Analysis
-
max time kernel
15s -
max time network
23s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
02-01-2025 16:24
General
-
Target
https://drive.google.com/drive/folders/1-8Ig7ExaeZii1z9PbqUTshhXlZWRz9BC?usp=drive_link
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/drive/folders/1-8Ig7ExaeZii1z9PbqUTshhXlZWRz9BC?usp=drive_link"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/drive/folders/1-8Ig7ExaeZii1z9PbqUTshhXlZWRz9BC?usp=drive_link2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1904 -parentBuildID 20240401114208 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cdcdd7a-7435-4b6b-a7dc-dec027e145c6} 480 "\\.\pipe\gecko-crash-server-pipe.480" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24759 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6966567f-b5e1-48ec-a3d6-7a5c9ff700de} 480 "\\.\pipe\gecko-crash-server-pipe.480" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22700 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f2c0ff-4ab5-4e35-9474-2dd44e98df72} 480 "\\.\pipe\gecko-crash-server-pipe.480" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 29249 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {add2033e-d493-4048-b2af-197f9e9765ce} 480 "\\.\pipe\gecko-crash-server-pipe.480" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4680 -prefsLen 29249 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9304f6a5-045d-44c0-9b72-17194a9e816e} 480 "\\.\pipe\gecko-crash-server-pipe.480" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5552 -prefMapHandle 5308 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cf3b23b-9eb7-4714-b056-9b22048a2625} 480 "\\.\pipe\gecko-crash-server-pipe.480" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5688 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffe36a14-1327-45f5-bc1f-4bdae41f42c7} 480 "\\.\pipe\gecko-crash-server-pipe.480" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4ed211-a694-4503-a09b-18068bc735cd} 480 "\\.\pipe\gecko-crash-server-pipe.480" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5359b7ba8402c20046d26cb1fa2665070
SHA159e6fad54e6f31a869e859e55be0ad2339cb9883
SHA2563a3c424efee16ab27f04668da40e24d1f6b203f1cdec6579974e3185862da31a
SHA512cae3e67b3e960c623b1e29042a86d0efa9d5e20d42a79ea080a738020335eae46208169583071036bc16c12b19fe18149929458dcfffbe2a4c72944bddc75513
-
Filesize
10KB
MD5dd5a8e39d5fa147da201f9510ba65698
SHA1f7bab65754b616af2e81f7a39be4fa566e5161e2
SHA256d99129fde1676a216d25659b46909eb5b90a787ee273e0fb9711e2308184c2a2
SHA5128dcbd17671ff66e31ce44f5d5a3a5ccdb86b8d8ff51ebd520886b29377547a8047f0d014cff2ebfccdfc2c84b2c64c00961f6539301ff4106453f9a2fa517b7b
-
Filesize
5KB
MD5ec9b165e1b568bd922a6fb594556ce9c
SHA16194c626f9ca2139491cb83761e05a83c905128c
SHA2560d8ad73834c41ee51302f3b3c363b5681770f32138c566cf525bcbd8b4675b9a
SHA51275f64da66a476fb79c2be7b47feebbcc5f424dd280d56507604b2aebe2932b9f1b3551b07396ea815d901b66987ca7e1da094c8a5549c62ba01dc49c70a61862
-
Filesize
6KB
MD5fc977880fc7356b87f491f63a5b50e4a
SHA1b981d465bc67c57d8b7e1daa6e33565f1544d953
SHA256c3c85c0606086ccdfeff2af05cfb7485d9c329f1758c58e59181884ef8254cc4
SHA512d8c1ce7faa11b7d6b20ba7fb0e86065eb6a5033fbe7e68b1bd06676b023277cfef4fe15f3a75f4021382ea147896a01ae90e0547105c3fb62982fe06a785fa17
-
Filesize
27KB
MD5c199f7fbc06937114657a77411660a06
SHA180b46097be8151265c983d555e7b65bd5914b495
SHA2563c37cb12ef79bcb3bec6182fdfff6dc1b681e9f8272ad48ed75e4a2afafe66d1
SHA512b15a9c80af1b35abd4f1c1f9f6ba464e4f441a8c87b3055aa57a2af8d864d375011be2f72c080b90ab03cdb629bd4317db7888300ce83a00eedd0adc8cd41831
-
Filesize
671B
MD548b8464fa4398d900eb2e1dfdbe60e80
SHA109a57da49e4f387456bd512506ed39ab814cae17
SHA2569a7044ad640dfe5067364ef59449422cd12f177ffc722706e966f1ea9111321c
SHA512e332666a34de45c2c026db197d5d4504ee174a233c913e709cc928527a53896432bc6c2c154566a31b33de441306115174aad6bacbd252e5ccbf0f3bd9ca9cfe
-
Filesize
982B
MD5f6762f34a8640f2f9ae2935ba78f9e67
SHA1c98648af6632ce57d54b643928d8b2b3c5359a27
SHA25669e77335aa58657090829bad940ab30a69d88a011bc32e5c4a66565de20a35c0
SHA5126ec1986bfefb8e6ebb42ea9077008e1a0c6c7a2b26855eb546095b74d47d7c02acad03e12352de7cf76a47c2381b8ada3e4565e594dee0f4c7486a4b3632735b
-
Filesize
10KB
MD599388fc5fa864591f171794d9a594e37
SHA16b373891311abff695bd5c96b83a0ae172d52544
SHA256350951430340e80fc81e6bd81c6a2bfb1d373725c84239b21186f1c1e7047d8e
SHA5129d8a5b8607f98e09fcd3f90cb2be6ff2270ab69cdbef709a09020d38256c83c26d218ac1545d43f1faaa19be04d83f6d93f53c5ae32737da15fe0d89786dd6d0