Resubmissions
09/03/2025, 14:14
250309-rj642ssps3 709/03/2025, 14:13
250309-rjnygaswfw 327/08/2024, 09:43
240827-lp8l6swdmr 10Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250218-en -
resource tags
-
submitted
09/03/2025, 14:14
General
-
Target
F-Secure-Safe-Network-Installer.exe
-
Size
3.0MB
-
MD5
9c15aac2f31dd9e1e8d64cf8f04ea5d6
-
SHA1
aaeeb05a24f6e7ef77d46ba71794490afbc414ab
-
SHA256
e082c6d30278139fdab5a7ddddecbcbafad12ab4dff1d5a960d9704fe635c007
-
SHA512
0249416a9a1b526b887007704133166353fa97f9def8e57725092ee61f3bc0f5090238699c47733962495cd64550413acf25ff3086d1617e4440e9b6eba1a975
-
SSDEEP
49152:+zk68h1xr/Rq09zUWUus6qidDQjvBJVSq2UCur80qDt5OXqj:+I6Q/Rq09zUWUus6qidE80qDt5OXqj
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe"C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1876 -prefsLen 27416 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26641be9-1e26-44df-a8c4-cf318f7b7931} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 27294 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {462f3aee-354c-44a4-94d7-bffe23c8fc85} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3212 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81435c55-340d-4e81-9dfd-99c22322dd91} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 32668 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4067d7e-3b01-4861-951d-75b9d107e4d2} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 32668 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9f7d44b-e861-468d-b13d-bcb586d29f73} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42723a67-6f7b-4406-8224-701939ec5ce9} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5320 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bebbbee5-e124-4251-8363-fa3bdc42fe74} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5704 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4146bc44-106e-40bc-a898-a32583cca2c5} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 6 -isForBrowser -prefsHandle 4704 -prefMapHandle 4700 -prefsLen 32538 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a2a35ba-d0de-4e81-9357-69d25c3f67da} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 7 -isForBrowser -prefsHandle 6336 -prefMapHandle 6320 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f87c359-1e3c-481b-b15c-00a1c87be1b6} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6620 -childID 8 -isForBrowser -prefsHandle 2752 -prefMapHandle 2748 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce062fc1-e2f1-4209-a8bc-ab83700ff582} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 9 -isForBrowser -prefsHandle 5640 -prefMapHandle 5636 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b31cbdb-3c08-4fa0-b4f1-e4385d30f22f} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 10 -isForBrowser -prefsHandle 3832 -prefMapHandle 6748 -prefsLen 27447 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {170ea528-95cc-402e-8400-15e696cff3d4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6996 -childID 11 -isForBrowser -prefsHandle 4564 -prefMapHandle 4664 -prefsLen 27823 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb1b559-1b14-4426-a317-5fa5d53fa85e} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5e54f8dffa16130787a22ae0fdcf375e7
