754aac69a4f0048532a4cb0d650419894cfe0f828

                  SHA512

                  42b2771a9b012738d0e89bc833968d04ca920a27517d1cf1a1ab3db00ae833ca3d7f4e21123627b0414cee47fb64ef2d65662706c89d19511686b2437e234fc4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\0f67f48f-edf0-41e1-adb3-2fca23d083ad
                  Filesize

                  671B

                  MD5

                  b27016d5efc0e5b5b73bfb2db5966745

                  SHA1

                  a554b5e68a007f85351802cdcdb150a6db9a135f

                  SHA256

                  fb4bbb468095cde6c15cd6690ded976cd02b3e1472d6de5f1c3a84e0cd607338

                  SHA512

                  55b84cbfa5cb4a5c329ae8cb85564a143ae38d60d3fe9de780b6a6353086fccbe897183254e2ed7976277b5548a0324a184d59de430c0a5e50185232cec53f2f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\4137acf9-2e4e-4318-b1ac-cbf713a26eaf
                  Filesize

                  25KB

                  MD5

                  461a912635129c31740a7e7db6f54353

                  SHA1

                  7ff53e5df1cdff185d35aae29c4a810835cb95d1

                  SHA256

                  675cd68768508c4ee02333afac8c34a00ccb20271f397a2aaa480be7a20027c2

                  SHA512

                  3a1b701236041b08b7891e37c2abee534bed0cd866a2153fa87f74eef72c157328e6a794eda25ff876cd341cf217458d656d4591bbd00ff720823cf42504ad07

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\73f83b55-d7dd-47cf-95b2-255557881cc2
                  Filesize

                  982B

                  MD5

                  bb22812447bf5563696f8e55faf19341

                  SHA1

                  16e4d557df8e3802b944e6d7f5b9ba635e0444ac

                  SHA256

                  868e2a28c530a6b000a8dce433ee04cf4bd55358f4a9395ce79d64677b0d38a9

                  SHA512

                  5cb9218e419a87e873a903f5c2f4b6e55c3f45f6942d37816f35d0a50b81395ec45eea71a93a10dd09c078a98d277e44dba3187b43aef82931fdece6aa73ba96

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs.js
                  Filesize

                  11KB

                  MD5

                  345a6467739ee2cc8b73b918aeb62242

                  SHA1

                  4e8c2a6714e6bd19eeb91fb20656882b53ae5321

                  SHA256

                  1a8f96c1ed6e89da3b46f3e2e59dbc79a2ac979cdc7a289790375d507e8ad690

                  SHA512

                  1f6abac2cae028bde7f517f4ec67bba0145ca07dfcf29942a24f4fda23fe504e08faea8ea30211199ad85ee5b0cd78be0773e9960bfa3207988fcbd4350a9996

                  Download Submit