Analysis

max time kernel: 45s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2023 09:20

URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
Resource: win10v2004-20230220-en

General

Target: https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
Malware Config

Signatures

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
All five reads are attributed to firefox.exe, the browser the sandbox launched to open the target URL; no other image appears anywhere in this report.

  description        ioc                                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe

Modifies registry class (1 IoC)

  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings  firefox.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description              pid   process
  Token: SeDebugPrivilege  1704  firefox.exe
  Token: SeDebugPrivilege  1704  firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)

  pid   process      entries
  1704  firefox.exe  4

Suspicious use of SendNotifyMessage (3 IoCs)

  pid   process      entries
  1704  firefox.exe  3

Suspicious use of SetWindowsHookEx (7 IoCs)

  pid   process      entries
  1704  firefox.exe  7

Suspicious use of WriteProcessMemory (64 IoCs)
The 64 rows collapse to four source/destination pairs. The procid_target column (83-86) does not hold PIDs; the PID of each target is in the description.

  description                       pid   process      procid_target  entries
  PID 2232 wrote to memory of 1704  2232  firefox.exe  83             11
  PID 1704 wrote to memory of 316   1704  firefox.exe  84             2
  PID 1704 wrote to memory of 224   1704  firefox.exe  85             48
  PID 1704 wrote to memory of 4560  1704  firefox.exe  86             3

Every destination (1704, 316, 224, 4560) is listed in the process tree below as a firefox.exe process started by the writing process, so each write goes from a firefox.exe parent into a firefox.exe process it created; the report contains no write into a process outside the browser's own tree.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
No process or IoC rows are recorded for this signature.
Processes

Indentation shows the depth in the process tree (the report's 1⤵/2⤵/3⤵ markers). The last token of each -contentproc command line (gpu, socket, tab) is the Firefox content-process type.

1  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2232)
   "C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
   - Suspicious use of WriteProcessMemory

   2  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1704)
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 316, gpu)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.721444818\540626723" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7406e82-f4f8-43d5-a543-340689ad39ac} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1916 174b63fcc58 gpu

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 224, socket)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.1479228816\391343148" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1324a5-b9dc-47d5-bfed-7b5fcd800f9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2424 174a9577e58 socket

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4560, tab, childID 1)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.849751106\1204071053" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3052 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b87769a-0e0e-4aa3-92f2-07a17975ceb1} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2936 174ba1fbb58 tab

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1532, tab, childID 2)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.291193630\1902996905" -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac974729-d1f5-446a-9645-8bc89fe38a08} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4024 174ba832e58 tab

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4012, tab, childID 3)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.802571807\1184923392" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4908 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3390f8c0-db28-4320-8bda-9ab655a0a01b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4928 174bd110d58 tab

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3560, tab, childID 4)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.1974045527\1878639090" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e02d0270-bdd4-4417-8497-be975d0eea4e} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4932 174bd47b858 tab

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3816, tab, childID 5)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.955623179\1302900830" -childID 5 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0222f7-3507-4571-bb24-63ecc6117f1d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5080 174bd47eb58 tab

      3  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4264, tab, childID 6)
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.1687998393\1006881932" -childID 6 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d14ec47-db94-43ee-a5a3-de6ca26230ff} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3020 174bc8cfe58 tab
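Joining the WriteProcessMemory signature rows with the process tree above is the quickest way to decide whether the 64 entries need a closer look. The script below is an added triage example, not part of the report: it parses rows in the report's own flattened text form (tolerating the line break the report has in one row), collapses them per source/destination pair, and labels a pair as the browser's own child when the destination's parent in the tree is the writer and both run the same image; anything else is returned for review. The rows and tree entries are copied from this report (a subset of the 64 rows, and the role is the last token of each -contentproc command line); the row targeting PID 9999 is a constructed negative case and is not something the report recorded.

```python
"""Collapse the report's WriteProcessMemory rows per (source, destination) pair and
check each destination against the process tree.

Added triage example, not part of the sandbox report.  ROWS_TEXT is a subset of
the report's 64 rows in the report's own flattened form; TREE is copied from the
report's process list.  SYNTHETIC_INJECTION_ROW is constructed for illustration
and is NOT from the report."""
import re
from collections import Counter

# One flattened row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote\s+to\s+memory\s+of\s+(?P<dst>\d+)\s+(?P=src)\s+"
    r"(?P<image>\S+)\s+(?P<target>\d+)"
)

ROWS_TEXT = (
    "PID 2232 wrote to memory of 1704 2232 firefox.exe 83 "
    "PID 2232 wrote to memory of 1704 2232 firefox.exe 83 "
    "PID 1704 wrote to memory of 316 1704 firefox.exe 84 "
    "PID 1704 wrote to memory of 224 1704 firefox.exe 85 "
    "PID 1704 wrote to memory\nof 224 1704 firefox.exe 85 "   # line break as in the report
    "PID 1704 wrote to memory of 224 1704 firefox.exe 85 "
    "PID 1704 wrote to memory of 4560 1704 firefox.exe 86"
)

# Constructed negative case (not in the report): a write into a PID the tree does not list.
SYNTHETIC_INJECTION_ROW = "PID 1704 wrote to memory of 9999 1704 firefox.exe 90"

# pid -> (parent pid, image, content-process role or None for the browser processes)
TREE = {
    2232: (None, "firefox.exe", None),
    1704: (2232, "firefox.exe", None),
    316:  (1704, "firefox.exe", "gpu"),
    224:  (1704, "firefox.exe", "socket"),
    4560: (1704, "firefox.exe", "tab"),
}


def parse_rows(text):
    """Return (src, dst, image, procid_target) tuples for every row found in text."""
    return [(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
            for m in ROW.finditer(text)]


def aggregate(rows):
    """Count rows per (src, dst) pair."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def classify(rows, tree):
    """Label each pair.  'own child': dst's parent in the tree is src and both run the
    same image (what a multi-process browser does at start-up).  Anything else is
    returned for analyst review.  This is a heuristic: a parent can also inject
    into a child, so 'own child' lowers priority rather than clearing the row."""
    out = {}
    for (src, dst), n in aggregate(rows).items():
        if dst not in tree:
            out[(src, dst)] = (n, "target not in process tree", None)
            continue
        parent, image, role = tree[dst]
        src_image = tree.get(src, (None, None, None))[1]
        label = "own child" if (parent == src and image == src_image) else "cross-process"
        out[(src, dst)] = (n, label, role)
    return out


if __name__ == "__main__":
    for (src, dst), (n, label, role) in classify(parse_rows(ROWS_TEXT), TREE).items():
        print(f"{src} -> {dst}: {n} writes, {label}, role={role}")
```

Run against the report's rows every pair comes back as the browser writing into a content process it started; the constructed 9999 row shows what a write into an unlisted process looks like, which is the case that would justify pulling the memory of the target.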
Network
MITRE ATT&CK Enterprise v6
Downloads

All entries are Firefox profile files written during the run (the activity-stream cache and session-store backups); the report lists no file fetched from the target URL. Two of the entries have no path in the report, and two different versions of recovery.jsonlz4 were captured.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 150KB
  MD5:    c8d9b8cceb44db88642dc9c5b06bf92c
  SHA1:   1b135e795f053f7716e340cb4dac4a42bc146a55
  SHA256: 6d80650836052c40f97544f32056a87d1d34ac040537b84c8c5c0104995f1436
  SHA512: 319fb0e17d014f8fb0c38c419a08036c346b2394bfdd02b6b6f9205cd2eb910b74fbdc6670e1e4a7351c1b1be1207532fe3be30c96a40dc524374deb8bc017dd

(path not shown in the report)
  Filesize: 6KB
  MD5:    379c9429758466a324fbbaa9b4d18d0e
  SHA1:   2a43f5dcaf3abd14ecf1c24b43c450afe5db179c
  SHA256: b5cd3b66713a6082e218dfba592745cde63e86159ee9af57dee831c086c04b5d
  SHA512: 0df2e9f1590524674a1403d4ab3ccc67eb3a74127560dc17530aa4d571332702607d1d90086a4e79b5ba01dc557999ab74c667c5a98bfaa5e6ce071b2d183b54

(path not shown in the report)
  Filesize: 6KB
  MD5:    f95a8a4d013c3c50d475b50229203dbb
  SHA1:   b931bcb44b6b864ca74a4e273eea031d05b8b729
  SHA256: 343961cb2f22f94f5835acb5af7731e7d18e8080bc9034818ebf54e60b1439ae
  SHA512: 3b2c204c35af9f6c990c8e62e31b8e507b3b54541198d1ea13b5de241d6909bee2714972efb7cd038d54b8d83230683323dd4c75591f796877b847c752a76413

(path not shown in the report)
  Filesize: 7KB
  MD5:    1076ec9c7ddc00ffbc5ad1ad87c1a1c0
  SHA1:   065ebf8a25bd373ae7afb6aac10833aa447bbb70
  SHA256: 2c94fc0712fed08e08383cf05d46f503ad6721ab3852f216050e3b7697e7ca9c
  SHA512: 6be71bd5d3c44a962e93dd35b5aaa5b354bc6508dfa9d076453d57d4f8d16fcfa3bdded51d97f3071dde5961d93666c228210760f54c9fda480b260fceb4b181

(path not shown in the report)
  Filesize: 6KB
  MD5:    1984b45f201f1fd79d2154406648433b
  SHA1:   42f082dc6d4d43333688690bf4dfa7c7f8b618ab
  SHA256: 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9
  SHA512: e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:    eaec8a2ccaaf77ab9864e5a50a24ae4e
  SHA1:   63fc99df2412ebc5e79c0def932dcf873c3fdc3d
  SHA256: 1cdfdd7c89485b3f50a81d1d21e6fde814bffbeb87bd0dfd931e9d418258c96c
  SHA512: f7f679ec6fd0d51870cefcff56b23380e8e81ef0fe2075eae1faacbcc6f49510e74aad50ed8725fae98e58befa7b74d50582febdb4d1671bdd0ac470e2b77862

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 7KB
  MD5:    68151522bc0fc10d7cc891ecd1d27527
  SHA1:   82ea80fd0fde578d14024a2bd2cdd4beada987b6
  SHA256: 285df67653b3325c4c58aa67548c632039b9da2efa77736a3b09aa10088b2861
  SHA512: d84b637f9b8a3b72365a57c2b2e94023ca4a7605f15e678d8014473d5b50d773738465380242798e23d221909a539e4ceec9f7ca90686f083fe01974db856f3a