SHA16514cd30146adc2562a1ad5ba9dab10031a0fd6f
SHA2564d36f18662a5ec643c5e0bb6a48008d82f562cdcb17e1a265d66ffedf864b1c9
SHA512e03008cdf084949cc52ff786e8b579f1c3d23946897c7b79cb7484e69f70b889acdca59b082736fc8a74cc5f236f6ab6b975908ec64e9a45d78f4057e94b716b
-
Filesize
109B
MD5f367ee02573f8700f11a9d6359b437e5
SHA1136ce81f01979a1f8bb0bc87759ae97763d884cc
SHA256b3e245d7b38956c31b3a22eb3d98f549dd5f512f3d4505a9072753334410e0da
SHA512846d67205cdfd65da35e48c04b9cb74bece73a44e568dc55a53e2ba34c2e37f615473833796c4f588b9bbf2f5e6d93a7e69a9eeb70b7767ccd98d29e12bfbbaa
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD55b4d3e85286f378c3f800dc5435d4eb3
SHA15a47b590ee75fee426379d28000b33c807ce5ad1
SHA25662df66d2ba2cd178ec77fd67719124f9a030b956daab66bff5ccdf349efcb37b
SHA512416b44908de56f1dfc670952c8c5dcbc5bbbc65b22f5f3a5e34f20f1fdecb82ec0eb88feaef49255492c34f3027affd3779f723e09419e4887ec5203c233806f
-
Filesize
28KB
MD50c1d5e88937c742d5ddd5669d6dc6798
SHA1733ba1f26ba16cca7a938ac01029ed5347d29009
SHA2564c4280f393fa064c8175ed0a88f03b76cce1b01e2dd33c61953e3121201072b9
SHA512d803d16c9967063ac863b6090c9afd8eca8c3f07883829d11882ed6b4ecfd65deca43add3b9ac2de64b6027e2cf9143702ae42fcd94fd8c1f0bd847e45ef27eb
-
Filesize
5KB
MD516400f0d49b25955a77e4560bb75eddb
SHA1cb39ad7c33611228697b7dafb6fd7f5b348106c8
SHA256713a2f7d89ac45e2ab80b1c066d9d79d0a975942b14bfd88447e4fc75024cf6b
SHA512813daaf3cf09deedbe0ba3b760b7d9ec1c690c5b45681fe54363488a14b024f38271036023b0f5af4cf61f5cdbf459603db3093a82746866132b82be5320d347
-
Filesize
6KB
MD56e3a65190ea8982786e7c370a3cdf156
SHA1b382f07e814b0ad1fc7eb5b290c15ab5295dac5b
SHA256d6118222172188e4babeae1a2514303523aae895c05ea14c1e5ba160148d3178
SHA5124fc5c5abf2cd3062c4d99c29f0f134ac0bbe7fd23e0d805ee142b7efcf512ccaf83bc6d67f177ca6b31b85c962ee501935ed9c4cfaeaa48f9fcc7eb37639dade
-
Filesize
7KB
MD5540030fe7882d0ea26deac5d60762089
SHA109a342a4aa646d3801df67d2f51c06d3b546941e
SHA2566a13917b8432dd5c90bca8901307992cd957003645099c32db7686b7fbad9729
SHA512741613c963e1a16a873dbc98630073028a682452221a0b176a11535b50b16cbe35c315c99531597c978578d16cd8cee84d8a3a000ffb746e579d1174b85b3c6a
-
Filesize
27KB
MD5332626415d22c358efa13c0972b549e6
SHA112927a2af0079fd28188d6aafd0420029152e42f
SHA25631c6d2166a06b21dc7c22d06137a524f2a7eb1b08c191801c43bc6c903db40c2
SHA512897cbbacb6398d529d2f416055c63916bdff58efdaf1e4d6be6efa1462603ccda145a381eb801db5f365556d633cf76a10b7bc122bedb92eb0b3724c628d242e
-
Filesize
982B
MD5adc85dd55499155a2ccfed6ad6dc9430
SHA181eda565ba034205f3921b2f4ec49f9ed8aea79d
SHA256a707bf4e1e437a82dd2fa73a04ac5fdd9e751638de046a00a4d14045911636b9
SHA5126c250289eed3430baf65447b13cd69162abd7b3479d75f2190dc9fc90722191a3beeaf91c3f2032eb56d4b8a698d8f81cf9d07923ff8833b9393c29b5183f27a
-
Filesize
671B
MD55288b93e9c923efba154c87f74324132
