Analysis

max time kernel: 17s
max time network: 20s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2023 09:43

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck
Resource: win10v2004-20230220-en

General

Target: https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck

Malware Config

Signatures
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.

description       | ioc                                                                                | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  | firefox.exe

Modifies registry class (1 IoC)

description | ioc                                                                                  | Process
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings  | firefox.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description             | pid  | Process
Token: SeDebugPrivilege | 4388 | firefox.exe
Token: SeDebugPrivilege | 4388 | firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)

pid  | Process
4388 | firefox.exe
4388 | firefox.exe
4388 | firefox.exe
4388 | firefox.exe

Suspicious use of SendNotifyMessage (3 IoCs)

pid  | Process
4388 | firefox.exe
4388 | firefox.exe
4388 | firefox.exe

Suspicious use of SetWindowsHookEx (1 IoC)

pid  | Process
4388 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in last column)

description                        | pid  | Process     | procid_target | count
PID 3576 wrote to memory of 4388   | 3576 | firefox.exe | 84            | 11
PID 4388 wrote to memory of 3384   | 4388 | firefox.exe | 85            | 2
PID 4388 wrote to memory of 4788   | 4388 | firefox.exe | 86            | 48
PID 4388 wrote to memory of 1212   | 4388 | firefox.exe | 87            | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck
  PID: 3576
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck
    PID: 4388
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.0.572665097\1233169657" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38d4a787-d634-43bd-807f-0b0884b4ac7a} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 1932 1eb4bde3058 gpu
      PID: 3384

    C:\Program Files\Mozilla Firefox\firefox.exe (socket)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.1.1526808825\1784290663" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65ebdaf1-496b-48f0-b299-0b1c0387187c} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 2440 1eb3ef73858 socket
      PID: 4788

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 1)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.2.1891444219\559510074" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2924 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9bec9fb-84d3-4f6e-b14e-a811479cfaf0} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 3084 1eb4fcf0658 tab
      PID: 1212

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 2)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.3.224290234\2025922390" -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fe9682f-3b09-4520-839d-6b6db368f982} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4068 1eb3ef6f858 tab
      PID: 3372

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.5.82020418\1483630587" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c1e84f9-bca3-4398-888b-71b85b41d3e5} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4980 1eb5107bf58 tab
      PID: 2460

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 5)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.6.1239013968\627561918" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 4980 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8373f0b2-536d-4257-bd42-8053bc8eb60e} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5064 1eb52475d58 tab
      PID: 2508

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.4.1694306728\1260038150" -childID 3 -isForBrowser -prefsHandle 4692 -prefMapHandle 4524 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cd027f0-2d2e-4dcd-840a-fc6563f27a55} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4728 1eb3ef61158 tab
      PID: 4676

    C:\Program Files\Mozilla Firefox\firefox.exe (tab, childID 6)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.7.1885968724\2028133042" -childID 6 -isForBrowser -prefsHandle 5444 -prefMapHandle 5564 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b556efb-7d59-4f3e-a3e9-0dccd46ab811} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5576 1eb53428f58 tab
      PID: 4960
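The two signatures that carry IoCs above, "Checks processor information in registry" and "Suspicious use of WriteProcessMemory", both fire on firefox.exe itself, and the process tree shows every WriteProcessMemory target is a -contentproc child the browser just spawned. The following is an added triage helper, not part of this Tria.ge report, that turns the flattened IoC text into counts, labels each writer/target pair as parent-to-own-child bootstrapping or as a cross-process write worth a look, and groups the CentralProcessor reads by process against a known-good list. The event text and the process tree are constructed from the PIDs and registry paths shown on this page; the extra PID 6000 write, the update.exe reader and the known-good list are this example's own assumptions, not the sandbox's scoring logic.

```python
"""Triage of two signatures from the report above: 'Checks processor
information in registry' and 'Suspicious use of WriteProcessMemory'.

Added example, not part of the Tria.ge report. Sample events are
constructed from the PIDs and registry paths the report shows; the
known-good process list and the parent/child rule are this example's
own assumptions, not the sandbox's scoring.
"""
import re
from collections import Counter

# Constructed from the report's process tree: pid -> (image, parent pid).
# 3576 is the firefox.exe launcher, 4388 the browser process, the rest
# are its -contentproc children (gpu, socket, tab).
PROCESS_TREE = {
    3576: ("firefox.exe", None),
    4388: ("firefox.exe", 3576),
    3384: ("firefox.exe", 4388),
    4788: ("firefox.exe", 4388),
    1212: ("firefox.exe", 4388),
    3372: ("firefox.exe", 4388),
    2460: ("firefox.exe", 4388),
    2508: ("firefox.exe", 4388),
    4676: ("firefox.exe", 4388),
    4960: ("firefox.exe", 4388),
}

# Constructed: the report's 64 WriteProcessMemory IoCs in their flattened
# form, plus one hypothetical write into a PID that is not in the tree.
WPM_TEXT = (
    "PID 3576 wrote to memory of 4388 3576 firefox.exe 84 " * 11
    + "PID 4388 wrote to memory of 3384 4388 firefox.exe 85 " * 2
    + "PID 4388 wrote to memory of 4788 4388 firefox.exe 86 " * 48
    + "PID 4388 wrote to memory of 1212 4388 firefox.exe 87 " * 3
    + "PID 4388 wrote to memory of 6000 4388 firefox.exe 88 "  # hypothetical
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm(text):
    """Collapse the flattened IoC text into counts per (src, dst, image)."""
    counts = Counter()
    for src, dst, image, _target in WPM_RE.findall(text):
        counts[(int(src), int(dst), image)] += 1
    return counts


def classify_wpm(counts, tree):
    """Label each writer/target pair.

    'child-setup': the target is a direct child of the writer running the
    same image. A parent writing into a child it has just created is how
    the browser bootstraps its content processes and is expected here.
    'cross-process': anything else, i.e. a write into a process the writer
    did not spawn or that runs a different image; review those.
    """
    verdicts = {}
    for (src, dst, image), n in counts.items():
        target = tree.get(dst)
        if target and target[1] == src and target[0] == image:
            verdicts[(src, dst)] = ("child-setup", n)
        else:
            verdicts[(src, dst)] = ("cross-process", n)
    return verdicts


CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Constructed from the report's registry IoCs, plus one hypothetical
# non-browser process reading the same values.
REG_EVENTS = [
    ("Key opened", CPU_KEY, "firefox.exe"),
    ("Key value queried", CPU_KEY + r"\Update Signature", "firefox.exe"),
    ("Key value queried", CPU_KEY + r"\Update Revision", "firefox.exe"),
    ("Key value queried", CPU_KEY + r"\~Mhz", "firefox.exe"),
    ("Key value queried", CPU_KEY + r"\VendorIdentifier", "firefox.exe"),
    ("Key value queried", CPU_KEY + r"\VendorIdentifier", "update.exe"),  # hypothetical
]

# Assumption: processes for which reading host CPU details is routine.
EXPECTED_CPU_READERS = {"firefox.exe"}


def triage_cpu_reads(events, expected=EXPECTED_CPU_READERS):
    """Group CentralProcessor reads by process and mark each process
    'expected' or 'review' against the known-good list."""
    values = {}
    for action, key, proc in events:
        if not key.startswith(CPU_KEY):
            continue
        name = "(open)" if action == "Key opened" else key.rsplit("\\", 1)[-1]
        values.setdefault(proc, []).append(name)
    return {p: ("expected" if p in expected else "review", v)
            for p, v in values.items()}


if __name__ == "__main__":
    wpm = classify_wpm(parse_wpm(WPM_TEXT), PROCESS_TREE)
    for (src, dst), (label, n) in sorted(wpm.items()):
        print(f"{src} -> {dst}: {label} ({n} writes)")
    for proc, (label, vals) in triage_cpu_reads(REG_EVENTS).items():
        print(f"{proc}: {label} {vals}")
```

Run against the constructed data, every real pair from the report comes out as child-setup and only the hypothetical write into PID 6000 is flagged; likewise firefox.exe's CPU reads are expected while the hypothetical update.exe reader is queued for review. The rule is deliberately narrow: a write into a child running a different image, or into any process the writer did not create, still surfaces, which is the case this signature exists to catch.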
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 133KB
  MD5:    ff15a3b0f41ab54a9cd895e1e0ad4f08
  SHA1:   42b604472b3008f464e326e665bcdacf701b2741
  SHA256: 77b7ef4dc4f6ad0ffd34b73756a7ba0e0bd75c0fca30c870fda7d8f8fd8d1f31
  SHA512: 4471b213d10a18be08acbb377329739138cd2c74f9012a6ed23d074c507e26000d38e9e7a9e879ee1b5094e87931271d3f7a4d65027dbd0d449bcbd63e55d7df

(no path listed)
  Filesize: 6KB
  MD5:    18c1f65bb045a360292834bc1c14a6c1
  SHA1:   50e8dee3d9ea8c7d530f38bbab4c98e942022b24
  SHA256: 22c63c3436458d243c86f20e985e7b4e9e5a412d7cb3ccaff455a35c064533b1
  SHA512: 0a1f0b8fee9a6591f3163dc3b8f72ce9854d9c3f0d941c079469bb27e6c93fc2a6eb7eda617bff58efba93902b48a6244de68841425cf79008e5beee2758e0b2

(no path listed)
  Filesize: 6KB
  MD5:    1984b45f201f1fd79d2154406648433b
  SHA1:   42f082dc6d4d43333688690bf4dfa7c7f8b618ab
  SHA256: 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9
  SHA512: e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc