hxxp://google[.]com

Resubmissions

27-06-2024 16:41

240627-t7g6yasekl 10

27-06-2024 16:40

240627-t6h2vazfjg 1

27-06-2024 16:39

240627-t52gsszerd 1

27-06-2024 16:31

240627-t1ky9ascjm 8

Analysis

max time kernel
84s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 5028 firefox.exe
Token: SeDebugPrivilege 5028 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

5028 firefox.exe
5028 firefox.exe
5028 firefox.exe
5028 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

5028 firefox.exe
5028 firefox.exe
5028 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

5028 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

pid
4
4
4
4
4
660

description	pid	process
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe

pid	process
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe

pid	process
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe

pid	process
5028	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 4652 wrote to memory of 5028	4652	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 2068	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe
PID 5028 wrote to memory of 888	5028	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.0.1177258949\33175765" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0bdde90-c925-403e-8fae-882912a1e46c} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 1884 2543ac0ae58 gpu
3⤵
PID:2068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.1.1988024262\1371857089" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0762f1a9-d382-4d0d-a171-739608e7b4ae} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2476 25426a86c58 socket
3⤵
PID:888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.2.1448718046\74419615" -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 1344 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ee438d-3162-4b02-8aab-669bc3fdf7b6} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2788 2543dc3a658 tab
3⤵
PID:1844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.3.766383184\67965108" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9005d833-6699-4c0e-82eb-4daf3f272d63} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3640 2543f540958 tab
3⤵
PID:3052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.4.724808492\1647595929" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8756b249-b59c-45ac-a30d-04815510f8cc} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5040 254411bd358 tab
3⤵
PID:696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.5.674609028\788149146" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8567e6-bf03-41bd-a3d5-c522350b9f43} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5172 254411bd658 tab
3⤵
PID:884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.6.614083858\662334433" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0185adc1-d96e-4299-be9a-9292f5b4367f} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5448 25441a63f58 tab
3⤵
PID:460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.7.2080899901\178083834" -childID 6 -isForBrowser -prefsHandle 3784 -prefMapHandle 3808 -prefsLen 27957 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d899ef44-2f3a-4ee0-8d45-509eff594047} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4912 2543d698c58 tab
3⤵
PID:2348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.8.1997154322\710870501" -childID 7 -isForBrowser -prefsHandle 2860 -prefMapHandle 2796 -prefsLen 28172 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24426e8a-c7f1-45b7-b1b4-8599b2070715} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3304 2543ac0c658 tab
3⤵
PID:5348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
7ceef9a3c7142f23fe38755539f93653

SHA1
57a4fcf3fb72285f5ad26b7d1084cb4f0a291b76

SHA256
7ad486435457a7df0c90724b0663ddeabcc0616f4375cd5a07b23dd1af257ed4

SHA512
d2d0dc172b021fe3b7f007d56c4b048a341742b12dbfe928ad3a804fa3b2e731b6878e1d0ab2c498a16e65a13f65fd87d1fadd970928bc302c5e1841cf14e8de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
62dac6954c9e38cb21bd6472a18e539a

SHA1
c16b452a748f0e7ec2d7a8000b934bea1847e0e2

SHA256
4c35737a4083779b7b10635ad6549a02c5322831d35bb7f1530f6d62c8dd194b

SHA512
6682216f679ff05ea3c81fb1b095a4dd443a5e784ef7bc475d9db377678c7eb45f09acdee75db6f9ff247592139e92379f20f5d579d7160b4c94346dedd14687

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
68e3b29fbaf6961212fde2ba8018cdd9

SHA1
ac0419bd06b18fef000ff57f6330841a32e2ce74

SHA256
db4127b937f714e4a0bbea823b74123bd7a39f3de2a4b66c508fcdc690f06a2d

SHA512
aff308eaf9a113c8e598ecc88ba87799018d9b0f8a978f61dfb8342a4187f72a697526b53f7577dff968386e104cef879d2e3e526fe643a0d668e6c88df2e122

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
d7b41af96fecb56a15717fcafea78118

SHA1
771b305de327bd2a18a4a61420b0ebe110ff3e6d

SHA256
bf081693c1633b980a02a45a7ffcc175e866890a9b7924af3f3595798e4cb5cf

SHA512
2042b4f1a1e53e6112da6030d9843ced2da500c5026732b9a100d69235d0eeb40e8895ea8f46f1ad95826a6c0f6b3421b59c81fcc0c33eae500ac93a00693884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1017B

MD5
06c651f6f9937aa76d7c5e62095b01f3

SHA1
a9ceb534e37b4fac38813b909fdd32a2b197adc4

SHA256
3425908058a1653307f9fab571c7b4765e3aa8925657e5347bf60ac31114b4a5

SHA512
9b229060f19a956946243549e6c4897a9f895f4d514208c4828d5d8d0d79d2aa07fef5a90649fb912fb2b22b8a6e80fdd5470dcd1eb25399492a471214c50eeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
6dccadc992361618ed8dbff1672fbf9f

SHA1
349e7ca36ee97d4912bf221b9c9a4bdd86e829e5

SHA256
f485c2a15d831fc08cac4829665bc6ef0ce741f65b6f2a164da914b9d7a39083

SHA512
a1622c9dccf00916aae3d3ae3193fa009570c1fde418fc6446da3cd5010026510afbfe1bb7d252930171ba9228b78572bfbc72a3a98c71c7f9bc6be3e93d742f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
3f84a840bf56cbb280d5e71335b362ac

SHA1
a098adad7d7bf2aca1f946f9f959db7a2c459202

SHA256
9acff82eb61d23df522444b1385eed359664c5919030f9c92b3ed4bbb467f0ad

SHA512
4d14da234691b974218cd8888a2bbaa869a475219acf8826f04c2b296f893aecebe2120dd083e2b56c74b6daf0a825e831027db85305ec0bc31b500af35392e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
06fae1166c99eced64df7451832518fa

SHA1
8e58272ee8116c1c06fd7e1ac56cf2cc7b0c693b

SHA256
10066df0f16e8129de3a43eb5ef04d6ead2214a7e48aae7c5ecb25743d22a0c9

SHA512
5a2fad9cfb5862b83b75ca86b3294169ce8a6b714af03b1c59a36a833a29a4a47192b27e6e37bdb834bcdd7b67cd19c783880f133452ad17b691dfcd1c0600a1

Download Submit