Overview

overview

1

Static

static

1

URLScan

urlscan

1

https://www.transici...

windows10-1703-x64

1

https://www.transici...

windows7-x64

1

https://www.transici...

windows10-2004-x64

1

Analysis

  • max time kernel
    600s
  • max time network
    596s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/04/2023, 12:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.transicionxusta.org/eBROU/confirmar.php

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.transicionxusta.org/eBROU/confirmar.php
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.transicionxusta.org/eBROU/confirmar.php
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.0.1256901038\580491793" -parentBuildID 20221007134813 -prefsHandle 1588 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a02bb0-b182-4b90-a270-ae46b202bcb1} 400 "\\.\pipe\gecko-crash-server-pipe.400" 1716 26effba7558 gpu
        3⤵
          PID:3784
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.1.260227504\846813301" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9d3da47-7121-4f85-93ca-75e3b8d1c4c7} 400 "\\.\pipe\gecko-crash-server-pipe.400" 2168 26eff212e58 socket
          3⤵
            PID:4148
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.2.1674801058\699354205" -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bcae4b3-c1c0-4e5c-9230-4a1790952bb9} 400 "\\.\pipe\gecko-crash-server-pipe.400" 2668 26e85d51458 tab
            3⤵
              PID:1256
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.3.1708334299\629373083" -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98668728-5244-4482-acd8-86ee896ea39c} 400 "\\.\pipe\gecko-crash-server-pipe.400" 3796 26e87276858 tab
              3⤵
                PID:3536
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.4.167894571\573111939" -childID 3 -isForBrowser -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a19eb8-97b0-46c3-ae7b-0ffaa59df0c7} 400 "\\.\pipe\gecko-crash-server-pipe.400" 4504 26e881dc658 tab
                3⤵
                  PID:4888
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.5.1499098117\1282751755" -childID 4 -isForBrowser -prefsHandle 4664 -prefMapHandle 4668 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {204ea0ab-5aec-4983-9e6b-140241d32455} 400 "\\.\pipe\gecko-crash-server-pipe.400" 4656 26e881dba58 tab
                  3⤵
                    PID:4892
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.6.1123091049\500421166" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4876 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {318acc76-08f3-4eab-b41b-00ea68a947c9} 400 "\\.\pipe\gecko-crash-server-pipe.400" 4860 26e881dcf58 tab
                    3⤵
                      PID:4920
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="400.7.1403449911\604046688" -parentBuildID 20221007134813 -prefsHandle 5288 -prefMapHandle 5284 -prefsLen 26702 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e917e67f-ab64-42c8-b282-d8c1ac83fb9b} 400 "\\.\pipe\gecko-crash-server-pipe.400" 5304 26e84c16c58 rdd
                      3⤵
                        PID:4360

                  Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          146KB

                          MD5

                          6392d1f0f80628804ba1ce629cec6cff

                          SHA1

                          90ccfd1b6b74618f7ae1d57c9cb1d22e3d240808

                          SHA256

                          6b6852cbff9917949a638a61f90b26578d1b9c05d58c59baba8a9ab19e0e5c1a

                          SHA512

                          5a8e6a1a1940fbd1bd1d09c58122d62178ee7e1cb53bfd80ef9d2661a1091c860317da4cd5a38004873a890643f6c5f1b90d4e8b7c9981f80812ee35f7e3a40a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\cache2\doomed\383
                          Filesize

                          9KB

                          MD5

                          78327bbfb305ac3f8135464448591b49

                          SHA1

                          ad8a7c8b7cadbed2f2b4b082351feab901aca703

                          SHA256

                          f6e4c54fb354d67aff2eeaa45bb5686cff52c317dd7d6d5fecf7fd9e2641c1a5

                          SHA512

                          dbffef21f939caee89abafeae10f1c3d744753e777e33e065ec951719a3c03e10932ca176db0760b234c2367b9561668272ac69b338d5e9da815df0c015a1caf

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          4edabed13efa55d7f978184eb20cc891

                          SHA1

                          56f4afaec87d9a0231762cf0a73d1fe7971e6057

                          SHA256

                          2d6818b629f4fb1f40d3feebf61d12db1d0f34b6bd1def08a7c3256863d991e4

                          SHA512

                          d0ac3f33081b5fe14d7763f71f1493f3ecb3f34e1e2e2aea27ad50b9a0429fcb15aeb68712b8ac16c1a376eae14d3239673be2d64980bd5c9dc90788cfdf1b75

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js
                          Filesize

                          6KB

                          MD5

                          c205c8a6591363331cd60c7286ad4ac1

                          SHA1

                          7d4c89374e88116484984f5d0b5df0d59aa63ecf

                          SHA256

                          81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0

                          SHA512

                          fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          1d171ade1835121df4a1b880d86c22dd

                          SHA1

                          283e97eddb7bd7d96c507d46fd470f7d648026d8

                          SHA256

                          579d9f3a4fb313fde32dae49684df4a5fccdb1c85e940bba89d811c8d4c284d4

                          SHA512

                          0da96b1a14a27a65fd7fa7439542ad83e6c5f1613456a83972f74c4848cd56173abc764e5a22a94ca2002d4401e0b8718ff5ad861bf1690a77f55a09755e9d80

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          123de91700573dd38f0e9ace0d513e88

                          SHA1

                          541c6c61c5701f543b536ee8cc0bafdbe51c85c7

                          SHA256

                          a41f5b16703686fda63630bf08cf1e63fd8601b450514021dfe16fc2618845a8

                          SHA512

                          fe17c993c80abbcc4efd7bcb853f6fa969729598aef671f85f56901fc43f97cf078167e6163dd009363bf104b4c7c31c42b7a85d1dff378a52158ccd273f67c7

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                          Filesize

                          184KB

                          MD5

                          643cd63a8abcd7eab522adb4d02ae609

                          SHA1

                          942172af5063027de9d7cf192afdb4bda2d525f9

                          SHA256

                          1986ca783bab9b41c6b6318739e11fb4f3e0dbf96656597c947f7300985b2060

                          SHA512

                          9622b7aaf84f8dfe272987e0c76ced9ddf9588fd51838e32b71a81129fbc5ce77c1180439887dac3cd37c4964a0fc180f1a0026eb2eb8f31584abb38e65e14f4

                          Download Submit