hxxps://file[.]fan/3813e1da0f904a05

Analysis

max time kernel
33s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.fan/3813e1da0f904a05

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2360 firefox.exe
Token: SeDebugPrivilege 2360 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2360 firefox.exe
2360 firefox.exe
2360 firefox.exe
2360 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2360 firefox.exe
2360 firefox.exe
2360 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2360 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2360	firefox.exe
Token: SeDebugPrivilege	2360	firefox.exe

pid	process
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe

pid	process
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe

pid	process
2360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 2360	3484	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1592	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe
PID 2360 wrote to memory of 1184	2360	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://file.fan/3813e1da0f904a05"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://file.fan/3813e1da0f904a05
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.0.682786240\510659355" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2290b839-b3a5-4af2-ac3a-354c5adf94ca} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1884 1b294109458 gpu
3⤵
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.1.221732853\530715529" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1197561a-ab29-4f52-a610-0c227ebca786} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2476 1b292f26458 socket
3⤵
PID:1184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.2.1652269646\858206728" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbca7e9c-b5ac-4916-9418-90d72bb81310} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2996 1b29704ae58 tab
3⤵
PID:3936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.3.967268780\1699561394" -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb950b45-6587-4994-9ce3-3881f6608f55} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3640 1b29897c258 tab
3⤵
PID:4428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.4.1925684972\351315000" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbf19f55-7d22-4db2-a1cd-6fbea66904bb} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 5044 1b29a5b4f58 tab
3⤵
PID:4896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.5.1886613803\1709568698" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5024 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {681f24e5-98ad-4f04-8375-3bb0ee059024} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 5156 1b29a5b3a58 tab
3⤵
PID:4652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.6.1652776758\35952079" -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9683344b-58ad-46cd-995a-accc3ee950cc} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 5448 1b29a5b5b58 tab
3⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
003473f5b1310023c548a6f38d1e2483

SHA1
c5c8bcbf9acc2629039b95aa5f076b7dcee2dca5

SHA256
7b5344691fa369a19fe21fad4755c11e09c8823f7deed6528f30597fecbc9b93

SHA512
a47a7dbd4670c5ba88d875c74e8ef2050c7cf0580bcbf80ae91fbb69a109312088d4fb8b12a616d48eaa6bef3a50245bc59c4de16fa51373c4ef7d25665d9963

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
e32e61d91a5eb24e26ced19d27ad2533

SHA1
964a4e49f806fc583f1205420c70fe09eb504f86

SHA256
55a7769a8a91b843f7d86f910c681d907729f1e9691ef7ca95c25c5b2925cca5

SHA512
dcbb8232a1ebc1a495e66efabc483ccc66d1b5fb8e4d6c9e9dcbb6c68803d4762066bb7027dd2566b736e63bd561740687547e99e8c0be44547e8c6f63b05682

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
4cbd6412db42a4be82dd538226c48e69

SHA1
144628f766c332173c3d734e80c8318a7138f056

SHA256
7b4a503a1a22db5e8d10b4d371cc488fddc2e5bb56d103eb58034d5ca4b9039c

SHA512
19fe66d17608ffa91dd9e2ebd5a36c8dd76446a75e5eab162700d3a626203bcd76bcb8554daa7e995bc8b588416144f6dfe0dc46991f026d9d1458d8b39794b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
ba6b4a1b282edb382f0826f55d6c9708

SHA1
c5d0603e51ec1265c63eb23a115b2fbc609a6825

SHA256
74a57b2de4d90c742be31730fac0ed61b4dd876905063cde36c0fd081a244ae4

SHA512
c6e71d585ca72d887edbc93006c0801dd73278098f611be6e7048edcfb3233ae7a7e566fa9ee1c0711cb14c1a4de8a54859b20bf2fefb9caf4a38a6fd7455b54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1017B

MD5
77e4a8e2fbd146be9e435703f4deac61

SHA1
f75c777c59b851a9675e01e50b13b44d98f4aef4

SHA256
4d3182dcde6c93d4a400c4f939f46ef7479d3d7acd28d40b5f02d69b2822ce95

SHA512
cfc6e95239afa7476b4bc7c2f073db8f5264d2f0e8bbeb7daa75ed1c9307bee058880aa2be0c6831061cf16bccc555f9bb9ede1a445b08ac11fc4de630c0e3fd

Download Submit