c4e17068cc4fb7a98775eab4177a3c7cfaa9fa7fe62e02abcc535cf3cae4c0dd

Analysis

max time kernel
45s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
22/04/2023, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

step1.html
Size

24KB
MD5

2b82fa5b3d7b356ff2fa59156d3f0867
SHA1

08870bb3430bcb37288f6e1d549b87e7dca6aec3
SHA256

c4e17068cc4fb7a98775eab4177a3c7cfaa9fa7fe62e02abcc535cf3cae4c0dd
SHA512

01873f5e703db8b40ae55df1869fc19f9906dbf897fa6eb8ec25cb713b694075a1b370b8ca044ca26cd5186f5f4dd56bb3dd10a444751bc4f6a78f0e4f00b165
SSDEEP

384:3aFz9FKVU+dWoNY9roAC8saTlOG+uLShUNpK6NiUnajc1pk/sS18TxXbLIThPZGm:3ml7TB0aTlOGBqdcxSKTNghPt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeDebugPrivilege	3048	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 1304 wrote to memory of 3048	1304	firefox.exe	83
PID 3048 wrote to memory of 3280	3048	firefox.exe	84
PID 3048 wrote to memory of 3280	3048	firefox.exe	84
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 2712	3048	firefox.exe	85
PID 3048 wrote to memory of 4264	3048	firefox.exe	86
PID 3048 wrote to memory of 4264	3048	firefox.exe	86
PID 3048 wrote to memory of 4264	3048	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\step1.html
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\step1.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.0.689840358\1126947676" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9819e96e-2565-4ffe-852c-b6610a4810d1} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 1932 25da1f19858 gpu
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.1.546725411\180026589" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {888374b1-9119-4caa-a207-5e65147da7b7} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 2440 25d93f6f558 socket
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.2.401264824\1433349487" -childID 1 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {555dd175-f210-412e-950d-181436a9cfc5} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 3496 25da4c31158 tab
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.3.249788673\10446236" -childID 2 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7945500-b173-4748-9af1-384f7ad09726} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4132 25da61b0558 tab
    3⤵
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.4.1240393832\542984870" -childID 3 -isForBrowser -prefsHandle 4960 -prefMapHandle 4952 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efa7b940-83d3-437e-b1ba-d18b8d925d4f} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4968 25da70d1c58 tab
    3⤵
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.6.1966590899\1965461458" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4ad917-8c3d-4981-b904-e38fc2c3d4da} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 5300 25da7a0b558 tab
    3⤵
    PID:1268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3048.5.1370613288\965543295" -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb0421d3-0a9a-445a-9ecb-60a05bcd6da4} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" 4992 25da7a0ac58 tab
    3⤵
    PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
bd99489d351145f32379fe16f3967177

SHA1
a81cbf341d1ec2ac984342abea2c59f819f6ff16

SHA256
a05a515386f571388d5a186f5d9da57cb9c0692d3ded7e110cdd83f5c705e0dd

SHA512
bce97d047279224eddcd3b69cc86c9e7836773b54e5353b80680830105875f60aaaf77fa198e8a48610c5900c4c199e90ff38b010775b85bd242550ea5a5164e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
07926a3c02d75ba7cfd7eded8b32abc0

SHA1
c83e3276a038213f5c7fd6c9619cd50a2b01bd4f

SHA256
d1a83600b13861fefc5b3e652d61d29874f04a34345b79c04557fa37ef2f44e2

SHA512
ce71b5922d1fd15c98d26f93b62b372510a19af823c94b1505e696db0ea8b5933ef604e1ae5b2d7a8d25f6d3cc19eb202d9ec09cb24c10009f49a0cf14098cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
4d54714cbde87e5abf0a813f8cec4388

SHA1
6ed37ab3063dc9c7af378d52bd515e2c81b0220d

SHA256
aa1618dfe38f6c6d41ee53816c071fa085c3f50504f9509517165aebb38c819c

SHA512
0649658cde05cd6e639d387f346f76e1b873da8fae8d8be8ec81b1159d3dc414b8ec20bce675048129ec1230a69cf12a8689b16e9555756c81802b85d0e4465a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
7KB

MD5
07aa92ed34706d83969cef78126190f9

SHA1
58bb03a8713fd42f391ef132816cb300733712c1

SHA256
4c80979516969a4cac3b2e7a90c2ff1372f0ea9cc2541d81c13a90ec8d0f495a

SHA512
135c5c216e5b270b2989cbca06a8a4b535aaeaa4534c9d051c799d86223994b93ec9b8fbbd0542c0c8d11f1f5a3108bf55c9b26269eca7350abdde1c8f8dcb9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js

Filesize
6KB

MD5
207077fed406e49d74fa19116d2712aa

SHA1
3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

SHA256
b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

SHA512
0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6920fd529d268407a345e8f9df3a7439

SHA1
a461ce06e369e3c6f9c42c23b9ef826239de491f

SHA256
bd94dd4f1ad4be776813a4158ea642d78a243b4f63f299583007d7a09b6a2143

SHA512
62c8d300b8aaa94434879282f3f110bd65d809985f4375fb5f76897c5836e50cee93f8bb9ebcf626c62543770803b3fa485726ab245572cd52a12e944b14f32f

Download Submit