hxxps://casacocornermudgee[.]com[.]au/Validacion-eBROU2

Analysis

max time kernel
1200s
max time network
1196s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://casacocornermudgee.com.au/Validacion-eBROU2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe
Token: SeDebugPrivilege	3712	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3712 firefox.exe
3712 firefox.exe
3712 firefox.exe
3712 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3712 firefox.exe
3712 firefox.exe
3712 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3712 firefox.exe

pid	process
3712	firefox.exe
3712	firefox.exe
3712	firefox.exe
3712	firefox.exe

pid	process
3712	firefox.exe
3712	firefox.exe
3712	firefox.exe

pid	process
3712	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3712	3704	firefox.exe	firefox.exe
PID 3712 wrote to memory of 4304	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 4304	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 2504	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 4720	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 4720	3712	firefox.exe	firefox.exe
PID 3712 wrote to memory of 4720	3712	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://casacocornermudgee.com.au/Validacion-eBROU2
1⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://casacocornermudgee.com.au/Validacion-eBROU2
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.0.1416181513\1745267483" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1664 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c19c555-d761-4acf-8e1f-83a4c851d36e} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 1748 135d3206e58 gpu
3⤵
PID:4304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.1.262985874\919592513" -parentBuildID 20221007134813 -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {776af67f-f69c-40f5-b317-239bf77219e1} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 2200 135bf66f558 socket
3⤵
PID:2504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.2.36851659\1387492654" -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2752 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53647e1b-5250-4ed9-9937-f66e6f001425} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 3248 135d620f858 tab
3⤵
PID:4720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.3.711491102\1977082924" -childID 2 -isForBrowser -prefsHandle 2824 -prefMapHandle 3084 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {843efc25-aeb1-42bf-961a-9a3b2558de74} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 2832 135d737a558 tab
3⤵
PID:4896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.4.120572727\1920194896" -childID 3 -isForBrowser -prefsHandle 4532 -prefMapHandle 4556 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7ef7848-1ff6-4676-8e9e-e600bfe044f6} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 4664 135d8682558 tab
3⤵
PID:3244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.6.910033192\1464048271" -childID 5 -isForBrowser -prefsHandle 4984 -prefMapHandle 4988 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f77fbf76-d6ce-41ca-8205-b77f1e6a8b75} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 4976 135d8682e58 tab
3⤵
PID:1064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3712.5.920476205\1587870204" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4780 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc9d934-75ad-4ebc-8db1-3f2a2bcc1961} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 4596 135d8682258 tab
3⤵
PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize
139KB

MD5
2ffa6b5d5524aea37341622b591b6fe4

SHA1
a53282d02c5a395178052b8db5d19d51edff403e

SHA256
4f02fe07c8137638dda44719b8fc580cbcdbfa4f60d1e5a62d4d2e379f8ce99a

SHA512
9049f7e90a449297cb617e4ec64ec8be000dd86643cdd841b5bb6ab1a64b38c6d5654a05094684270e26b99de221a7ad0cd83eab87f14aac2bfb1e25d6d5674e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\cache2\doomed\3891
Filesize
9KB

MD5
c52d7fd0a80034361965c2b243a6222f

SHA1
cff3462f0d2dbac9f978c205b9e6d55a0437ab0c

SHA256
497068c514928d2598e9300e12a954b48b718540054ae6ae119e86bd0d695068

SHA512
1bb8198af5a5e359c7992751f6242bef871dbe41563363ced8b35527261a3018f080e1c7db9d7947919b79e7ccb0a99f9b73a5636636be284d0cc004b60296b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
74798b34e0d004025c47d7ffba68486f

SHA1
f7381fb77290e9e7b9566a49d5d86fab3a105c4a

SHA256
1c58e03e7802b0d4f7d21ba3fda150d11c9d559b28079e691bf845155c3e2e37

SHA512
7add65f68dadbdfd39ff6edf29ffb6d65a26983d4c8196982d8bf18d3d48b59e68aaefaa4f58c5e2f2f44e40673a7ac1dc267c1062a557dd545c9cf5a68978ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\cert9.db
Filesize
224KB

MD5
8469c86b053cd3c5fe907f79fc33247b

SHA1
06cf0ded6c2d6883b8456f8ae9e3e6860c8445ce

SHA256
25211521b469375e5f2c9d7a4374df651f714c108855f33ec4dcfa9e8773e0ae

SHA512
256e811dd8cb7ea8f9861f5060245f3db73b2041b7309d28bab5f5dcb99c1c424580ea83bdd93d3e4283356a7bd3d1d84462c5d7f3a68c9f62ca934cbde81f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e5f35b6eafe705929007af59adffcc3a

SHA1
98b4e34f0a3d09317c0858bd25aa602a98f1386d

SHA256
8e0151f2a759d8b0069c15430438f5599595999cf54e8a5a45868bdd4e1d2ecd

SHA512
b99549505a95eb4ab4f29ff33ea636ef12f474254e471de1f8ae97fe0dc057730059ccb6d074647c87b109a452cf660d292eea7074216840554598be5c67713f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a55152d417394c9d403fac8ef3b6be22

SHA1
686de53c7576d262ece817b714e05b94747373b0

SHA256
55c524887a862c1f810edcddb33aac670d8b434bb06d43cfc9cbc89d761b8ea3

SHA512
57430e170aeb29ab9a94e0ab6726bdee80517cc44c1b740fdeaeabe01723d8b1cb8745866fa241ce878a57bde77c1e8df3a1f10d691a0c846eef366a4c5450f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
13f4ea7224417985aabae4a2f59fc2ba

SHA1
2d20752d98ce84d37a69d349d2c008e302748b59

SHA256
929688d666a67a627252819b523a1a80c92a092a94b155728b8ae603ec370c4f

SHA512
0cf9e68368fff17491537a97f62cd1dc0ac9d1d7330cb2ad3f3e252ad973097fd53e416c70e9c0abb7a5cf97ac92e58f364fa96c47c95c071df71aca94dd8501

Download Submit