Overview

overview

10

Static

static

10

valo/12803...62.pdb

windows10-ltsc 2021-x64

8

valo/LUA.exe

windows10-ltsc 2021-x64

10

valo/LUA.pdb

windows10-ltsc 2021-x64

3

valo/Mapper.exe

windows10-ltsc 2021-x64

10

valo/Oykyo.sys

windows10-ltsc 2021-x64

8

Analysis

  • max time kernel
    34s
  • max time network
    37s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-02-2025 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    valo/LUA.pdb

  • Size

    6.9MB

  • MD5

    b8f12dbfcae082126347376a7541a4ea

  • SHA1

    e5562e67a479790b33331cb9624d6ba36ea5f286

  • SHA256

    32e156e99c508807c6d7e133f9557d5d1afbccf476f6521f096b437c094ff1e1

  • SHA512

    63c1f729bc408d4192a19ba8c0f66f3ee730ea5e6e631d9698cc23690e8363b3c6183368619cc0ea6010f469008a83c1d4d5f8a360018c18ab094aae962e87a7

  • SSDEEP

    98304:RAwfqlseIm6P3/hDeHtnMH0p0B6oraKbK0regBOF5lI0:bHrdregp

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\valo\LUA.pdb
    1⤵
    • Modifies registry class
    PID:2700
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\valo\LUA.pdb"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\valo\LUA.pdb
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1864 -prefsLen 27181 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f108ce61-5388-48b6-b05c-64975bd7eadc} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" gpu
          4⤵
            PID:3092
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 28101 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2327042b-b47d-49d6-b148-fc72251118cc} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" socket
            4⤵
            • Checks processor information in registry
            PID:2864
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3084 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80ce64da-1ebf-459e-b718-c836d1d6c1df} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
            4⤵
              PID:2768
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 32591 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96dc9aea-b362-4d82-9708-504513977b2a} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
              4⤵
                PID:1656
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 5012 -prefsLen 32591 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45bee12-27e4-426c-bf81-320b6f0bb785} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" utility
                4⤵
                • Checks processor information in registry
                PID:1704
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7a2f2a-a97b-48b0-9d28-5041a5a0847e} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
                4⤵
                  PID:4836
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {745d633c-cd12-4184-b288-5b4bca6d7310} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
                  4⤵
                    PID:1308
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5492 -prefMapHandle 5500 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e34cb16-4e87-4979-8981-b63a6d21e1fc} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" tab
                    4⤵
                      PID:3732

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdszxkyj.default-release\activity-stream.discovery_stream.json.tmp
                Filesize

                28KB

                MD5

                72f749e7dd41fc11048c49ae246eae2d

                SHA1

                af2c75029111a3b4be90ed30802d0b902391906a

                SHA256

                47f77233687ce422fb3ebb5ca297d248f7ee22bab20204b787aa09b07d446a29

                SHA512

                8f2718a41fb4eef4992055bd8bb416dc2de8f83ae71c8395e3a3f9077d2d06fd803c43f6abb1e5094b32a2b2c066a89f2a640287d38b43e385f37a33612d5e52

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                6a14177c361b0a40192f929ad4f7713b

                SHA1

                1b040f54c9417d9f8dfb7f7d685658f03af4d648

                SHA256

                4b0babc923076590c1b77556e0541f869c15f08a3e4cd0d414d5ab5a3db792b7

                SHA512

                1345941f2e561025d9f9335c4d2b14ee8d83c2ed8836ad4116f48d6c63c6504dffdaf179330afce35e808e5766787ac82006759f789edc1e02c180f591001abf

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                13KB

                MD5

                eb44a3544a9b858a0eb988ce48c7970e

                SHA1

                7f50be284cfbf5d9688b16f3008b7d181f94a2fe

                SHA256

                e2a2bab631c23bd7c2ce6fb0b5940d0716a749bdac1e07309707609519eae2c6

                SHA512

                0eff513a5f0c014af48c7615b63eb25b0559205d2564ed6a44fb4c31db77fc47e7d15716ed3fc1d249e7691eaefbbe5ac3ac2b11ebf78f621b052b67c146a7fd

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\datareporting\glean\pending_pings\2385ba6f-39c6-4260-a689-857154ef616a
                Filesize

