Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    22/04/2023, 04:15

General

  • Target

    step1.html

  • Size

    24KB

  • MD5

    2b82fa5b3d7b356ff2fa59156d3f0867

  • SHA1

    08870bb3430bcb37288f6e1d549b87e7dca6aec3

  • SHA256

    c4e17068cc4fb7a98775eab4177a3c7cfaa9fa7fe62e02abcc535cf3cae4c0dd

  • SHA512

    01873f5e703db8b40ae55df1869fc19f9906dbf897fa6eb8ec25cb713b694075a1b370b8ca044ca26cd5186f5f4dd56bb3dd10a444751bc4f6a78f0e4f00b165

  • SSDEEP

    384:3aFz9FKVU+dWoNY9roAC8saTlOG+uLShUNpK6NiUnajc1pk/sS18TxXbLIThPZGm:3ml7TB0aTlOGBqdcxSKTNghPt

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments. In this report the only process attributed the behaviour is the Firefox main process (PID 3048, see Processes below), so the registry reads are the browser's own hardware enumeration rather than evasion by the submitted HTML; this is consistent with the 1/10 score.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. Here the signature is raised with one TTP and no IoCs, and no process in the tree below is attributed to it, so it is a match on capability rather than an observed persistence attempt.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\step1.html
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\step1.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.0.689840358\1126947676" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9819e96e-2565-4ffe-852c-b6610a4810d1} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 1932 25da1f19858 gpu
        3⤵
          PID:3280
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.1.546725411\180026589" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {888374b1-9119-4caa-a207-5e65147da7b7} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 2440 25d93f6f558 socket
          3⤵
            PID:2712
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.2.401264824\1433349487" -childID 1 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {555dd175-f210-412e-950d-181436a9cfc5} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3496 25da4c31158 tab
            3⤵
              PID:4264
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.3.249788673\10446236" -childID 2 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7945500-b173-4748-9af1-384f7ad09726} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4132 25da61b0558 tab
              3⤵
                PID:2732
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.4.1240393832\542984870" -childID 3 -isForBrowser -prefsHandle 4960 -prefMapHandle 4952 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efa7b940-83d3-437e-b1ba-d18b8d925d4f} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4968 25da70d1c58 tab
                3⤵
                  PID:1084
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.6.1966590899\1965461458" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4ad917-8c3d-4981-b904-e38fc2c3d4da} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 5300 25da7a0b558 tab
                  3⤵
                    PID:1268
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.5.1370613288\965543295" -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb0421d3-0a9a-445a-9ecb-60a05bcd6da4} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4992 25da7a0ac58 tab
                    3⤵
                      PID:2360
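The process tree above has a shape that recurs in every benign Firefox run: a launcher firefox.exe (PID 1304) re-executes itself as the main process (PID 3048), and the main process spawns -contentproc children whose --channel value starts with the parent's PID, which all share one -parentBuildID, and which run -win32kLockedDown except for the gpu process. When triaging a browser report it is that structure, not the generic "Suspicious use of ..." signatures, that tells you whether the document did anything. The following Python is an added example, not part of the Triage report or of tria.ge's tooling. It transcribes the PIDs, parents and channel values from the report (command lines abbreviated to the flags that are audited), and flags any child that breaks the pattern. The set of accepted content-process roles and the lockdown rule are assumptions derived from this report alone; the two anomalies in `anomalous_tree()` are constructed and do not appear in the report.

```python
"""Audit a Firefox process tree exported from a sandbox report.

Added example (not part of the Triage report). It encodes the benign
structure the report's Processes section shows: a launcher firefox.exe
re-executes itself as the main process, which spawns -contentproc
children whose --channel value starts with the parent's PID and which
all carry the same -parentBuildID. Anything outside that pattern is
returned as a finding.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
BUILD_ID = "20221007134813"  # -parentBuildID seen in the report
# Content-process roles present in this report. Firefox has more (rdd,
# utility, ...); extending this set is left to the reader (assumption).
KNOWN_ROLES = {"gpu", "socket", "tab"}
# Roles the report shows running with -win32kLockedDown; gpu runs without it.
LOCKED_DOWN_ROLES = {"socket", "tab"}


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def argv_of(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _content(channel: str, role: str, locked: bool = True) -> str:
    """Build an abbreviated -contentproc command line; the report's lines
    carry more flags, only the ones audited here are kept."""
    lock = " -win32kLockedDown" if locked else ""
    return (f'"{FIREFOX_EXE}" -contentproc --channel="{channel}" -parentBuildID {BUILD_ID}'
            f'{lock} -appDir "C:\\Program Files\\Mozilla Firefox\\browser" {role}')


_MAIN = f'"{FIREFOX_EXE}" C:\\Users\\Admin\\AppData\\Local\\Temp\\step1.html'

# PIDs, parents and --channel values transcribed from the report's Processes section.
REPORT_TREE = [
    Proc(1304, None, _MAIN),
    Proc(3048, 1304, _MAIN),
    Proc(3280, 3048, _content(r"3048.0.689840358\1126947676", "gpu", locked=False)),
    Proc(2712, 3048, _content(r"3048.1.546725411\180026589", "socket")),
    Proc(4264, 3048, _content(r"3048.2.401264824\1433349487", "tab")),
    Proc(2732, 3048, _content(r"3048.3.249788673\10446236", "tab")),
    Proc(1084, 3048, _content(r"3048.4.1240393832\542984870", "tab")),
    Proc(1268, 3048, _content(r"3048.6.1966590899\1965461458", "tab")),
    Proc(2360, 3048, _content(r"3048.5.1370613288\965543295", "tab")),
]


def audit(procs: List[Proc]) -> List[str]:
    """Return human-readable findings; an empty list means the tree matches the benign pattern."""
    findings: List[str] = []
    by_pid = {p.pid: p for p in procs}
    build_ids = set()
    for p in procs:
        argv = argv_of(p.cmdline)
        if argv[0].lower() != FIREFOX_EXE.lower():
            findings.append(f"PID {p.pid}: unexpected image {argv[0]!r} spawned by PID {p.ppid}")
            continue
        if "-contentproc" not in argv:
            parent = by_pid.get(p.ppid)
            # Only the launcher -> main relaunch (identical command line) is expected here.
            if parent is not None and argv_of(parent.cmdline) != argv:
                findings.append(f"PID {p.pid}: non-content firefox.exe child with a different command line")
            continue
        role = argv[-1]
        channel = next((a.split("=", 1)[1].strip('"') for a in argv if a.startswith("--channel=")), "")
        head = channel.split(".")[0]
        channel_parent = int(head) if head.isdigit() else None
        if channel_parent != p.ppid:
            findings.append(f"PID {p.pid}: --channel parent {channel_parent} does not match actual parent {p.ppid}")
        if role not in KNOWN_ROLES:
            findings.append(f"PID {p.pid}: unknown content-process role {role!r}")
        if role in LOCKED_DOWN_ROLES and "-win32kLockedDown" not in argv:
            findings.append(f"PID {p.pid}: {role} process running without -win32kLockedDown")
        if "-parentBuildID" in argv:
            build_ids.add(argv[argv.index("-parentBuildID") + 1])
    if len(build_ids) > 1:
        findings.append(f"content processes report several build IDs: {sorted(build_ids)}")
    return findings


def anomalous_tree() -> List[Proc]:
    """The report's tree plus two constructed anomalies (not in the report):
    a content process whose --channel names a foreign parent PID, and a
    non-browser binary launched from a tab process."""
    return REPORT_TREE + [
        Proc(5555, 3048, _content(r"9999.7.1\1", "tab")),
        Proc(6666, 4264, r'"C:\Windows\System32\cmd.exe" /c echo constructed'),
    ]


if __name__ == "__main__":
    for label, tree in (("report", REPORT_TREE), ("with anomalies", anomalous_tree())):
        print(label, "->", audit(tree) or "no findings")
```

Run against the report's tree the audit returns nothing, which is the result the 1/10 score reflects; the constructed tree shows the two findings a real compromise of a tab would most likely produce (a child that is not firefox.exe, or a firefox.exe whose channel does not belong to its parent). Firefox's mitigations, the role set and the sandbox flags change between releases, so the constants at the top are pinned to the build ID in this report and should be refreshed for other runs.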

Network

MITRE ATT&CK Enterprise v6

Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  144KB

                  MD5

                  bd99489d351145f32379fe16f3967177

                  SHA1

                  a81cbf341d1ec2ac984342abea2c59f819f6ff16

                  SHA256

                  a05a515386f571388d5a186f5d9da57cb9c0692d3ded7e110cdd83f5c705e0dd

                  SHA512

                  bce97d047279224eddcd3b69cc86c9e7836773b54e5353b80680830105875f60aaaf77fa198e8a48610c5900c4c199e90ff38b010775b85bd242550ea5a5164e

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

                  Filesize

                  6KB

                  MD5

                  07926a3c02d75ba7cfd7eded8b32abc0

                  SHA1

                  c83e3276a038213f5c7fd6c9619cd50a2b01bd4f

                  SHA256

                  d1a83600b13861fefc5b3e652d61d29874f04a34345b79c04557fa37ef2f44e2

                  SHA512

                  ce71b5922d1fd15c98d26f93b62b372510a19af823c94b1505e696db0ea8b5933ef604e1ae5b2d7a8d25f6d3cc19eb202d9ec09cb24c10009f49a0cf14098cd4

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

                  Filesize

                  6KB

                  MD5

                  4d54714cbde87e5abf0a813f8cec4388

                  SHA1

                  6ed37ab3063dc9c7af378d52bd515e2c81b0220d

                  SHA256

                  aa1618dfe38f6c6d41ee53816c071fa085c3f50504f9509517165aebb38c819c

                  SHA512

                  0649658cde05cd6e639d387f346f76e1b873da8fae8d8be8ec81b1159d3dc414b8ec20bce675048129ec1230a69cf12a8689b16e9555756c81802b85d0e4465a

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

                  Filesize

                  7KB

                  MD5

                  07aa92ed34706d83969cef78126190f9

                  SHA1

                  58bb03a8713fd42f391ef132816cb300733712c1

                  SHA256

                  4c80979516969a4cac3b2e7a90c2ff1372f0ea9cc2541d81c13a90ec8d0f495a

                  SHA512

                  135c5c216e5b270b2989cbca06a8a4b535aaeaa4534c9d051c799d86223994b93ec9b8fbbd0542c0c8d11f1f5a3108bf55c9b26269eca7350abdde1c8f8dcb9b

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js

                  Filesize

                  6KB

                  MD5

                  207077fed406e49d74fa19116d2712aa

                  SHA1

                  3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

                  SHA256

                  b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

                  SHA512

                  0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  6920fd529d268407a345e8f9df3a7439

                  SHA1

                  a461ce06e369e3c6f9c42c23b9ef826239de491f

                  SHA256

                  bd94dd4f1ad4be776813a4158ea642d78a243b4f63f299583007d7a09b6a2143

                  SHA512

                  62c8d300b8aaa94434879282f3f110bd65d809985f4375fb5f76897c5836e50cee93f8bb9ebcf626c62543770803b3fa485726ab245572cd52a12e944b14f32f