SHA12c3df7144ece8e1a3e6f1fa83c3cd35f34df2aa8
SHA2565fd80b9922643591684d0cd3336a75dda41b15e01ba4bfbf04de9e4d391dccc7
SHA512a77ebb4f57b295efbdaa408d7eb0fb76ef5e85efc0e3ccd20bd8087d1fe1d6b5333d6e0a5286b11621b03f27c2b61a1ee77d1a95bce7a00370f21f6d06fdd162
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD57eeb714514b81eea5889acc90a2c4030
SHA185611819cd820f038fba481284923c31eea3bd7d
SHA256ba4df1f4518eaec91e410fc4a9f28bc4108806b98f23335d323c589eedb599df
SHA512a0f6d3d1340c71c3f66ca25bb30b87d0fd6a70f2b52a44ea842833a68b59d973c1c649a46942451edc184c5c6e7609180212ef8ccea3e48e74d5889c87839940
-
Filesize
9KB
MD59d80cff68718cfcc8b1c5cc2f39ca548
SHA1741b93ab50105447fcc42fb6472a994148684aa2
SHA2569a5998ebbc190a0e822b89a60666e99d6a96deff425c3ad29e563e4fbc0573ac
SHA5121fa1b94e6998d20e55652b56508606a1c8bc4d328ac1733a2ec7fa567e8c9ce95bb4414f72c83a904694c4507ff6668c28bb7a91c915aa7cd08ec303192b755e
-
Filesize
10KB
MD50adab4c39f056d6f93c6039b7957b9dc
SHA1b2262cc62cf0f7fcab1a751f84324b6dc863f7e5
SHA2562a690a33ecb9055658fec2174123a1edbb054b8d4e1a4d7f10af9ea4a4e6f6f6
SHA512506bec017a10f88ba4c558bed01ce4bb7bba2404373f51b72bf3f4f1de9401fc04aaf3c51ca21350299ea40428a08d309b882e6cb4f53d69aa68b3393c9c5a07
-
Filesize
1KB
MD5d2340443b6381746d7e4eeb93f395303
SHA1f7f87b34dc73bdb7caea08d56770ea66bfcbccb0
SHA256e677ab1a5a5353440d4c8b243e1dd2efb517504275717d0b54a5f59171194867
SHA51201fda213166878832bc7585d17818389ef74778cc73fe699c31c9e48a4e0b7c6d291882d7215da4baf226274a018a94957cba94160f2a781ac38365b1a76e7b9
-
Filesize
16KB
MD5635efc45663b6e41bfe0ac1381c2afdd
SHA18568b6ce05e94558479df74ee31ef69ea013ebc4
SHA256b26a365f9c3808e0f3afe13f7e40444a52a1d2ff08f88f5940084fdda14e8113
SHA5129638d268db6b0e1cc282602ba25bec4b828c8198ca80f0a9bc6083528d5fafb2ad8c2f75e73f2f5ffa18122e8f9cd555fda405248c271a021f232649d7a50be2
-
Filesize
18KB
MD56f79bb162649561a0ea0bcd2cdf535ee
SHA148a089bba7dac4bfefd151f636d1541cffa694b7
SHA256d324398284643bf04a7f5617ade6e47d1b9596b6aaaf9cd507f687671a49754c
SHA512691aed8e47ae38edd2eccdfbf07526d9812e6dfd2fbaf6cdd0c4cc503c36033c960e8ad20a7e14a8aa416e58d86f52aa022614f6270c944f3158db5dd7754446
-
Filesize
14KB
MD547b8042280ffb14834027f9c0f7bf160
SHA146ebf6e837dbe05519cf9c188d939fb66ad0754d
SHA256609b13598988312aef40743a7bd0c6835ca9713605eade271a6268341023c52b
SHA512fe1970625f84742e79ae7148d12c9282265c06fbd70c4347fd52519c129260ee282c44f1efac232308ac043275e2ccd2bc335e9b94f7e488120f20424c7b78ec
-
Filesize
17KB
MD587b536f784082132329f8c3d5740a9a4
SHA11e17997aaa1152c6dd468e18606dd417153be219
SHA256ef79d94ac913c42a09a0da538e9fa625ca8541393cd7e4b9ad59d033347ad178
SHA512151094ab66ac5d1dc5e42a5e491fb4b0fa3e5241a4e25fe10b90d0601546a263caa9f94d98c855844939a7778276cbad2bd2cb6c89f93b08c1961cedf219e36b
-
Filesize
50KB
MD5e38dd9d7a5acdbcb5b97b309ac8078c5
SHA13f4f0b072b19eff1326bd1f2c81c6980e2cc8bfc
SHA25609c3605ab001ec35382f5ad17450e2e042f8ba3e98117c7c6991f9015a60a883
SHA512d988785745194f4b4cbe173951eea463e0a4920e9fb37652e1a1a4b9f4dad1ec9562c0d01b114648c0fb8a2c01addd10e2eb443071d815c3e1cb5d39825bcb2c
-
Filesize
1.5MB