hxxps://parken[.]com[.]au/verificacion-brou/Brou

Analysis

max time kernel
1200s
max time network
1065s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-03-2023 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://parken.com.au/verificacion-brou/Brou

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4248 firefox.exe
4248 firefox.exe
4248 firefox.exe
4248 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4248 firefox.exe
4248 firefox.exe
4248 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4248 firefox.exe

pid	process
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe

pid	process
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe

pid	process
4248	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 3628 wrote to memory of 4248	3628	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4576	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4576	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4876	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4796	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4796	4248	firefox.exe	firefox.exe
PID 4248 wrote to memory of 4796	4248	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://parken.com.au/verificacion-brou/Brou
1⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://parken.com.au/verificacion-brou/Brou
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.0.790207633\1864370915" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83779961-5161-464f-9218-79e9755fd949} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1732 2327e9a1758 gpu
3⤵
PID:4576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.1.427297958\1364978462" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f0219f-6cbb-45a7-a639-cf27befe3bd8} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2184 2327cd46f58 socket
3⤵
PID:4876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.2.1278472543\1394587687" -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2656 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ce7a0dd-8c5c-4c30-a4d0-e3aee294e8f8} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2556 23202342258 tab
3⤵
PID:4796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.3.146590078\1369314178" -childID 2 -isForBrowser -prefsHandle 3744 -prefMapHandle 3740 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce991ebe-2b1c-4104-ba0a-e94bca2d1001} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3756 232037c4d58 tab
3⤵
PID:4924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.5.854459301\273226384" -childID 4 -isForBrowser -prefsHandle 4492 -prefMapHandle 4488 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49ab1ea2-844b-4a62-95d7-226979370494} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 4540 2320464e858 tab
3⤵
PID:4108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.4.825910033\1679163239" -childID 3 -isForBrowser -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e421fb3b-5b45-4143-be84-e9795dbf07fc} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 4508 2320464bb58 tab
3⤵
PID:2076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.6.1053027953\900641191" -childID 5 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e96220e-e2ff-4ca1-ab4e-d7382246de3a} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 4936 2320464cd58 tab
3⤵
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize
146KB

MD5
13a331ff961d2d4c10419a7782a2aa92

SHA1
4b7cb2a84e22e8e93805cc5ff6bb59d74477cdce

SHA256
6094e5500c116f6524490107234f7f9f9b791c5672fc41f537b0ea0fe923bc2e

SHA512
76aeed609ad2c2282c6cde66e4458fda8a7338dc4aa488339a2986bca450c3c2aa9e305337d24083e3ed2808b4244f776b513f53a2ff8b60f1d83a3a6f4ef5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
7KB

MD5
4592c099d2273199289e620def0b4d40

SHA1
5929b08f8430b3d6b446eff86e597142687dd4d6

SHA256
669de2fe255a0e3889d629e5ad47cbc26923cc2f2dcc0c2db24827303c58c26d

SHA512
c83a748cbb646cd91d8eae6de90900c455c39aadc0fb5fe9b5f7f4574ba811b3d536b93c466085e44cb733dad37da0977b6982974b89bd0dad500caa6a812354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
a9e8b23309959a7a28a3344a25911979

SHA1
bee0dcc87ae6cd5898de121f7a5e3fa0462a4412

SHA256
a877f21c437b9ad599353f61463d9aea9499643bff1be457b9f49d0c246d5fea

SHA512
737cb4f2d55c349ddd4bf38c13b78de03787d745319644b49ecaf5152f7696b4c2104245f2d000b71e3b74b5b869b51ee562f146a09c8949b377f0a0ec80220b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\cert9.db
Filesize
224KB

MD5
bc7ffe67bedca3a575836d1162f0addd

SHA1
3474dd7283f563783d41b02579f2ebfe61e2c847

SHA256
29b9748d6b0c26f555ae388a614bccaa4c8d9587173bd105446b5938c908e27a

SHA512
1fed9349bff5c006d5f72fc36e9d5bf9130c240dbc45b351bc416b68b0bbae567fca4c24259b84fe5f5f851f2b642c0942d30eaf6bfd25f64e21bb912f05b54d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
4961ff7e093736911e1726080e65bd9c

SHA1
c4689109731f310dc4e50b810ebeaeb8a81eb414

SHA256
e0f01a2b7d1aa080680f98fec8a391b88e4ccf4b940796e537fa4363d3e1b94a

SHA512
f46519151b6b32c4c0497c6a3dc41f895f81706eef6d262912fbb41dd5e2c090442e17b3a723977f8606cb26070ec64d45917db26aee24a84f7d2cd98514b8d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
cb541fe35e856942a654dffc341aa2dc

SHA1
da681516562da8db7afac0587962bf06e453117c

SHA256
feb28ac9e36f90d0838c330970993c346303a961dd55a01415db7c63caa913f3

SHA512
b4e64671f7ad786fabaf8526e4bf487ff77140b918c5aca3d63c6e8592f3e7c982d027b7b58e1ed6f9957c84e842c112f94215a3ebbb31595f870fcd949bdede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
13f4ea7224417985aabae4a2f59fc2ba

SHA1
2d20752d98ce84d37a69d349d2c008e302748b59

SHA256
929688d666a67a627252819b523a1a80c92a092a94b155728b8ae603ec370c4f

SHA512
0cf9e68368fff17491537a97f62cd1dc0ac9d1d7330cb2ad3f3e252ad973097fd53e416c70e9c0abb7a5cf97ac92e58f364fa96c47c95c071df71aca94dd8501

Download Submit