Overview

overview

10

Static

static

1

URLScan

urlscan

10

https://business-con...

windows10-2004-x64

6

Resubmissions

23-03-2023 14:38

230323-rzqf8sgc89 10

23-03-2023 14:34

230323-rxqzzsgc82 10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://business-confirm-appeal-4baff.web.app

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://business-confirm-appeal-4baff.web.app
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://business-confirm-appeal-4baff.web.app
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.0.1638675146\1380646338" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66135962-63aa-43e6-82cf-6094a52b53d1} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 1920 1eb45982b58 gpu
        3⤵
          PID:4816
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.1.779023119\1996186824" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12754e27-7fda-4244-a922-d1795522303d} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 2408 1eb3796f858 socket
          3⤵
            PID:3080
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.2.1493704542\375920412" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3000 -prefsLen 21776 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf11a8cb-573c-4763-82ef-2a57e0998dae} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 3140 1eb488dbd58 tab
            3⤵
              PID:4872
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.3.2113919047\1571149133" -childID 2 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d26e098a-8124-4aab-8580-dab41d406cc5} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 4104 1eb49d3e558 tab
              3⤵
                PID:4356
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.4.1501961807\2000693163" -childID 3 -isForBrowser -prefsHandle 4704 -prefMapHandle 4708 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5771c381-2b3f-4681-a905-9abce0e4583f} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 4804 1eb4ad5c358 tab
                3⤵
                  PID:2808
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.5.1385040230\1403023774" -childID 4 -isForBrowser -prefsHandle 4464 -prefMapHandle 4788 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23c95553-be18-4020-9f85-7000402bf42c} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 4396 1eb3796a858 tab
                  3⤵
                    PID:260
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.6.346114434\1376168634" -childID 5 -isForBrowser -prefsHandle 4800 -prefMapHandle 2184 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c546333-f672-4558-bcac-bcc8d6dce433} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 4400 1eb46cace58 tab
                    3⤵
                      PID:1468
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.7.1784154432\1178862714" -childID 6 -isForBrowser -prefsHandle 4908 -prefMapHandle 4400 -prefsLen 27172 -prefMapSize 232645 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43b9b211-a86c-412f-bb16-23e9d6ea2879} 2244 "\\.\pipe\gecko-crash-server-pipe.2244" 3936 1eb46cab358 tab
                      3⤵
                        PID:3140

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    152KB

                    MD5

                    ff97c273beef00872b1452d918894377

                    SHA1

                    3aec87818805957b96960e6f8f2c4e7ec2015167

                    SHA256

                    8e8add5ab89e6914874987f34830f52615e98be91d93253b7f6ba7390b778252

                    SHA512

                    14f6383622078b9e1822da075e7f967621f2c390a36968c0bbf609a9067ca52a84e0a803ffc2372110aa276af2d9d1bbb33aa4608681928559d99d7c06d6e7c4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    0ab2d1975dfe27d98aefdf6146daf47c

                    SHA1

                    55a9ee331e344db0c74e6ee37dc8a242db7039f6

                    SHA256

                    46c9f0d974bebe2819b60c61d5b224cdb29e9a75e4397463bc72f30fd60492ab

                    SHA512

                    4a3f9a839089b3d681a994956e517736e38b6b6898cbba4908718f6251c0088d9d2af0f85c78445ec7ace66b72b2cfbdd61b60de1797a0a6bb5c4ac1f4c445b4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    e4a2aff47e27b3e859583feff0e4757c

                    SHA1

                    0eb11cd34bbddfc0b649974365edcb250a2e06f6

                    SHA256

                    742b88e82ca44cc2b39bca30416231a0d8437dfed1473a887bf40c3a5f5f64a1

                    SHA512

                    600519e95bb4ea2cd1395bf82e282fcdda346be5a89ec64223f86101916ecf8210d0d785319632b4214e6984fab23136e1255aa9d7959edb4ee9896cc1e57eef

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    9602a058a6e3a47ca7e92148af726f39

                    SHA1

                    43caadac1f494e815c7a0924b278beaaaf3f493c

                    SHA256

                    b95ec31d4c8b29cc2374e4c16867090ed5e1823667953a532ac211a70a35fb8f

                    SHA512

                    56110719e50033031b2266876c96f86ab973b3a712309fb6b84abaa8dc16810cbec7f2f54bf730061f31d774c92276bd3992ce04b57e98c29069f567ed41a388

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    5c36d8ddc601d98b0d2b85369e9ed708

                    SHA1

                    afadfe840aadc6fc56409b03b5d3831e51ae0a14

                    SHA256

                    7fff4e1a1bfdc785a7b9c6efb22e08930ce1133b7696e07349e373f69d38c51e

                    SHA512

                    9e35a6dee7b9b9f56a97f63916bba4390aca83d8b32e77ceb7fb33a060a41444c12e022f73d53710441d934f74f511fbccdb060bf031e1adae269a4391a88ab8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    9ba84c145b670a39c9bef63d3eeb26d1

                    SHA1

                    f272aac445f12b1c2c9690eb8bd098efc8326503

                    SHA256

                    1af234b42a93a9c3a0f34fc3ec7b733c2f2d2413fb13d4bac682d15ab2893d3d

                    SHA512

                    e601461edef53b1f379619858ddb02b38957c862b3262c30ec1826171ef095510a0a61bf8c4184fb0c3619c67a946dbc0e92d539f1db4a31b11ac61094f2a1c6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    9971fa8fa89a208685d3e30835832fb5

