Analysis Overview
Threat Level: Known bad
The file https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected] was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-17 09:20
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-17 09:20
Reported
2023-05-17 09:21
Platform
win10v2004-20230220-en
Max time kernel
45s
Max time network
48s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link/ddoonnvpl.html#[email protected]
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.721444818\540626723" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7406e82-f4f8-43d5-a543-340689ad39ac} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1916 174b63fcc58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.1479228816\391343148" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1324a5-b9dc-47d5-bfed-7b5fcd800f9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2424 174a9577e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.849751106\1204071053" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3052 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b87769a-0e0e-4aa3-92f2-07a17975ceb1} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2936 174ba1fbb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.291193630\1902996905" -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac974729-d1f5-446a-9645-8bc89fe38a08} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4024 174ba832e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.802571807\1184923392" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4908 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3390f8c0-db28-4320-8bda-9ab655a0a01b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4928 174bd110d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.1974045527\1878639090" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5040 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e02d0270-bdd4-4417-8497-be975d0eea4e} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4932 174bd47b858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.955623179\1302900830" -childID 5 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0222f7-3507-4571-bb24-63ecc6117f1d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5080 174bd47eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.1687998393\1006881932" -childID 6 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d14ec47-db94-43ee-a5a3-de6ca26230ff} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3020 174bc8cfe58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:49746 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:49757 | | tcp |
| US | 8.8.8.8:53 | bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link | udp |
| US | 209.94.90.1:443 | bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | bafybeig7mxs5e3ond7rnzglxgcrctzlr2uibrvxicray7cieg5fpvngjo4.ipfs.dweb.link | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 52.88.229.135:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | 1.90.94.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.100.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.65.117.34.in-addr.arpa | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 135.229.88.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | aquadream.rs | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| NL | 172.217.168.202:443 | ajax.googleapis.com | tcp |
| US | 104.18.10.207:443 | stackpath.bootstrapcdn.com | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | stackpath.bootstrapcdn.com | udp |
| RS | 185.102.77.43:443 | aquadream.rs | tcp |
| RS | 185.102.77.43:443 | aquadream.rs | tcp |
| US | 8.8.8.8:53 | aquadream.rs | udp |
| US | 8.8.8.8:53 | aquadream.rs | udp |
| US | 104.18.10.207:443 | stackpath.bootstrapcdn.com | udp |
| NL | 172.217.168.202:443 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | logo.clearbit.com | udp |
| US | 8.8.8.8:53 | image.thum.io | udp |
| NL | 52.222.139.117:443 | logo.clearbit.com | tcp |
| US | 8.8.8.8:53 | d26p066pn2w0s0.cloudfront.net | udp |
| NL | 13.227.219.108:443 | image.thum.io | tcp |
| US | 8.8.8.8:53 | image.thum.io | udp |
| US | 8.8.8.8:53 | d26p066pn2w0s0.cloudfront.net | udp |
| US | 8.8.8.8:53 | image.thum.io | udp |
| US | 8.8.8.8:53 | 207.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.77.102.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.139.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.219.227.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| FR | 23.72.248.219:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 219.248.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RS | 185.102.77.43:443 | aquadream.rs | tcp |
| US | 8.8.8.8:53 | aquadream.rs | udp |
| US | 40.125.122.176:443 | | tcp |
| US | 8.8.8.8:53 | aquadream.rs | udp |
| RS | 185.102.77.43:443 | aquadream.rs | tcp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 209.94.90.1:443 | ipfs.io | tcp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 8.8.8.8:53 | orlmilicevic.rs | udp |
| RS | 195.252.110.174:443 | orlmilicevic.rs | tcp |
| US | 8.8.8.8:53 | orlmilicevic.rs | udp |
| US | 8.8.8.8:53 | ipfs.tech | udp |
| US | 8.8.8.8:53 | orlmilicevic.rs | udp |
| US | 8.8.8.8:53 | ipfs.tech | udp |
| NL | 84.17.46.53:443 | ipfs.tech | tcp |
| US | 8.8.8.8:53 | ipfs.tech | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | 174.110.252.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.46.17.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
| MD5 | 1984b45f201f1fd79d2154406648433b |
| SHA1 | 42f082dc6d4d43333688690bf4dfa7c7f8b618ab |
| SHA256 | 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9 |
| SHA512 | e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c8d9b8cceb44db88642dc9c5b06bf92c |
| SHA1 | 1b135e795f053f7716e340cb4dac4a42bc146a55 |
| SHA256 | 6d80650836052c40f97544f32056a87d1d34ac040537b84c8c5c0104995f1436 |
| SHA512 | 319fb0e17d014f8fb0c38c419a08036c346b2394bfdd02b6b6f9205cd2eb910b74fbdc6670e1e4a7351c1b1be1207532fe3be30c96a40dc524374deb8bc017dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | 379c9429758466a324fbbaa9b4d18d0e |
| SHA1 | 2a43f5dcaf3abd14ecf1c24b43c450afe5db179c |
| SHA256 | b5cd3b66713a6082e218dfba592745cde63e86159ee9af57dee831c086c04b5d |
| SHA512 | 0df2e9f1590524674a1403d4ab3ccc67eb3a74127560dc17530aa4d571332702607d1d90086a4e79b5ba01dc557999ab74c667c5a98bfaa5e6ce071b2d183b54 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | eaec8a2ccaaf77ab9864e5a50a24ae4e |
| SHA1 | 63fc99df2412ebc5e79c0def932dcf873c3fdc3d |
| SHA256 | 1cdfdd7c89485b3f50a81d1d21e6fde814bffbeb87bd0dfd931e9d418258c96c |
| SHA512 | f7f679ec6fd0d51870cefcff56b23380e8e81ef0fe2075eae1faacbcc6f49510e74aad50ed8725fae98e58befa7b74d50582febdb4d1671bdd0ac470e2b77862 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | f95a8a4d013c3c50d475b50229203dbb |
| SHA1 | b931bcb44b6b864ca74a4e273eea031d05b8b729 |
| SHA256 | 343961cb2f22f94f5835acb5af7731e7d18e8080bc9034818ebf54e60b1439ae |
| SHA512 | 3b2c204c35af9f6c990c8e62e31b8e507b3b54541198d1ea13b5de241d6909bee2714972efb7cd038d54b8d83230683323dd4c75591f796877b847c752a76413 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | 1076ec9c7ddc00ffbc5ad1ad87c1a1c0 |
| SHA1 | 065ebf8a25bd373ae7afb6aac10833aa447bbb70 |
| SHA256 | 2c94fc0712fed08e08383cf05d46f503ad6721ab3852f216050e3b7697e7ca9c |
| SHA512 | 6be71bd5d3c44a962e93dd35b5aaa5b354bc6508dfa9d076453d57d4f8d16fcfa3bdded51d97f3071dde5961d93666c228210760f54c9fda480b260fceb4b181 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 68151522bc0fc10d7cc891ecd1d27527 |
| SHA1 | 82ea80fd0fde578d14024a2bd2cdd4beada987b6 |
| SHA256 | 285df67653b3325c4c58aa67548c632039b9da2efa77736a3b09aa10088b2861 |
| SHA512 | d84b637f9b8a3b72365a57c2b2e94023ca4a7605f15e678d8014473d5b50d773738465380242798e23d221909a539e4ceec9f7ca90686f083fe01974db856f3a |