Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
18/02/2025, 10:22
General
-
Target
HorionInjector.exe
-
Size
147KB
-
MD5
6b5b6e625de774e5c285712b7c4a0da7
-
SHA1
317099aef530afbe3a0c5d6a2743d51e04805267
-
SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
-
SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
-
SSDEEP
3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke
Malware Config
Signatures
-
Downloads MZ/PE file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies registry class 30 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"1⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 27215 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c298d49-3d2c-418c-9c9a-391c78d59347} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27251 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d92c28f-c4a5-4a47-b393-24eebe09e735} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2888 -prefsLen 27392 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b1441c-ae7a-481a-86c8-07ae57c6d941} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4004 -prefsLen 32625 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a47730-5025-4ef9-b8a7-dbf7e68247f2} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4924 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4888 -prefsLen 32625 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93af0a3-3c8f-43a8-9138-e6aaf1c7ce34} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c68ffd6-94cc-4c24-82fe-09f651a9f92e} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a91c7920-0db4-4b5b-b69b-6aa867afea22} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5572 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f83cc59-8623-4b05-b766-edaf04021632} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -childID 6 -isForBrowser -prefsHandle 2704 -prefMapHandle 3560 -prefsLen 27305 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebffcdeb-75da-4269-872a-601ea33bb731} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 7 -isForBrowser -prefsHandle 6388 -prefMapHandle 6384 -prefsLen 27305 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {780c742d-a78b-4943-8cba-616f9bfa5e96} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6824 -childID 8 -isForBrowser -prefsHandle 6420 -prefMapHandle 6840 -prefsLen 27305 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5272ce54-600b-4f03-beba-54a524c20667} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7032 -childID 9 -isForBrowser -prefsHandle 6844 -prefMapHandle 6824 -prefsLen 27305 -prefMapSize 244628 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8afd4204-58d3-440c-a389-682dfc549d43} 4208 "\\.\pipe\gecko-crash-server-pipe.4208" tab3⤵
-
-
C:\Users\Admin\Downloads\HorionInjector.exe"C:\Users\Admin\Downloads\HorionInjector.exe"3⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App4⤵
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5df3f4f459de068fb3b0d7ab2bbed84fd
SHA120e0b63db7534183e0f3193d4a89edbb55518f02
SHA2564db9f81c8530d8b373fc549c506b305bffdd361d501a9bb28dbe22ff925eccca
SHA512738b544bef865b8e29ddf2a3f47362291399c29277d2d4e0481d25eb4f3b5901a38822fac283c66e8059f24a29185d87373e631e5b6217356bd30b0d16b53e48
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
2.9MB
MD53fa9ea1c0b62498bf0e5eeb3301283c5
SHA1b5754ac473b18cdbdad637c634c598a47c737940
SHA2569078b4f782ea6db2ad36063120ffab6ca9e4f4bc5ac4142382448cc3ec803eb6
SHA512509407002956b1159de65cd491d89349b1132d4a5a31daa3023dc86266c5915c9c862ce3e3fad2a1bb04d2e86be28ff3fe68e18f84e2e4de3fc33f4fddebcefc
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5dc65395a34f1728ec5a35088dc1f8ac7
SHA10842bff660509a730ecf2092355d80c1e196fe4f
SHA256ae31ea8083a3d07aa6ef5cda1e6da35a48f453031b957db5831263b15495d97a
