Analysis
-
max time kernel
12s -
max time network
13s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
02-01-2025 16:19
General
-
Target
https://drive.google.com/file/d/1tCe23wY3z9BdB1L2hN3AnyGtQolmMKW4/view?usp=drive_link
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1tCe23wY3z9BdB1L2hN3AnyGtQolmMKW4/view?usp=drive_link"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1tCe23wY3z9BdB1L2hN3AnyGtQolmMKW4/view?usp=drive_link2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e092672-6147-4c19-bb1c-bfe58f8c5706} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24759 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c22ca12-f260-4ee7-9f31-cc078449f69d} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1404 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3284 -prefsLen 22700 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2235f46a-76e1-4985-a0ed-994084389bea} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3176 -prefsLen 29249 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4112c501-7819-4377-9b7a-0e16196244a7} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4360 -prefMapHandle 4356 -prefsLen 29249 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa82eb86-37c8-4300-b2e1-2323963515cc} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50842aed-582d-4e73-acc9-dffcb71346ae} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c99cfe6-b225-454b-993b-77cb8d3984dd} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5844 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3723dea2-ac1f-4fa9-bc66-37699a9007cd} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6304 -childID 6 -isForBrowser -prefsHandle 6288 -prefMapHandle 6208 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fc9d856-cce5-4626-b9d8-80054cddfc5b} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD575091f9d2b4d9b79bc74f1d221d7aff4
SHA1803afb923f61f869dedf098a6515c1720a0f9748
SHA256dd71d8e777c8be62250dbca0b2778f1b4b8c08d1bc537bb9dada46c66d20be35
SHA512c7c018b59e69ec2a17bb065279c2b2bfc2662ce6f3ba241d2bcbbc1423f07b1c55d1fcd3069a46c6b4a21deec3ff14bbd1a84b286c5a0e9104e2cb46bc061392
-
Filesize
5KB
MD59f9241b865ea340a664909b29d30a0f9
SHA19f3ecc5a6466cf6593c5f766278ef5cdbf72434d
SHA256bdde914f3b2d88b1f074bcae19a34ef601e6db8efc03ee23e2f5f60898045825
SHA51255a9dd31a20bb01f84c556b12b6ccddcd85779def05263b233c5d62811e686eff300a892dc8a5b7ac64f56d53d969109b21d7420ccfd3ba8540807716d6b9d5d
-
Filesize
5KB
MD5ea7b41e2ce58033f4dd10d21e0f6d236
SHA19369cac1c6994c19b9b908ba5f71626d6c4e986a
SHA25645d6028178c776a46dcc6d6169ed6d17537872c16a7bc91a557157f7c86f17cc
SHA5129b82a1393313435efcb30bcbfc879df3b6641f35ce9e4718dde9d12b20c51c36fb46df7d6de84b0a573be97642cf5c0b907f8655416276c4a9571bd84daaa4b8
-
Filesize
671B
MD531571e6a12d3438f84f2c07e1811bcc7
SHA14c0d25be765df573b6d5280464ab3d3616f6f478
SHA256db735a6cd0126fb0cca198aad8db8f298de18f392054888c4c0462a293c06c4c
SHA512a92f35aa63394936f7152fa8e9ae9eeb100e459d71eeb6827cfe81145b1db620d68ede6588589bb1210c512c4e39e1c37ac12407cb6e258756722fdb4593106e
-
Filesize
982B
MD5bc7269f5d49a8802960ac85e6e775d99
SHA1f8c1e2ae073ce09495e094d7a6e59800a2415fa9
SHA256198bee0fb390ccb832467f42563e08fb2dd25f52fcb2bea531e15faee06fdfb2
SHA5128ed38fb9c08a9ec39343a49444eb7ce027baace5e9b27761d063c9c70ba8bcb427deb881e03c90e7858921c4f695b9b5550ba7c22f676dea50d883a90d833b45
-
Filesize
25KB
MD56ddb82a62fb956d25427862e3f647b3f
SHA138ae7c5a727b51f2026d2f346ef992c4ae0f510b
SHA25645f1fed602484e7a314f74e81c463493ea6dd41f04ae4f0723502f8c63d020d8
SHA512d80aa5f1f6d90a299012015e390b7c94841e2a2b79fca07ec275d07f3645fb686ab3eb820d15a0e80fb2c2f677aa0be4f8f94b10cb171ab2221622f6d53faaf3
-
Filesize
10KB
MD5b738b5135a7033fb252a6257473ab20f
SHA1276b6e611cd8b357d9aa120f143c6787383399fd
SHA2567889a13efcb4bbc6d128132e95721b42cf5914a6b864df35d51a75a9066d1c57
SHA51244d87765e1f85c4ddcb53cccab299a5f4e3b505f5e7b7b4c6a2970e670f154771eaf9cdabfbe4c2d91b0627ef20a75bb35ad819ade1978e3a8eb97e5ebb85d14