hxxps://ftp[.]chapa2crcce[.]com[.]br/wp[.]/index[.]html

General

Target

https://ftp.chapa2crcce.com.br/wp./index.html

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2768810330"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991471"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D38E2C49-5062-11ED-A973-DEB08A22E9AC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D38E2C4B-5062-11ED-A973-DEB08A22E9AC}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2768654690"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991471"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2792 firefox.exe
Token: SeDebugPrivilege 2792 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2792 firefox.exe
2792 firefox.exe
2792 firefox.exe
2792 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2792 firefox.exe
2792 firefox.exe
2792 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

iexplore.exefirefox.exe

pid process

1820 iexplore.exe
1820 iexplore.exe
2792 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2792	firefox.exe
Token: SeDebugPrivilege	2792	firefox.exe

pid	process
2792	firefox.exe
2792	firefox.exe
2792	firefox.exe
2792	firefox.exe

pid	process
2792	firefox.exe
2792	firefox.exe
2792	firefox.exe

pid	process
1820	iexplore.exe
1820	iexplore.exe
2792	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1820 wrote to memory of 2552	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2552	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 2552	1820	iexplore.exe	IEXPLORE.EXE
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2136 wrote to memory of 2792	2136	firefox.exe	firefox.exe
PID 2792 wrote to memory of 380	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 380	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 1536	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe
PID 2792 wrote to memory of 768	2792	firefox.exe	firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ftp.chapa2crcce.com.br/wp./index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:82945 /prefetch:2
2⤵
PID:2552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2792.0.435047907\1618017968" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 1624 gpu
3⤵
PID:380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2792.3.1109479262\1384225998" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2196 tab
3⤵
PID:1536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2792.13.1058188633\730895268" -childID 2 -isForBrowser -prefsHandle 2208 -prefMapHandle 2216 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 3064 tab
3⤵
PID:768