Resubmissions

  • 30/05/2023, 20:13
    230530-yzdk1abh7t 1
  • 30/05/2023, 20:11
    230530-yylj8abe86 6

Analysis

  • max time kernel
    75s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    30/05/2023, 20:13

General

  • Target

    http://www.mercaplan.com/

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.mercaplan.com/
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.mercaplan.com/
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.0.1959692443\471190898" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {713753bd-86b0-49d2-9fc1-0b0111c25356} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 1916 20182bdf958 gpu
        3⤵
          PID:4192
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.1.1230387484\2124631947" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fea0b111-6935-483f-8d92-425e2de2a52f} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2424 20182b06b58 socket
          3⤵
            PID:1452
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.2.1124171828\809968149" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2816 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {028b7a4d-220a-4f27-bf3a-1cc482178f71} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3036 201869ee758 tab
            3⤵
              PID:4688
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.3.229554942\1608908929" -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f6d098-55eb-48e2-9282-0a865762bd8f} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4048 20187fdd058 tab
              3⤵
                PID:3876
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.4.149095843\1259510887" -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 4172 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a836ab79-3b3d-44ca-bda6-e872985671fd} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4684 20187a2e458 tab
                3⤵
                  PID:4036
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.5.1834406886\2073773582" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {059ec929-f454-4be3-bbc4-610a2355820e} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4620 2018904bc58 tab
                  3⤵
                    PID:4792
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.6.1706524133\1521197970" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 1660 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec9c1170-c799-4639-97e5-ab2d12571ad1} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5108 2018913c858 tab
                    3⤵
                      PID:2708
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.7.350656377\191380428" -childID 6 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd4be2c-477e-4b13-93bf-89d5b5270474} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3168 2018982c058 tab
                      3⤵
                        PID:528
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.9.333680821\67216212" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5808 -prefMapHandle 5084 -prefsLen 26578 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3262aee-ecc2-43ce-8c4b-2ed3ac5599f9} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5248 2018a4dc358 utility
                        3⤵
                          PID:2912
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.8.738348520\119095497" -parentBuildID 20221007134813 -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 26578 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {959a866f-c6bc-48de-8f65-15fc57a97834} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4520 2018a4dd858 rdd
                          3⤵
                            PID:3680

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 141KB
    MD5: 20832ce759ef24369d16575ac3c34f52
    SHA1: 9c0cf8fef3c0460cf64023c76c263e0d8f99e17d
    SHA256: d507ccc8c142ed88899da5c737e1f3dd624689f691813f1eeebec09944221df9
    SHA512: 5efe9a05c683c75f5d8304825ec75c03e7136ad3665cf6b0c7a661c9aa065145cedc960e2d5fe5bc24be34e90686490fd405f8f646d43bd0abf60e0514657795

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 524d14bc010219c82ec64b6b79e74d21
    SHA1: f94c8f1ea70677c779020644d76919badc47fc58
    SHA256: acbee5b1db8a8ebde3c5a82dcf7475715fabdcfc152411d3403cdd6e94f9aaf1
    SHA512: 8aebefec0a932985fb2e01414b0a02af7ec7b014e15be148c3f982a8b5f3a6fee22127299c2a2b64923acdc7f7519d0f0cb94d1d39019b277f07e013fce912fa

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize: 6KB
    MD5: b0640476cc275779393c53b274f0b803
    SHA1: 68a2b786d8af06f606d65325009c9d06c45659fa
    SHA256: 95b50c6b7df261e89509771ed93580a31b68818f487d180ba3297d1e00998d6c
    SHA512: c5dab62cb14dc69a24f2cd7fdb5f1a901a97d167068d57bc929579e5485b2476ac6531fc3b7341c8fa7fbcdd988164d89b475beb86964ce772a673e0db321241

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize: 7KB
    MD5: a485ef7bacac6c0698cc0bd3bc36f14c
    SHA1: 7a9c07d3984f373964d6a35a3a7b3ff556041dd1
    SHA256: 95f3f12a9d85d05f97e77a827740c48e43a0bc215a9c542e533dacf28dd82163
    SHA512: ad8ff3e0dc11cb46e900746ccfb01730e67782dbdec9576767130281e36265016ee668af1a1a887617d4254fdffe59a4f436fd148fd2e72be9292a9e6c7c9bc2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 45a351c060bc4b337d3d7748308856d9
    SHA1: 110a45406edf5742feba58ac1463e969751ac3d7
    SHA256: e7004ca2ba1ab5a2bc51dfd8a256493f3e966f652706bef70ce2aa19ae7659eb
    SHA512: 08118b90f7342f25e3b24b651384304649b9a3a8260b71ddd9957e9e0aaff2cd2a161aeff83f2590be59eca713b6befa1b8013fb88295a1657bb687ecc2e67a8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
    Filesize: 6KB
    MD5: 2ca68eec3c1fdbaa1ae996ee759fc3c8
    SHA1: 54363409a7393613ff528d0488d1cc16796ef2d8
    SHA256: 4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a
    SHA512: e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 2KB
    MD5: 2e276139a5168d1b9b7f8e28ab1e3f10
    SHA1: cc998c3882c7792d0d3d3c92525fba8bb2edd25b
    SHA256: 707acbc584524a4d516a9953cd861be32e8ad817c2d6c5f906e8624b64e11c09
    SHA512: 1ed387237de53757e9213b816b060dac4ab2b1065a08ced849bbdfd6c30db58885d6811613ccd46a18fc2bac2b2ef7ecf69c6ea1e63752b4be467024d4f49194

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 2KB
    MD5: 80b8f7adaa0739e21eb6280774e7d5fa
    SHA1: f97d5a91b4d97d6dfef5bf59280e7bb24c9bfb1c
    SHA256: 533212f5469e7af9ca43058f27670c4030763218e62e10f9efa5a028633ad7ee
    SHA512: 8e508bdb1a22dd43e83a86a70b8564a03d3593395999290baa230fd2d0846ab26e2c5f67e8312b256f6a05a58c5333b0d9717a715743a3b0d103c5eff5bd4417