SHA512b3a7ad66adf31849300199d0e741f435647d87d09f2eee14385483ecd19fbe740fbc1366719cd45abac1fd4a7210117289e1abaf6138a4dd344cb0cc86578d40
-
Filesize
5KB
MD53f199d00b8de1df95e4c9717d95c75dd
SHA19e776441b2ae6db95b00e11e84b8220a6feccf08
SHA2566c79e2a4fc9ccd472f393223684358f859dae0a2d357b80ad0f8d68448674f0e
SHA51253e69e14a48db81a6a227c9b2ef57aa252b121feae193eb9225f956b2c21326d3ac0c7cf9588a2276b457fb982568772d4cad9afda5b0f1a662a9c7d2f733038
-
Filesize
7KB
MD5415be1b856784d27fcd103677bf924f0
SHA1eb1bd55adf3c5469b3396cc4c9e0325533667344
SHA2564c517eeef73bd7f511758efabe582cd98463a2324389735bd7d6fbc863a1deca
SHA512a40eca629bfd1e1eddd6e647f5427934b85d298200176689c2ab647ebc9b78ab10750ccf57cec0aa79349985b74629c28b3df5b504e68845b182ee1134a996af
-
Filesize
671B
MD5e87317a1c0f1a71dbaacbeec72cba5c4
SHA13b06d9f9877cd24b7fcf441ff37b70154d5a33f8
SHA256b84cd45c77be11f44892b2f9ce541a7068ba866ed04c706a85c41e0eda1f57c2
SHA51211c18424c73c0ec59c245e7f145116baf8a8edb7611f2710ff98afa9d2619bbff3095569f91deebd99889b12b32a3bf482c21f34676606b57b9e9cc7e2159a0e
-
Filesize
982B
MD56e206eff1d3424a75db23341200ea4fd
SHA14160f6b5dc7984b5d609681759cb87c981f508db
SHA256e119423c5a97ec14266a9ddec3d9604390b13fbe56e345dd41b598762cf90a6b
SHA512b87fa168845d71642987e5a0586c007d65434456e25c7017cb4460909b170ac811007c075c8e06a6604226aaa08d0fb0eabda383715c1edf4a0b9472eeb41253
-
Filesize
30KB
MD536335c62293f992839e1cf405c93d60a
SHA111e5326029e5f24099330ef144e1fa9d5dc1fc1f
SHA2566e0c65e2b743f4d58ac3d3f3006dc92ede812f634da8b6116ba79be580c851c6
SHA512ee530d23de0f625f201925e320abd180a3277f93ff45da3c798b18d3528a79bf77a790dd6cfe8973bf5be2abe895a252d7300b507af82a7c8ae2428b6c5ff57c
-
Filesize
6KB
MD5bc7b4bc0fcb09dcaaafbab560f1b62f6
SHA1b618e8c78fdc8e7c4432990d112ceb7b69dfb290
SHA2560ef131d2f5504dd06847c6efb725dd638d613a6e493921590b47469783005a71
SHA512fd578dc7d52addabbbc4283855e72048fabd376692eda74c16b5e7e1a421a976b43b066a0d980f42a77d6fc0e47e5f4ce1e7e868e0df2c2c61bbd71fc945185c
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5be72ab859ad1ee94a44c8b624c9beb52
SHA106b04cfd0b2f24ff54c202ff2cf44fc98cdfbb82
SHA256b4f25af167e5d5b7714d76c912756baf360e8492d6bbc934fceaa45450737bdc
SHA512f6ecc01f6eb6390d95df9e9da4744d39183085bd2c8fc5075f94455b34228367d92b3228c60679672fa20719d53b22990a3483b16731a090b36b88b0559055f7
-
Filesize
10KB
MD55f73929e967587ca139be35ac3f6689c
SHA1e1d9401dc57ef50ec8c81511efed7be509e52434
SHA256f570163fdd0514f22d05788083b2641aa5b20293371f770ad0a73cc3a108a2ae
SHA512231404269e44e76ca3e18c7660cdfabe8e06061336127bb60e5ed50a3adc7c5209c87dee52029307cbcb0ce3fb2ef1cae156e904fe4add0a2f6954f3766da923
-
Filesize
9KB
MD5f363c6efbdbd5c0f042226e5085f9339
SHA1b39889a13a078dbbc7ee12c34c03600a061f8caf
SHA256e621e7671360162bb4ff52689c9c2e3419b88bc171a8ae0002611a0defcd1cec
SHA512b36bd88f8a2cac0743e888b3d36cdf8fb5fecc7b030842d4efa358df30db240500cf64bb12b7083403e7c2e31b5a7246e4d92000705b06c86e0c8a3e205be110
-
Filesize
11KB
MD5fb3698a12cfa7deac013f9fb044b61f8
SHA17f2412306830fddd0f53a04e8b37b61fdf80afa9
SHA2568f3fedb46879b05c8a66920c5e0c5dbf2a7e08ccb30fbcfc58f47ffd77efe867
SHA51269b605e2b08dba9fb85c9e5a0de103051cec8d186e6af203f8795bc2dfef167710290fd43a5f07db21bb43a6e30bda2f5582596d5e2d4dfae66c553e06c91f89
-
Filesize
3KB
MD570902b2e5b1ed5eb56ee01ad5f6cd9da
SHA115e14d44edef1c0ca3fc88b8741e29cad6b7c34e
SHA2564894aa37af0e69b95948323e9a669ef2b5fa77bdebd4afe8a06ca2595f4055e9
SHA51263ee211dd7813d1777053962e2547f0f44d7918bec3ead858ced2fb5a213b2a0d926ea5be60dac3d98e9de79641ac8f769fed06cd8da02ac9f8b8b33ef5f0233
-
Filesize
147KB
MD56b5b6e625de774e5c285712b7c4a0da7
SHA1317099aef530afbe3a0c5d6a2743d51e04805267
SHA2562d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
-
Filesize
1.8MB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
744KB
-
Filesize
160KB
-
Filesize
10.8MB