hxxps://ion-group[.]my[.]salesforce[.]com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4972 firefox.exe
4972 firefox.exe
4972 firefox.exe
4972 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4972 firefox.exe
4972 firefox.exe
4972 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4972 firefox.exe

pid	process
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe

pid	process
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe

pid	process
4972	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4712 wrote to memory of 4972	4712	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 3440	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe
PID 4972 wrote to memory of 2164	4972	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.0.1588493196\219678619" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cae83dd-65d5-4aa8-bd25-13ffdd8abb2c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 1896 26e75504d58 gpu
3⤵
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.1.1786338763\123469680" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb75801-b5e6-4dd6-bb0d-554e54a603fc} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 2488 26e61195f58 socket
3⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.2.307882478\924372125" -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97fb253-ca63-4cc8-9785-412374439596} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3064 26e78446258 tab
3⤵
PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.3.1168120173\531222907" -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb31c03c-b755-4ac8-a30e-09028d16cb69} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3864 26e79fc6358 tab
3⤵
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.4.1719683309\1055013890" -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3394cdd3-4175-48c0-aa7e-ed2adeab4e69} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5112 26e7b8b9c58 tab
3⤵
PID:1044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.5.305539222\676983952" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85cab6c8-4b81-4d43-8983-11deedf6a575} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5176 26e7b34d258 tab
3⤵
PID:3996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.6.1014574358\766995306" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dae21b1-f56f-4887-b3df-ce17735dc2b7} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5376 26e7b34ff58 tab
3⤵
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
3c6d3db69d005c835eba978edd1f63dc

SHA1
654e290389f3e49d20492b9b3935a119e5ae53a8

SHA256
40bb2394de71fa3462d45b6acf5770cbef9825276ae9c9ae526622b61ee69f6e

SHA512
5e520e9c67f1e4ee1c5ad6a89937ba1048ce4514bec365a4d6157420fb81a6cd2b0baf506e94f8c2ab0494305688a45b7b1508ac465067364f1c65eb3a8b92a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
7c0f5ae5e0c87688139063ccfdd7e8ad

SHA1
1f51f9576cd6b3c9d0cca3bda36111b40456e538

SHA256
ccc7dbdc6f5fce836cb9794a33bbc7b2397a08e3f3c06475e43264416eefb574

SHA512
eb22a51ccd2a7f9f5eea82279bc06ac6c1c05609e7ac733186f9301c1d60f24562f1e2e5e7074eab467a756f1be61625c1ee4faf6d509826f023f393babcd2d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
6503f52e8709b7be50f59739df7f8ce1

SHA1
a73c4693f8a3f51a592154145a5244ce90b1c9b0

SHA256
3d1a1db16080c59a6eb834d54279984b95c2461f700db469120e63c43e13232b

SHA512
83531e46a2659cef1dc316ab8cdd05accffe5166ef903ecab3bb52714fdcbb4db4260e5f145b90e82645a25cfb5bb7cc2b04a3f7809f018a6d229eee5353cf99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
105d68e7de04f920a33fab108f3bd574

SHA1
67d5f26e648641db7db50b8f2e92e87af4f29eee

SHA256
6f8e788d567ee50b80a718482c672b6330035a0fc1ea8a22fe0fb7ade09dbbe6

SHA512
70602777164fa57f3c0591f4ed683f73333df3636b422c461ac662a21dde3e3c640d7ce0c8a2244cd59a4be2e934ae7aabfd5c227ae66f3355d671c04987c6d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1016B

MD5
6b48ad93db243c8e12b8c5cfaec0083e

SHA1
5693c8210a2da3a588cd778d6b93ea905d7986fa

SHA256
c71fe372bd28ddad379453f947eab405b808b7a3411bad6092af42bf05144c42

SHA512
16d07cb4d3c170841b0aeebef60da8715cb33bc7b83658711a8d8d4c3b5473dfa005c6bc37cc066aa24b428f11f1753a40f77181931d72d0927ed283088d409a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
7bab7e7612f14bcf1cf0c7284716f93b

SHA1
01b136f5be0806e4cca1ef67192896005c55d56e

SHA256
075d094880aa0ae155ff9d9cb33069bb9ad20d94560b1d84424cde70a2caa14c

SHA512
516dc9914312e55eb68bee0ce22a81cbb5915404128f82fb0ed514d356aea125a6ca203097ae502f99ac071549106fb7468eed2fc93c455530975b78a5d2870a

Download Submit