Overview

overview

8

Static

static

3

Updater.zip

windows10-ltsc 2021-x64

8

Updater.exe

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    405s
  • max time network
    407s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03-01-2025 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Updater.exe

  • Size

    49.1MB

  • MD5

    f0b6329b9fb24e78303edf1b63235179

  • SHA1

    d38813c27e5ce75378f86a2612b6c8c450c31ce3

  • SHA256

    9c99152179e5da930aa6a38b737797083374452c67d09e612e193ea6ae60ac36

  • SHA512

    222dc14217320cf899191d0d47a1706208e68553ad34b3d511b26762aef209eb89879c070e8376558d7300081574e9c5b149d50231adef2021aafc9d19b568eb

  • SSDEEP

    1572864:iWTsb692piMo7VAe4yCwDcGS7T/ZqOBv+:iWgb647qcZqc9n91

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
    1⤵
      PID:3092
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9357a4-9df4-40eb-ad42-273d36602a13} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" gpu
          3⤵
            PID:3432
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0104d39-e60b-48d2-8df9-e595f91f535f} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" socket
            3⤵
            • Checks processor information in registry
            PID:1224
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2836 -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 3272 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808daec0-7914-4025-a932-7fd48a3f6d18} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab
            3⤵
              PID:5080
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eec0e6a-88c8-45ce-948d-e0b0ced2f3bb} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab
              3⤵
                PID:3796
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6175d6a-4db3-4c35-b878-2bdf5cb80128} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" utility
                3⤵
                • Checks processor information in registry
                PID:4192
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23e65da2-a2d5-4286-a28c-a5a91b5eada7} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab
                3⤵
                  PID:4820
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5640 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {067c4eaa-97bb-489a-ba8d-667ced3b5193} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab
                  3⤵
                    PID:3668
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bec29e-47dd-41f6-836c-4d6504950a56} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab
                    3⤵
                      PID:4352

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  544257eee9bd366fe539954be51033bf

                  SHA1

                  5f8ce4a52588ac76c8a3de4c413cc864dd8eeca2

                  SHA256

                  5c5fd42efb2bc58e1be8d21b8ac74ee2bbbc8ce1e50e1a7c1862359a0bf31a90

                  SHA512

                  295903153b8f824b45bc3100be1433add398bdb760a04dc891358ef8949c5d8ab00ac306a4a551d29177fd3f538055acd0393da2237d5c7fe4fa716aeb95aba7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  30KB

                  MD5

                  5b32643fdf8bd2f87a009ea9b0649f57

                  SHA1

                  f7474b4b7d0901a6fa50983ad12acff0dac88af2

                  SHA256

                  e1c827bd2a7ec882cdbd599bf15c2e249efce8623b100bc46e164418bf7cfe94

                  SHA512

                  28b36d5d86b91dcb6a52b11e272ab64ff5f85b5bebfc267d3c7b1e9e62291e9b13a72f2d0f2e3fa03131e48ca809879832292c62c5737043f95b8ff0469aac5e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  be84d83878ae6e71e9c64070dd02acd1

                  SHA1

                  b52594d4b2ed52cb5377e6e8eb268ac1e06dc52f

                  SHA256

                  c260beac7069114eb2df105498e4a508cfc488b699b798d254300304bec96443

                  SHA512

                  b36b65ba01a06d178aa15e0dbd272c2f578712f73aa6dbfe9f05d5de3eb0330f51cb42981856b0454ce9f8b1c5568c1aef4053710e293a22b7af381832aef308

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\7fc5fe56-e14c-4bb8-8ecb-11b0c2d7ca39
                  Filesize

                  982B

                  MD5

                  84b7a1b2d06527ea5002bdf040ddbfd4

                  SHA1

                  554b417fadb2a9872b96b0cffcd1ba2dfa1bb40e

                  SHA256

                  5a22e59d6ea0b195c85f125797488c52523d3445ddb274c8be2e1fd817eff21e

                  SHA512

                  95bf128e900d425a2b483a8c0043710bfc8ebdf575ee328553c14bbb561ad6100adb28c9a0ee067a7663858453dd008b87ab053f7e35220d31474ae05a220224

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\afc826e8-fcf2-4651-b0f6-6927187968e1
                  Filesize

                  671B

                  MD5

                  8cb1425ccb496060caec3961470c75a2

                  SHA1

                  60d992383954a6518d9bfcbf4ed150f3c1c36b8d

                  SHA256

                  da060a2487c790a25d97b7532c6e50503d81a9c7aec9cd775f3cb2a2913a9f78

                  SHA512

                  13534261ed7ca994381c402daf8e5652aacda5ae00e55008e70422d1e2ab4a8e905a7d8c0ee35bae5eb62d6a83fee7e37dc7fb13da7e9bf64eefe5ae688eb4bc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\d07d0447-a581-46a6-80b4-97131949ce63
                  Filesize

                  26KB

                  MD5

                  b473d9f5682507b0770f329453b1dc62

                  SHA1

                  10e2e6afe665c5b98c83ac0ab13513e93cb32d54

                  SHA256

                  d2787ca44fc641d8435870b2295b20a1cb032e24a13e432d97990b6307b08307

                  SHA512

                  583eac5d4e3aef76b581bac824c6abeda83924286dd4a6d0cb6e821b2ebb3135f4f314e2c8dc6dd16d0ba8beefa81712fb3571fa4967cc9b11c5392ba8522a66

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  3c815e67c0af2d08e4ee59c49d8faef0

                  SHA1

                  a61c719855f321bd8508806d80c6bb0b636cd942

                  SHA256

                  d56844ff98801e8b3b54947bc1b29d67e6a09a43a9d08acc7a68679772509192

                  SHA512

                  950be09d648d3d5ea3f59df518a7af22775d7722d3ec63301e9812e3ae80a28d7c8bf443010ae0faf7de3ab18ed50406ecc511784c1c6de920d48bd9b4f1d673

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  7f48eaf996b2b68632c6d05e3ce39e97

                  SHA1

                  337f4a0a529f3096d260a8538e60a328a126d44a

                  SHA256

                  fdcde034158bc660236816aceeafcd172760044922ac003480a1bd5716875777

                  SHA512

                  0fdcf63527b0736783ca7ba102d6f5f0b05e9c8e8b57fe7f9ad20efe434934045283d9136b6c7aae57fc7d841db507ba253464eb9c85c7943669c6f4580ef006

                  Download Submit