                671B

                MD5

                8ce02291064ce4ea307e7244b3a26600

                SHA1

                623508a3ff5ea372c02ba87c57da8a4618a8d26f

                SHA256

                d619da276ee5e74793b91d2c1d573d6c7bce85248656c15d82623164869f746a

                SHA512

                c43b3661fd3708fa1423a27698e072cddff1e0f3695e943ac73831f9b0c5bef19471c21eee70ebe598d802562b254623af886787b916f5b1c9a3578c31588219

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\datareporting\glean\pending_pings\819b8abe-cd9b-48be-932d-a08b7dab6d15
                Filesize

                982B

                MD5

                719fd731155c5670ed9234bf940df27b

                SHA1

                0a1e79196240fdb61e95fe4208c9c99d14f2643b

                SHA256

                0a2e2fa4047e04989c61b33de3f35d40bffbb4d09aa88beea8c43f8c0936461d

                SHA512

                48c0c8e4454ac7d51f26745d0e4e610dba0dba7fcb565212fe13ad958180f4964d09e0020be5bbe956f1c3b9425550c858c6c3b56bc6b0bffe0cef1a56e92c5c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\datareporting\glean\pending_pings\99ed43e9-603c-4735-a964-80d058fbe0b9
                Filesize

                25KB

                MD5

                85fbe34f5b755b84ee4fa25796198513

                SHA1

                7520b6c44b8ef109e35d73bb55887f9363c0a789

                SHA256

                5d01dde11969afca932bdf2f909a7f84fbc3bf9db7938d425e095151c807f35a

                SHA512

                01c4faf99a448602b55c8bb01a8cb1d3c0881e249eb8e318f8615be10541f7c8af8ad24527438c2f484d6594eb1dac2f6973c8e48a08b442da43e806b9e6d517

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\prefs-1.js
                Filesize

                10KB

                MD5

                77dc8d243717bcff12816be19ac721ef

                SHA1

                1a6e1cca4f51b6b71bfb4930df16ba483caa3647

                SHA256

                7bb29c87d69537d6de6acf97a0fbd06dda397315e124a3cde0228340c5203223

                SHA512

                c4903181e9205380d26a1f824758a9831bc79d06784ca490c2535cd987aaf1aeba80e7fba30c4284d13889d26c297673df46e9c22407ae1f8e323014f82f3ea2

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\prefs.js
                Filesize

                9KB

                MD5

                aa8f1296d1730d3221e145c2dc1ac90e

                SHA1

                8bc1a4cf0676e230ea2182b4e500a3f1aec4e25c

                SHA256

                b4fbb97fef54d86f65d7cd374d9511bba4cf82bd1cc6b35650bc7dd88c3efd2b

                SHA512

                230720b4a5bcd45e00ed0533a00534d13ee124bf47e90bdd59edbdea1b8c91344e82849ad6fd11a7db47c3c8ef6e120011352c08de47a40648c422b69535a595

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdszxkyj.default-release\prefs.js
                Filesize

                10KB

                MD5

                9fd5dce7b73356a94cf37b4e00d0c08e

                SHA1

                fd98afa2b3a5b3af53a70fc99efddd540d330b48

                SHA256

                2931f18ad9de058183087f7da20752427a92ef09af25496f838219830ada1a43

                SHA512

                a0439a6dbd088384a2ac7805780aeb76ffc331054ff6e33e08953db56af9d494a2aea5ea7b29e34edf22f1267f0e8453d626f5db2c0f4dba89823d11e6233730

                Download Submit

              • C:\Users\Admin\Downloads\b0BMCBMF.pdb.part
                Filesize

                6.9MB

                MD5

                b8f12dbfcae082126347376a7541a4ea

                SHA1

                e5562e67a479790b33331cb9624d6ba36ea5f286

                SHA256

                32e156e99c508807c6d7e133f9557d5d1afbccf476f6521f096b437c094ff1e1

                SHA512

                63c1f729bc408d4192a19ba8c0f66f3ee730ea5e6e631d9698cc23690e8363b3c6183368619cc0ea6010f469008a83c1d4d5f8a360018c18ab094aae962e87a7

                Download Submit