Overview

overview

1

Static

static

1

URLScan

urlscan

1

http://netlify.app

windows7-x64

1

Analysis

  • max time kernel
    105s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2023, 11:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    http://netlify.app

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://netlify.app
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://netlify.app
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.0.782844637\177644034" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac320b00-b173-4d2e-8e64-218cd4eefd3c} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1268 143a7858 gpu
        3⤵
          PID:1684
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.1.2094324071\1941935414" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1250871b-8e66-4873-918e-99db91a38d53} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1472 412c258 socket
          3⤵
            PID:1016
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.2.46684672\713841412" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2044 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a71e816a-276b-434c-a3a7-e5e187d8c24b} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2036 1a8ea758 tab
            3⤵
              PID:2032
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.3.1535673389\655236530" -childID 2 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0665a73a-1a8c-4fb7-869f-da8efda62c0f} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2788 e5e558 tab
              3⤵
                PID:1104
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.4.525822131\114982106" -childID 3 -isForBrowser -prefsHandle 3244 -prefMapHandle 3256 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ea8b1d9-ea13-4ae1-9a5f-13c73cd3b304} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3104 1bf5fb58 tab
                3⤵
                  PID:2348
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.5.1986762407\503788150" -childID 4 -isForBrowser -prefsHandle 3356 -prefMapHandle 3384 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3210780d-f297-43e1-a60c-d6184f440398} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3320 1dae0058 tab
                  3⤵
                    PID:2364
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.6.1555138140\1329242026" -childID 5 -isForBrowser -prefsHandle 3684 -prefMapHandle 3688 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 908 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e8c85f1-6ee3-4e9c-8a2e-bbe58df3ba14} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3668 1dae0358 tab
                    3⤵
                      PID:2440
                • C:\Windows\eHome\ehshell.exe
                  "C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\CheckpointStart.DVR"
                  1⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2004

                Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzjlrayv.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        143KB

                        MD5

                        56c548de4ee084ddebefdf6f40a2e9cd

                        SHA1

                        2a34f64c1a561df0355138156e9fd1ec38bcae00

                        SHA256

                        b5ff04974238f769cefa86d39b4ec4bd666844a078c28383bd0c8de292e147e2

                        SHA512

                        c5912f599ddf28c7aff96360fd52f2b87bfc86bbfb7f4a8f9a6fc7263812fa673c76bc375ab2f00ae532800721149d4a856b78e514b2662f6534c7c270fd5ec8

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        26b09660b11450d3ead4bc6a2a4d0077

                        SHA1

                        d69e65efae83a24184703949b308de45d0217880

                        SHA256

                        633729ab3e06b4e256b80cf5d77d5d51fff9e509e35bfa2d3fa44eabd76b7ef2

                        SHA512

                        fbca4293de0bc263568762c6f19ad31fd57c0538060f8a4370a472e3fc6a9544468267ebd7c1e74b1ff18e98e33f633e1198220c7c6a5d88f07fda16dd15e377

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        933B

                        MD5

                        afc2ebfeb37f386ddb6ecd9be12d0fa8

                        SHA1

                        9db604d22fa99b672cebf90be0ff76f7fe43fde8

                        SHA256

                        2750b09bf413d8b68073d55d62d41cd306dc851739b4814e26f9dd7f157119e6

                        SHA512

                        9e4b91cf4a1c0fffeb30d6cf2bc422138a5172178c7337c2ae281f03b8e9515e6a3ba6f86e9f23c79575d6eeac9d622c550ed8a102ab2e69f4d2d5fa1460883b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        e9c24ab05c7c49ec99d47b02eb2f8b23

                        SHA1

                        ae45e04cfff8af51496377ab4b39e347a6743de6

                        SHA256

                        873581a6a03daa2417718fb3c51e5ac59bc4e62896cc51ee0af47a47f370c30e

                        SHA512

                        5d7266c2ed1780eb3703a2ad80a37a75a0a997fa0f9660b566d58139c772efd03a2008556734724a7cdd2eb344435a5136aaa55027eb8fbcff44a830cf6f091a

                        Download Submit

                      • memory/2004-153-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-130-0x000000001E2E0000-0x000000001E464000-memory.dmp

                        Filesize

                        1.5MB

                        Download

                      • memory/2004-133-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-138-0x000000001ADE0000-0x000000001ADE1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2004-62-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-127-0x000000001DCD0000-0x000000001E2D8000-memory.dmp

                        Filesize

                        6.0MB

                        Download

                      • memory/2004-169-0x000000001D400000-0x000000001D49E000-memory.dmp

                        Filesize

                        632KB

                        Download

                      • memory/2004-172-0x000000001EAB0000-0x000000001EB68000-memory.dmp

                        Filesize

                        736KB

                        Download

                      • memory/2004-173-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-181-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-189-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download

                      • memory/2004-197-0x000000001C840000-0x000000001C877000-memory.dmp

                        Filesize

                        220KB

                        Download

                      • memory/2004-119-0x0000000002290000-0x0000000002310000-memory.dmp

                        Filesize

                        512KB

                        Download