Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2023 09:20

General

  • Target

    https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]

Score
1/10
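The 1/10 score describes only what Firefox did while rendering the page; a URL submission that produces no second-stage download will score low even when the page itself asks the visitor for credentials. The target is worth a static look on its own: the content lives behind an IPFS subdomain gateway (the first host label is the content identifier, `dweb.link` is only the relay) and the fragment carries an e-mail address, which the browser never sends to the server. The Python below is an added example, not part of the Triage report. The CID and path are the report's target; the address in the fragment is a constructed placeholder because the report shows the real one redacted, and the path-style `ipfs.io` URL in the test is hypothetical.

```python
"""Static triage of a submitted URL: gateway, IPFS CID, and any e-mail in the fragment.
Added example, not part of the Triage report.  The e-mail below is a constructed
placeholder; the report redacts the real one."""
import re
from urllib.parse import urlsplit

# The report's target, with a constructed address in place of the redacted one.
TARGET_URL = ("https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4"
              ".ipfs.dweb.link/ddoonnvpl.html#victim@example.com")

# CIDv1 in lower-case base32 (multibase prefix 'b') or a CIDv0 (base58, 'Qm' prefix).
CID_RE = re.compile(r"^(?:b[a-z2-7]{50,}|Qm[1-9A-HJ-NP-Za-km-z]{44})$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def extract_indicators(url):
    """Return the gateway host, the content identifier and any e-mail smuggled in the fragment."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    info = {"host": host, "path": parts.path, "ipfs_cid": None,
            "ipfs_gateway": None, "fragment_email": None, "notes": []}

    # Subdomain gateway form: https://<cid>.ipfs.<gateway>/...
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        info["ipfs_cid"] = labels[0]
        info["ipfs_gateway"] = ".".join(labels[2:])
    else:
        # Path gateway form: https://<gateway>/ipfs/<cid>/...
        segs = parts.path.split("/")
        if len(segs) >= 3 and segs[1] == "ipfs" and CID_RE.match(segs[2]):
            info["ipfs_cid"] = segs[2]
            info["ipfs_gateway"] = host
    if info["ipfs_cid"]:
        info["notes"].append("content is addressed by CID: the same page is reachable through "
                             "any public gateway, so block on the CID as well as the host")

    # Fragments are resolved client-side only, so this never appears in proxy or DNS logs.
    m = EMAIL_RE.search(parts.fragment)
    if m:
        info["fragment_email"] = m.group(0)
        info["notes"].append("e-mail address in the fragment: invisible to server-side logs; "
                             "commonly used by credential-phishing kits to pre-fill the login form")
    return info


if __name__ == "__main__":
    for key, value in extract_indicators(TARGET_URL).items():
        print(f"{key}: {value}")
```

Pivoting on the CID rather than the gateway host matters for blocking: the same `bafybeig…` content can be fetched through any public gateway, so a host-based block on `dweb.link` alone leaves the page reachable.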

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.721444818\540626723" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7406e82-f4f8-43d5-a543-340689ad39ac} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1916 174b63fcc58 gpu
        3⤵
          PID:316
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.1479228816\391343148" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1324a5-b9dc-47d5-bfed-7b5fcd800f9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2424 174a9577e58 socket
          3⤵
            PID:224
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.849751106\1204071053" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3052 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b87769a-0e0e-4aa3-92f2-07a17975ceb1} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2936 174ba1fbb58 tab
            3⤵
              PID:4560
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.291193630\1902996905" -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac974729-d1f5-446a-9645-8bc89fe38a08} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4024 174ba832e58 tab
              3⤵
                PID:1532
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.802571807\1184923392" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4908 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3390f8c0-db28-4320-8bda-9ab655a0a01b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4928 174bd110d58 tab
                3⤵
                  PID:4012
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.1974045527\1878639090" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e02d0270-bdd4-4417-8497-be975d0eea4e} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4932 174bd47b858 tab
                  3⤵
                    PID:3560
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.955623179\1302900830" -childID 5 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0222f7-3507-4571-bb24-63ecc6117f1d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5080 174bd47eb58 tab
                    3⤵
                      PID:3816
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.1687998393\1006881932" -childID 6 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d14ec47-db94-43ee-a5a3-de6ca26230ff} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3020 174bc8cfe58 tab
                      3⤵
                        PID:4264
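Every process in the tree is `firefox.exe`, and every child is a `-contentproc` launch whose channel name, positional parent argument and crash-reporter pipe all point back to PID 1704. That is the parent-to-child setup a sandboxed multi-process browser performs, which is why the WriteProcessMemory, SetWindowsHookEx and AdjustPrivilegeToken signatures attach to the parent rather than to anything the page dropped. The Python below is an added example, not part of the Triage report, that checks those relationships mechanically so the same tree can be triaged without reading each command line by hand. The three command lines are copied from the report (the GPU, socket and first tab process); the remaining tab processes have the same shape and are left out. The rule that every non-GPU child should carry `-win32kLockedDown` is taken from what this report shows, and the tampered child in the test is constructed.

```python
"""Consistency check over a Firefox process tree as reported by a sandbox.
Added example, not part of the Triage report.  Command lines copied from the report."""
import re
from collections import Counter

PARENT_PID = 1704
PARENT_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# (pid, command line) for three of the seven children in the report.
CHILDREN = [
    (316, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.721444818\540626723" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7406e82-f4f8-43d5-a543-340689ad39ac} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1916 174b63fcc58 gpu'),
    (224, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.1479228816\391343148" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1324a5-b9dc-47d5-bfed-7b5fcd800f9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2424 174a9577e58 socket'),
    (4560, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.849751106\1204071053" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3052 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b87769a-0e0e-4aa3-92f2-07a17975ceb1} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2936 174ba1fbb58 tab'),
]


def parse_contentproc(cmdline):
    """Pull the fields worth cross-checking out of a firefox.exe -contentproc command line."""
    def grab(pattern):
        m = re.search(pattern, cmdline)
        return m.group(1) if m else None

    return {
        "exe": grab(r'^"([^"]+)"'),
        "channel_parent": grab(r'--channel="(\d+)\.'),        # pid prefix of the IPC channel name
        "declared_parent": grab(r'\{[0-9a-f-]{36}\} (\d+) '),  # positional parent pid after the GUID
        "crash_pipe_parent": grab(r'gecko-crash-server-pipe\.(\d+)'),
        "build_id": grab(r'-parentBuildID (\d+)'),
        "win32k_lockdown": "-win32kLockedDown" in cmdline,
        "proc_type": cmdline.rsplit(" ", 1)[-1],              # last token: gpu / socket / tab
    }


def triage_tree(parent_pid, parent_exe, children):
    """Count child types and list anything that does not look like a child the parent launched."""
    counts = Counter()
    anomalies = []
    build_ids = set()
    for pid, cmd in children:
        f = parse_contentproc(cmd)
        counts[f["proc_type"]] += 1
        build_ids.add(f["build_id"])
        if (f["exe"] or "").lower() != parent_exe.lower():
            anomalies.append((pid, "child binary differs from parent"))
        for key in ("channel_parent", "declared_parent", "crash_pipe_parent"):
            if f[key] != str(parent_pid):
                anomalies.append((pid, f"{key} does not reference parent {parent_pid}"))
        # In this report only the GPU process runs without the win32k lockdown.
        if f["proc_type"] != "gpu" and not f["win32k_lockdown"]:
            anomalies.append((pid, "non-GPU content process without -win32kLockedDown"))
    if len(build_ids) > 1:
        anomalies.append((None, "children report different -parentBuildID values"))
    return {"counts": dict(counts), "anomalies": anomalies}


if __name__ == "__main__":
    print(triage_tree(PARENT_PID, PARENT_EXE, CHILDREN))
```

A child launched from a different path (a copied `firefox.exe` under a user-writable directory, for instance) or one whose channel and pipe names point at a different PID would be listed under `anomalies`; for this report the list is empty.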

Network

MITRE ATT&CK Enterprise v6
Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 150KB
    MD5: c8d9b8cceb44db88642dc9c5b06bf92c
    SHA1: 1b135e795f053f7716e340cb4dac4a42bc146a55
    SHA256: 6d80650836052c40f97544f32056a87d1d34ac040537b84c8c5c0104995f1436
    SHA512: 319fb0e17d014f8fb0c38c419a08036c346b2394bfdd02b6b6f9205cd2eb910b74fbdc6670e1e4a7351c1b1be1207532fe3be30c96a40dc524374deb8bc017dd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 379c9429758466a324fbbaa9b4d18d0e
    SHA1: 2a43f5dcaf3abd14ecf1c24b43c450afe5db179c
    SHA256: b5cd3b66713a6082e218dfba592745cde63e86159ee9af57dee831c086c04b5d
    SHA512: 0df2e9f1590524674a1403d4ab3ccc67eb3a74127560dc17530aa4d571332702607d1d90086a4e79b5ba01dc557999ab74c667c5a98bfaa5e6ce071b2d183b54

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
    Filesize: 6KB
    MD5: f95a8a4d013c3c50d475b50229203dbb
    SHA1: b931bcb44b6b864ca74a4e273eea031d05b8b729
    SHA256: 343961cb2f22f94f5835acb5af7731e7d18e8080bc9034818ebf54e60b1439ae
    SHA512: 3b2c204c35af9f6c990c8e62e31b8e507b3b54541198d1ea13b5de241d6909bee2714972efb7cd038d54b8d83230683323dd4c75591f796877b847c752a76413

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 1076ec9c7ddc00ffbc5ad1ad87c1a1c0
    SHA1: 065ebf8a25bd373ae7afb6aac10833aa447bbb70
    SHA256: 2c94fc0712fed08e08383cf05d46f503ad6721ab3852f216050e3b7697e7ca9c
    SHA512: 6be71bd5d3c44a962e93dd35b5aaa5b354bc6508dfa9d076453d57d4f8d16fcfa3bdded51d97f3071dde5961d93666c228210760f54c9fda480b260fceb4b181

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
    Filesize: 6KB
    MD5: 1984b45f201f1fd79d2154406648433b
    SHA1: 42f082dc6d4d43333688690bf4dfa7c7f8b618ab
    SHA256: 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9
    SHA512: e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: eaec8a2ccaaf77ab9864e5a50a24ae4e
    SHA1: 63fc99df2412ebc5e79c0def932dcf873c3fdc3d
    SHA256: 1cdfdd7c89485b3f50a81d1d21e6fde814bffbeb87bd0dfd931e9d418258c96c
    SHA512: f7f679ec6fd0d51870cefcff56b23380e8e81ef0fe2075eae1faacbcc6f49510e74aad50ed8725fae98e58befa7b74d50582febdb4d1671bdd0ac470e2b77862

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 7KB
    MD5: 68151522bc0fc10d7cc891ecd1d27527
    SHA1: 82ea80fd0fde578d14024a2bd2cdd4beada987b6
    SHA256: 285df67653b3325c4c58aa67548c632039b9da2efa77736a3b09aa10088b2861
    SHA512: d84b637f9b8a3b72365a57c2b2e94023ca4a7605f15e678d8014473d5b50d773738465380242798e23d221909a539e4ceec9f7ca90686f083fe01974db856f3a
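Everything under Downloads is a file Firefox writes into its own profile (`prefs.js`, the discovery-stream cache, the session store), not a payload dropped by the page. The one worth pulling from the sandbox is `recovery.jsonlz4`: it is Firefox's session store in the `mozlz4` container (8-byte magic `mozLz40\0`, 4-byte little-endian decompressed size, then a single raw LZ4 block), and its JSON records every URL the tabs navigated to, so it shows where the page sent the browser after the submitted URL loaded. The Python below is an added example, not part of the Triage report. It decodes the container with a small pure-Python LZ4 block decoder so no third-party module is needed, and because the report gives only hashes for the real file, the compressed sample is constructed by hand (one literal run, one overlapping match, one closing literal).

```python
"""Decode a Firefox sessionstore file (recovery.jsonlz4) and list the URLs it records.
Added example, not part of the Triage report; the sample blob is constructed by hand."""
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"
MAX_DECOMPRESSED = 64 * 1024 * 1024  # refuse absurd declared sizes before allocating anything


def _read_length(src, i, base):
    """LZ4 length field: a nibble of 15 means more bytes follow, each adding to the total."""
    if base == 15:
        while True:
            if i >= len(src):
                raise ValueError("truncated length field")
            b = src[i]
            i += 1
            base += b
            if b != 255:
                break
    return base, i


def lz4_block_decompress(src, expected_size):
    """Decode one raw LZ4 block, refusing to grow past the size the container declared."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len, i = _read_length(src, i, token >> 4)
        if i + lit_len > n:
            raise ValueError("truncated literals")
        out += src[i:i + lit_len]
        i += lit_len
        if len(out) > expected_size:
            raise ValueError("output exceeds declared size")
        if i >= n:            # the final sequence carries literals only
            break
        if i + 2 > n:
            raise ValueError("truncated match offset")
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset points outside the output")
        match_len, i = _read_length(src, i, token & 0x0F)
        match_len += 4        # LZ4 minimum match length
        if len(out) + match_len > expected_size:
            raise ValueError("output exceeds declared size")
        start = len(out) - offset
        for k in range(match_len):           # byte-wise copy handles overlapping matches
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError("decompressed size does not match header")
    return bytes(out)


def read_mozlz4(blob):
    """Strip the mozlz4 header and return the decompressed JSON bytes."""
    if blob[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack("<I", blob[8:12])
    if size > MAX_DECOMPRESSED:
        raise ValueError("declared size too large")
    return lz4_block_decompress(blob[12:], size)


def session_urls(blob):
    """Every history entry URL in the session store, open and closed windows alike."""
    state = json.loads(read_mozlz4(blob))
    urls = []
    for window in state.get("windows", []) + state.get("_closedWindows", []):
        for tab in window.get("tabs", []):
            for entry in tab.get("entries", []):
                if "url" in entry:
                    urls.append(entry["url"])
    return urls


# Constructed sample: one window, one tab, one history entry.  Encoded as a literal run,
# a 4-byte match at offset 2 that reproduces the repeated "}]" closers, and a final
# literal-only sequence, which is how a real LZ4 block must end.
SAMPLE_LITERALS = b'{"windows":[{"tabs":[{"entries":[{"url":"https://a.test/"}]'
SAMPLE_PLAINTEXT = SAMPLE_LITERALS + b"}]}]" + b"}"
SAMPLE_RECOVERY_JSONLZ4 = (
    MOZLZ4_MAGIC + struct.pack("<I", len(SAMPLE_PLAINTEXT))
    + bytes([0xF0, len(SAMPLE_LITERALS) - 15])  # token: literals 15+ext, match 0+4
    + SAMPLE_LITERALS
    + b"\x02\x00"                                # match offset 2 -> "}]}]"
    + b"\x10}"                                   # last sequence: one literal, no match
)

if __name__ == "__main__":
    print(session_urls(SAMPLE_RECOVERY_JSONLZ4))
```

On a real capture, pass the bytes of `recovery.jsonlz4` to `session_urls`; the `expected_size` checks matter there because the declared size comes from the file and an attacker-controlled session store should not be able to make the decoder allocate without bound.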