hxxps://puntaarenas[.]cl/OIRS/OIRS/2014/[.]hu/hu/

General

Target

https://puntaarenas.cl/OIRS/OIRS/2014/.hu/hu/
Sample

210113-24mawcjv6n

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4912 firefox.exe

pid	process
4912	firefox.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4760 wrote to memory of 4912	4760	firefox.exe	firefox.exe
PID 4912 wrote to memory of 4264	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 4264	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe
PID 4912 wrote to memory of 584	4912	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://puntaarenas.cl/OIRS/OIRS/2014/.hu/hu/
1⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://puntaarenas.cl/OIRS/OIRS/2014/.hu/hu/
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.0.1372745750\248989349" -parentBuildID 20200403170909 -prefsHandle 1552 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 1632 gpu
3⤵
PID:4264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.3.1749267891\32803041" -childID 1 -isForBrowser -prefsHandle 2252 -prefMapHandle 2276 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 2264 tab
3⤵
PID:584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.13.1753690174\1767167830" -childID 2 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 3224 tab
3⤵
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-4-0x0000000000000000-mapping.dmp

Download
memory/1144-5-0x0000000000000000-mapping.dmp

Download
memory/4264-3-0x0000000000000000-mapping.dmp

Download
memory/4912-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing