hxxps://casacocornermudgee[.]com[.]au/Validacion-eBROU2

General

Target

https://casacocornermudgee.com.au/Validacion-eBROU2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2036 firefox.exe
Token: SeDebugPrivilege 2036 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2036 firefox.exe
2036 firefox.exe
2036 firefox.exe
2036 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2036 firefox.exe
2036 firefox.exe
2036 firefox.exe

description	pid	process
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe

pid	process
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

pid	process
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 1220 wrote to memory of 2036	1220	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1172	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1172	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1172	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 1596	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 916	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 916	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 916	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 916	2036	firefox.exe	firefox.exe
PID 2036 wrote to memory of 916	2036	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://casacocornermudgee.com.au/Validacion-eBROU2
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://casacocornermudgee.com.au/Validacion-eBROU2
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.0.2079665665\332371091" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6b5fb0-8731-4889-8dd2-31d67ac01442} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 1256 142a8558 gpu
3⤵
PID:1172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.1.145089643\1195903821" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71c164af-b361-4886-8c64-e7232294636c} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 1472 f70758 socket
3⤵
PID:1596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.2.209541338\153334599" -childID 1 -isForBrowser -prefsHandle 1840 -prefMapHandle 848 -prefsLen 21899 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f164540b-e58b-4f39-a32a-52b07c7218a0} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 1976 1ace0b58 tab
3⤵
PID:916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.3.2020480100\505304132" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57254756-b881-407b-a2c8-a1a3324a21b3} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2812 1cd36658 tab
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.6.2114377843\1700452884" -childID 5 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bb8d48-42f1-4590-bbaa-704e9967d317} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3576 1e1b1358 tab
3⤵
PID:2412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.5.1085952912\912049953" -childID 4 -isForBrowser -prefsHandle 3400 -prefMapHandle 3384 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2687f5f0-8355-4c75-97f3-c6cfaacffeea} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3504 1e1b1c58 tab
3⤵
PID:2400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.4.1912415950\1006300918" -childID 3 -isForBrowser -prefsHandle 3452 -prefMapHandle 3200 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e176145a-7aa1-4e1e-bcbf-430ff534b262} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3468 1e1afb58 tab
3⤵
PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\841yyxv3.default-release\activity-stream.discovery_stream.json.tmp
Filesize
141KB

MD5
afd55adbe2d1439a01dc1b0964b80064

SHA1
0106eadfaebcb4f4506c7c227d2c1a3150d23f62

SHA256
9cdf8c1b208149a22b471d267e59705c5da8d5746714a5004a0c0cbf85f56664

SHA512
b05d9de2dffd405d9e7c573e1cadb08e79d92fd2fc0c9629813ff846ae9fbf752feedd2b3f7cf85ca0aed26531afc5783e1b8114ab1b58c647b3f4fd060204a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
519062cda7c21f2ff5d989b4655283a7

SHA1
2c70a0e1436ce170b0fe1129908e1b8743a55e25

SHA256
680a70190ff545ede266bbf58cc4943ab2844e6350fbbdad547c4bf098e1bd2f

SHA512
c566ed341ecdcd485670c4b5445d28af607ab718cce79c5bb43833ba81767ce8653efb265b532a0186afb04b499358d1227219afc3ce7f14143329d80adce23e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\841yyxv3.default-release\prefs.js
Filesize
6KB

MD5
af5e0d0f83969aaeb4fa6e78d6f95a24

SHA1
2bd8d80e93e21ac00bcd76ace582b012c30a7e66

SHA256
ea920c40489f3fe7fc1e02d86070da051c38ac5ef6950a15955116f7bf2e0891

SHA512
7124e5e077ff990e53c23f8b4c87ccb485ea2f7e28b1e465846aa2f1b4190fc1ccd905a8a2d10b7c7373f0bb5e4a4f0b37da769e5fb877099b61201fbed50b52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\841yyxv3.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
25e50fea95200772d78c1c7b92a00fd3

SHA1
57cf945968dfb9897f28fb57dc99b90100ebc427

SHA256
05a753c02eae7fb42e5381ab5932c6aa37e45155cf9d3095dad2f9a3b6ddcd71

SHA512
5141e6b9d3a31877962304489433d4a2939f672f99cc9bfa47dc314f01aea23923e9e4799fb9f0581cabf8ebcb1381eb114f3e6f5eb74f08371273e4b1170e94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\841yyxv3.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
938B

MD5
ab4dbe05e34dee83845bbe22d3dbf56d

SHA1
e986803c463d7b341041f3a8640ffa6027acae66

SHA256
913f21357d4bf3469d6542af5a805a789cead270c8b62a39dc6436c3c281c18d

SHA512
90f74fd33e6c2e2a6031dd1a871e640f9dbb113a971080e43d90a58b078dcbde18252ee4cbe7a168be548dab34a466254eb260f024eb8781b3faf7778dbde6f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\841yyxv3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
2a48c93f6e80d3db2dbb31544e1772ee

SHA1
9bece495f40849902266b2074287b1390c66563f

SHA256
84148e2e5162bb191feb358bad138ed7eeac5d059ce8bf29ade690359218416e

SHA512
1dff93d2b80db14e1acf5b43524598554dc3a75fd73e668c550a62d66dd59b3eeb657d06a1f8344765bdf6dab230c83fe894a0f9e416ea2c7392ec254833c009

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads