fbb1c5811042bfe6fbc3329c17e2bbb75279d315777768ef6b835a85e9331ef2

Analysis

max time kernel
30s
max time network
38s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/random_2.exe
Size

947KB
MD5

c87f37b640fa7e3e01b731b882bc2c89
SHA1

9308495700f0480079b7f98e3b4a5fe5bb7d49b6
SHA256

d799b9a2a2ff0d1cf4c76840719ce79a4719d22a590571b097779bee4c9dc3d0
SHA512

589b59d9271974f4375cb96a423fc32066e708a7ffc634f3bdf3ab07a2d59c99991afe2bf5055fafead91d2debab2017ebc58ff66f7040cbb3f73a70a9f4e7e5
SSDEEP

24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aXX4kE:1TvC/MTQYxsWR7aXIk

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	random_2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	random_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2892	taskkill.exe
2748	taskkill.exe
2768	taskkill.exe
2928	taskkill.exe
2348	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	random_2.exe
1684	random_2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2760	firefox.exe
Token: SeDebugPrivilege	2760	firefox.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
2760	firefox.exe
2760	firefox.exe
1684	random_2.exe
2760	firefox.exe
2760	firefox.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
1684	random_2.exe
2760	firefox.exe
2760	firefox.exe
1684	random_2.exe
2760	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2348	1684	random_2.exe	30
PID 1684 wrote to memory of 2348	1684	random_2.exe	30
PID 1684 wrote to memory of 2348	1684	random_2.exe	30
PID 1684 wrote to memory of 2348	1684	random_2.exe	30
PID 1684 wrote to memory of 2892	1684	random_2.exe	33
PID 1684 wrote to memory of 2892	1684	random_2.exe	33
PID 1684 wrote to memory of 2892	1684	random_2.exe	33
PID 1684 wrote to memory of 2892	1684	random_2.exe	33
PID 1684 wrote to memory of 2748	1684	random_2.exe	35
PID 1684 wrote to memory of 2748	1684	random_2.exe	35
PID 1684 wrote to memory of 2748	1684	random_2.exe	35
PID 1684 wrote to memory of 2748	1684	random_2.exe	35
PID 1684 wrote to memory of 2768	1684	random_2.exe	37
PID 1684 wrote to memory of 2768	1684	random_2.exe	37
PID 1684 wrote to memory of 2768	1684	random_2.exe	37
PID 1684 wrote to memory of 2768	1684	random_2.exe	37
PID 1684 wrote to memory of 2928	1684	random_2.exe	39
PID 1684 wrote to memory of 2928	1684	random_2.exe	39
PID 1684 wrote to memory of 2928	1684	random_2.exe	39
PID 1684 wrote to memory of 2928	1684	random_2.exe	39
PID 1684 wrote to memory of 2752	1684	random_2.exe	41
PID 1684 wrote to memory of 2752	1684	random_2.exe	41
PID 1684 wrote to memory of 2752	1684	random_2.exe	41
PID 1684 wrote to memory of 2752	1684	random_2.exe	41
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2752 wrote to memory of 2760	2752	firefox.exe	42
PID 2760 wrote to memory of 940	2760	firefox.exe	43
PID 2760 wrote to memory of 940	2760	firefox.exe	43
PID 2760 wrote to memory of 940	2760	firefox.exe	43
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44
PID 2760 wrote to memory of 1348	2760	firefox.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quarantine\random_2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\random_2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.1605827844\1931886799" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78e25f78-9aee-4fc7-b013-c38404a760c3} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1296 ffd1d58 gpu
      4⤵
      PID:940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.752160022\1073433195" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0210343b-ecb2-4d38-ae03-727415794acd} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1512 e73c58 socket
      4⤵
      PID:1348
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.1824425927\1139073613" -childID 1 -isForBrowser -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f514722-c313-41bb-9971-8b9f3078c92d} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2132 19de1558 tab
      4⤵
      PID:1248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.1030362248\1883647154" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21617477-83dd-48b7-b06d-5282c1603869} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2992 1c34a658 tab
      4⤵
      PID:1632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.4.1403957213\1834786539" -childID 3 -isForBrowser -prefsHandle 3484 -prefMapHandle 3544 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1253edbe-df55-460f-be6f-796bf9958848} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3636 1e1d7858 tab
      4⤵
      PID:2160
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.5.1495708127\690269794" -childID 4 -isForBrowser -prefsHandle 3092 -prefMapHandle 3584 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17f1e4c-1371-4cf6-9f80-cf1f8c4c331c} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3492 1e1d7558 tab
      4⤵
      PID:2920
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.6.1940486449\1118330027" -childID 5 -isForBrowser -prefsHandle 3708 -prefMapHandle 3712 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8dd5a3f-8363-4e7c-bc7d-07b2b0614d55} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1108 1e314658 tab
      4⤵
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
7785ac51e869eb9604788126ea6a2879

SHA1
dc124747f84b5248e97d5c522d653eb94628ca88

SHA256
6ee362256d55ff9290363a6314541bd44217be1bb0aca86d98e22a4bca076e7f

SHA512
a3098cc3179ae28fc459fdfc365f872f9903cdcf5df711d5106087ec085ece5ee14c2ed8b896a0ad0683a2ee4cdc069fe1cdcd7047c8660e0631fd2d4f5b50ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
d00b3e335f5f45d1f43d475e5a9cfe63

SHA1
c636d2acb996f96dc3cfe35ab7f79c4ab3741b98

SHA256
67a8e67778a947f4b3b433166347d75d1084604269cb864322f13f02a7868cd2

SHA512
d3517bf4cb2a2635d56d750fd64088e4cb03a8a602ae47b98192530aecfee1dcbf06e917631cf040ce77b46cde7e642d83d79e9a4ece027cbb21e9d1dd4b4da9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
356a5546abd60138eb36f22115ae077e

SHA1
bdd0e2128ab4e29a9594f5f2954c058eca091325

SHA256
4ba4bac3ffb30d7c9979fe9da0c211de37b6a3d041bee2b393648b8c4e11a3b1

SHA512
867fa8ffe94e91471ec70480cac787c73cd01d143606e847e9d98b536051102d63754395ef2658272c4db53674440b2734476e2a7bf7b9713b09d56eb1049981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\4d642869-e5f7-4417-9a2b-e53a59fd47ac

Filesize
13KB

MD5
ab6ab12b36e47b44b6f225bcd14b3feb

SHA1
b86de0e0ebf1dd5c64d58ff12b73f2bfb0c71b8b

SHA256
83aafd6582a1b506975fc25ccacbaf30688b4e4362e06d6700f84238ba195b72

SHA512
5aba4b43ef8342a66718404bcd78e438c43e3181537bce73271fe79843830efb395297ef0b06a86d70b17ec735e98e399b82828b069338f52073981870ed7cce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\bc39a6f0-e0e8-4789-814a-fa0a16b6da1d

Filesize
745B

MD5
b873df6fb53375b20d81d3e32d0c4b5a

SHA1
bb82e9f36aa6c070ec3666d9e124cbe1b57c6747

SHA256
00dbf3b1ff3cce3c694a75cc5ad13c36cef8a92a5b2df8dbd957be569e1c1ff0

SHA512
bdf61f2482351207ec7d2f63e0232b8432667e01392336809f975053869d6eb883f391602ddc8f8b7fc7a1e4343dd778fb9c6ad3e9566b5d274b88a50ba0d7bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
83bd3427a7b07e77d2bcb23c7bbb2348

SHA1
2ec293c3dc70badc23b6291f5f539faee65689b1

SHA256
01d0c8b37dc0238a4321d61c9b0d626efd2b9f4049b893cd4f43c290c9612552

SHA512
c6bcce53d11725267aed314a084862981d77dce188fe1437b12b25bdf404f02d2da75c4028e1cad6f80f20134eeb59831d7eb887cce3ca68254e85f3546db9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
186bcaaefefee106dc6ea11fefd5eef6

SHA1
47f2a4ac456815ebbc7dbce9979e79a03df624e0

SHA256
ba45f34bd2455e876d0fac30d8d34f5d0bd3212cfd5cc2b70da1a0ac9c7f2cc3

SHA512
61db91242d74f96faf9d9b68293cb222f68e0be0b2e26774560bbe1f1c619f687cbdb24ab8741b465d0052d85cf0e1067f21a9b2420e4dec1ccb04c0ba0da563

Download Submit