Overview

overview

1

Static

static

1

URLScan

urlscan

https://we.tl/t-VCeN...

windows7-x64

1

Resubmissions

01-04-2023 15:00

230401-sdfwcacb3v 1

01-04-2023 14:59

230401-sc7mnscb3s 1

01-04-2023 14:56

230401-sbgpvsaf95 6

01-04-2023 14:53

230401-r9pmpaca9t 7

01-04-2023 14:50

230401-r73rjaca8t 6

01-04-2023 14:48

230401-r6gsnsca7s 1

01-04-2023 14:45

230401-r4v8aaca6w 8

01-04-2023 14:42

230401-r24rmsaf49 8

01-04-2023 14:39

230401-r1h4jsca4s 1

01-04-2023 14:36

230401-ryy2zsaf34 1

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-04-2023 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://we.tl/t-VCeNt9Cn60

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://we.tl/t-VCeNt9Cn60
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://we.tl/t-VCeNt9Cn60
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.0.1515349512\451045191" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26628812-77a6-45df-8a76-5ca1f1ae77c3} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1260 13daa058 gpu
        3⤵
          PID:1008
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.1.1645395202\881213604" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e4d2ff-b25a-43a2-a02d-6c22ae847f37} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1476 d6fe58 socket
          3⤵
            PID:580
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.2.1767241682\1794123682" -childID 1 -isForBrowser -prefsHandle 2156 -prefMapHandle 2244 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {101135a6-23d9-4634-80fa-9cbf5c2007d7} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1824 d64458 tab
            3⤵
              PID:1208
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.3.1154011188\319079408" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {623b6531-5908-4e59-81d6-fc21b8d44695} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 2812 1c29e858 tab
              3⤵
                PID:1504
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.4.169366121\1308060507" -childID 3 -isForBrowser -prefsHandle 3416 -prefMapHandle 3408 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97b42f5c-db87-4945-b85d-1105f9ac42c2} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1076 10cfdb58 tab
                3⤵
                  PID:2220
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.5.980680653\795030776" -childID 4 -isForBrowser -prefsHandle 1068 -prefMapHandle 3468 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dafca38d-115d-48e6-91ec-aed9dcba4f9b} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 3440 1d5dbd58 tab
                  3⤵
                    PID:2228
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.6.938701821\1728051351" -childID 5 -isForBrowser -prefsHandle 3572 -prefMapHandle 3564 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19e61c07-8b9c-4d60-9cfe-3161f43a28dc} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 3636 1d5ddb58 tab
                    3⤵
                      PID:2244

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  154KB

                  MD5

                  0db5d84db93ff017154d0bece9efdb7c

                  SHA1

                  b4243be3127024a7b6fde362bcc253e3c805297b

                  SHA256

                  112e5d9a72b1c6ac0bbfabf8f8db64ecb694b06aefeeecf0776cf99608aeb8c1

                  SHA512

                  54a9c4c432c4cdb0e67e172c95aec05a110995d0da7871d57cd478b2a93e1f729397f7cb46c63d103af747d35f8f0593465c3a34eb02566993e7929867b71cf8

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  580aaebcc2926902dc1a82b71a1c70e5

                  SHA1

                  844e9d6832ad15e30e1f1e02b2fc1978c3955cf4

                  SHA256

                  2f8cfc1df1a4d6d9a5a338f79e811bf5e3584e5a62fec47638de62bde69cd5bd

                  SHA512

                  6a3004e1dba88f2d5cf2adda5939379bfdc94fc77557fb28ab116da1056a2982a0d2c3d9f1ad4b9a381917cf801a6edade445f2daa7771945fd30087b90a2086

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1014B

                  MD5

                  6002363fd86798552faa0b1aa3f53a54

                  SHA1

                  6e0878280db2de6452780775b2a4c70073daea0a

                  SHA256

                  37a6f33e11c8223f4a009b7714549f88f4befa91936440bd1a22ad045cefab91

                  SHA512

                  1fb078d4b22fc262ccd1f286b9c565b99dc08a00ca0d5cc27a7d9a02716e189af91791c075afa7a3b820793df4ed292c1b9fd3489d30ad93e9225bc074a41405

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  184KB

                  MD5

                  3bf2337566f8cdd2e441d210b429b4dc

                  SHA1

                  91fb3fb9362cc0427798e6d7d98973c5cd10af9f

                  SHA256

                  b874478ace0ac99cae65dc69e5fc1e6642223244ded9be62db8b2989eda7bc8d

                  SHA512

                  bb55659ce27062249ef8a8add235375378471c3895f96e6c53752baded907c4bb655d6dd5cd8bec38eef888ec23356b58e405d05e77e0c9394332cb20691c1c6

                  Download Submit