Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
26-06-2024 07:32
General
-
Target
https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D
Score
5/10
Malware Config
Signatures
-
Detected potential entity reuse from brand microsoft.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://ion-group.my.salesforce.com/setup/emailverif?oid=00D3000000008h6&k=Cj4KNQoPMDBEMzAwMDAwMDAwOGg2Eg8wMkczODAwMDAwMDhnOEYaDzAwNTM4MDAwMDA2Tk5hSCAFGKajqoiFMhIQ56yiF5BnZOMBVqHOkLGgTBoMDAFreNPmgAJb7fU0ImsKAJ1XPKnSdBSfDdbpGUHU3VrB3zn0QhAUqJlAvrwszdTiaY_RDBD9PLheKgyRwVc7KVDQ6t4s7zEgs57lgLyG9UhCn6_vXVdJk1CyTcnLqJbyNEDwjKskZT1BJLJ6F8DX9ZRNAxL1xlwdlQ%3D%3D2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.1626355346\1360271986" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6930f5a1-e1a9-4158-94c2-7afea80d8adf} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1892 1fee0b05958 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.1.1419873758\1159793769" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09d3d128-142d-4ef7-af59-11c85f1b7474} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2440 1fecc894f58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.2.1950269998\974165911" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 2968 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0db0b2b2-f0ab-48f3-862d-1d776eb6cb66} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2744 1fedfa94058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.455834558\115058189" -childID 2 -isForBrowser -prefsHandle 3352 -prefMapHandle 3368 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56c7f3b0-d929-4ba8-9833-919ed6856101} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3356 1fee6965258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.4.637195834\1601154566" -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5268 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a41486f8-b7a5-4e88-baf4-6a02d0fff0db} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5296 1fee88a9158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.5.1811386455\213392698" -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {557c2e1c-beb6-4526-9054-e38f6079e2ec} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5424 1fee88a9758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.703771026\203047653" -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f753e27-f153-469e-830d-d3377f6f8039} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 5612 1fee88a9d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.7.611380196\1574498526" -childID 6 -isForBrowser -prefsHandle 5464 -prefMapHandle 3008 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f1c75bf-0652-449e-a186-b7be94730539} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2956 1fee906f458 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.8.1300889208\1511777377" -childID 7 -isForBrowser -prefsHandle 5640 -prefMapHandle 5252 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {674d6547-ebac-4b7d-bd51-97fe844452f0} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4452 1fee88aa958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.9.465394041\189975316" -childID 8 -isForBrowser -prefsHandle 5400 -prefMapHandle 5320 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {579de809-9383-47fe-afe3-fa406008360b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3808 1fee318bb58 tab3⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmpFilesize
23KB
MD5613595fdcb9ea3ca2842fa861df1a451
SHA15efa7b907402aa77a0bcfcd16eb47364147a849d
SHA256617ebcf1a945ecb51d03d1f8b054dc81dcb1e95b7ec7d46afb17a1a02970a733
SHA5129b61b70f10a6075604e9adbde608a2c418497abf73587c9d0b0e69fc424b3a316ef7e3b984373c74b50695f23c4b26b3bd8d53bb8b068563bbc6bb999cd2c465
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD5e0236413295e49948baeeb46d884acef
SHA1c24f80184264ef596722c1a84b8dedde9bdad557
SHA25611af5d1895a6e5952ebf08f72ad5121d828a5e2f8dc0656875d527e886ca54e8
SHA512d99fd945c37dee141ea4e4f2e2460f482230bb679d8a63131348685a7dbebce074c9543161672fc525cd0c84d41d29e2ee78f6e3a7b8f7d18ca40eefcb95e5c6
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD5870b0b2057b02c012ae660a60a8cf3a8
SHA1de36df30678ecf716189eb86179904bfbf9c11bc
SHA256a143251cd1964f2b8cb7921b647b49e5d95f9a93bd7af1bc338335600df8a1b1
SHA512b2fb5741233398b049eea5a561c2e8af478957a4b2e189fcd3b738cd610c8778428ffb9c1bcaf382a334255fe090ad6b6c1b4e0e51e1495cc22390f890221ec9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.jsFilesize
6KB
MD51e2c9a12cb92b63cfd5dafdfbd51ccad
SHA1e9421e9a4bd0d6efff5eb6e5ce0179a2f226c570
SHA25675bfdc18573b1c0c834ce12cf237ffdb1a2d24ab5482940597e87c32c29bf85f
SHA5124e813b7f23d2802828da558e4480c3cf867e0f8e747127928107e8c2c8ac3d561c216b4dfc0b60570b1f470d34287b129e0b57826752ead45adb8936303a2905
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4Filesize
14KB
MD5284d351534a5907f01ef54bee6b0b92b
SHA144fa7b405ade61fc142e7908ce8fe9d7eba42cc3
SHA25683baecb91edced37bc71f9b146aebfe396f1289076c6fee7e62f4a74db2e0bdd
SHA51269950ca92081adbd206f07655b930caeba29ea00181f2e77c1eb57398cf2adaeb32e235e66f95ab54093fb7fb5471530d2d3df8ba38586d9ae25a6606a7dca01