                    SHA1

                    5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

                    SHA256

                    13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

                    SHA512

                    02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    19KB

                    MD5

                    8b8e75dcbfbad45ed3872f4bbb493671

                    SHA1

                    909719c3997c6233969627f2dd0583dd23de37d0

                    SHA256

                    60731f5f01b8ad9d5bd6132262bb74f350e0104e7b951f7f6f55cd8c30c9a24f

                    SHA512

                    d4058156e66ac8185fb1ec686bc08c3cda6fe44e635e5e94758f341cc5236235e42f8d1b73d99583247f390716e97cbbcc5de6f528930a69a144845f30ff4681

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    19KB

                    MD5

                    744ded80bc78cf944ccd48466b43ebd0

                    SHA1

                    b44102c5c1e93da48091180fef15b7088694a4ef

                    SHA256

                    0e6135d59986b016c107b158ee6788e1f26a27af52a57f6256038239d1719d94

                    SHA512

                    4373aff4a41dfdba6574d9c2492e414721f90cd506a25e0e2f724a6d31ac481ddd40c5364778c01d8755ce1be1809a8fbcf7e18f58ea8414cac4147079241dde

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\cache\morgue\205\{4516ea36-1b04-4f57-81f8-00e272f09ccd}.final
                    Filesize

                    1KB

                    MD5

                    aa1157a6d293f679da85cca47a48a18b

                    SHA1

                    a03931e58bb280c737c0325717653d7197496728

                    SHA256

                    d9ed306d2c3021518e9d57bb0403fd311b8e81838bf47c4192f2b7024ab2f9d8

                    SHA512

                    a2991e15c6786fab0a0cec1a9efdf5c0e77055ff84c1f882d7b76562276317267fbc184a96df25894e59162f3f5c407ff48624e321eb6686d0e438828233af14

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\cache\morgue\205\{8489310f-b2a7-41c7-af7f-c7d916b396cd}.final
                    Filesize

                    341B

                    MD5

                    2085433e53ae1790db220609995f15b0

                    SHA1

                    871188a1e748fc2ee92c33f8df6108ea6ae0a69c

                    SHA256

                    0dcf24b02a48c9ea8f0e5510a22fa2973c3360207ab69e729957175c96148aef

                    SHA512

                    c13d1799d10a09950134a43cdab105f413485449e8dffeef51324470375a1d1893c263ebb90bb4218a2c8ca60f55667e464ee1910b0c34301b00d583e10f950d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\cache\morgue\215\{03cab402-abc8-427e-90d3-9f4f9aa813d7}.final
                    Filesize

                    4KB

                    MD5

                    b0466a3316b81f5706e089693fa7811d

                    SHA1

                    4d8658113c1de6dd9be9b563302eebd9032726f2

                    SHA256

                    04777a27b4001f933e07f8f468b6cc60b9d48d8ac49cf5effcfe23b8d07ee8ce

                    SHA512

                    ffb06a70805309ea2d77023684e59fdd77e5cce6af3a65c06022df979c9cf89b38d9a4f67cf7a7d42b37d7d707032fb437e17b50137446898abbb890a4a9ae20

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\cache\morgue\27\{4549c6e3-bd7b-4ba2-8f3c-e7cef670fb1b}.final
                    Filesize

                    276B

                    MD5

                    ad09fe22c0cc8d78a5428208c177e7bf

                    SHA1

                    e69d092d261714dace869ec26f7e23d5f46e957d

                    SHA256

                    3a6eb3956280ccc09e312675b5dba4774153be4bf6bfd67a91aecaad887b3b4b

                    SHA512

                    e436cc7231ede3809c990f85c76eb1cd48a5352c336005f959f2dd20e378871c9d109d85feb40349cac3c84e023d88efc97838b25a5adb9f7a236eac1df780be

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\cache\morgue\63\{83d29041-5309-4106-b839-6c0d734ea73f}.final
                    Filesize

                    1.1MB

                    MD5

                    7053a420b2068004d7b5e02606d7bcb4

                    SHA1

                    f973c49ffe97ec7eba40cdd547c4871d0e6d924f

                    SHA256

                    667d3934bfab3a1d9a5fc8605eec3b11000d727451117b8bd6f3aaa0aa283dc9

                    SHA512

                    e8bb119da065b4dc4a78fa435a740b95c5b4ed789bdcaa0ee396ebf72c206911b7477c183bd3c0d2b65a1d2b09e8268f3d0780c9e2944042593cb5e473e5a2c8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\default\https+++business-confirm-appeal-4baff.web.app\idb\2926346687feisraebbaatsaed--hte.sqlite
                    Filesize

                    48KB

                    MD5

                    a5cb273520cb59dab27ce049bed5e575

                    SHA1

                    929a67a213e75dd5c31ed92b3185417788644e56

                    SHA256

                    4950b64ca7b4b0f335a710877da5063ebe7c554913da6e33ac1f762dbbbb4fcb

                    SHA512

                    51f7494bc3fc37b6c2279b4f8f24e2235351d0d8457226bff9063a4af5f0bacd0a4214593688491e99ada5b6f8ac4b7529f2960cdccd327d01c4a459d16cc274

                    Download Submit