hxxps://felav02[.]c[.]sat[.]gob[.]gt/NotificacionFEL-rest/rest/publico/descargaPdf/WC9nS2xINUo3NU1GclNSVFRvcWZQMFkxWXpRZ2p5VE1CRGRzZzdJbWFQTFB5QkVIRTBTYmI3RmViNUdQVmpHN09EZUpBcUFYTVZlZTJuUE45SnBBVHc9PQ==

Analysis

max time kernel
42s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/06/2023, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://felav02.c.sat.gob.gt/NotificacionFEL-rest/rest/publico/descargaPdf/WC9nS2xINUo3NU1GclNSVFRvcWZQMFkxWXpRZ2p5VE1CRGRzZzdJbWFQTFB5QkVIRTBTYmI3RmViNUdQVmpHN09EZUpBcUFYTVZlZTJuUE45SnBBVHc9PQ==

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\F0E74E53-4B24-49C5-844F-88511DEC5813.pdf:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe
Token: SeDebugPrivilege	4492	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4492	firefox.exe
4492	firefox.exe
4492	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 3400 wrote to memory of 4492	3400	firefox.exe	83
PID 4492 wrote to memory of 4504	4492	firefox.exe	84
PID 4492 wrote to memory of 4504	4492	firefox.exe	84
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 4032	4492	firefox.exe	85
PID 4492 wrote to memory of 2004	4492	firefox.exe	86
PID 4492 wrote to memory of 2004	4492	firefox.exe	86
PID 4492 wrote to memory of 2004	4492	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://felav02.c.sat.gob.gt/NotificacionFEL-rest/rest/publico/descargaPdf/WC9nS2xINUo3NU1GclNSVFRvcWZQMFkxWXpRZ2p5VE1CRGRzZzdJbWFQTFB5QkVIRTBTYmI3RmViNUdQVmpHN09EZUpBcUFYTVZlZTJuUE45SnBBVHc9PQ==
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://felav02.c.sat.gob.gt/NotificacionFEL-rest/rest/publico/descargaPdf/WC9nS2xINUo3NU1GclNSVFRvcWZQMFkxWXpRZ2p5VE1CRGRzZzdJbWFQTFB5QkVIRTBTYmI3RmViNUdQVmpHN09EZUpBcUFYTVZlZTJuUE45SnBBVHc9PQ==
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.0.209710375\58135078" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40fd8cfd-4dca-47cb-bd46-e2ff01734224} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 1952 1a0053e9158 gpu
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.1.143798613\872037721" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99404f4e-0565-46ab-8a2f-fd7a0d86c0f2} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2440 1a004844e58 socket
    3⤵
    PID:4032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.2.362102448\1732000546" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 21711 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b9863bd-85d9-42da-9f9c-ecaa9b577f06} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 3160 1a0091db258 tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.3.1602709575\685987335" -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7008312e-eee1-489a-93cc-546edc6bca70} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4068 1a00a483e58 tab
    3⤵
    PID:1160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.4.1420044987\493603895" -childID 3 -isForBrowser -prefsHandle 4664 -prefMapHandle 4736 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04e7aa51-c872-4a4f-b6f0-4ce620f6df40} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 4700 1a00b266058 tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.7.669202193\786687906" -childID 6 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b40d18-6ca1-4a0a-8ade-96d5ff25fec0} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5168 1a00c64c858 tab
    3⤵
    PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.6.1749222772\1986105802" -childID 5 -isForBrowser -prefsHandle 5132 -prefMapHandle 5124 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01b2f23a-5242-4e30-857b-a62e7b67c0d2} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5168 1a00beca858 tab
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.5.737411635\814035890" -childID 4 -isForBrowser -prefsHandle 1668 -prefMapHandle 4932 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67fe5dec-c016-4093-bbea-8f5050f34289} 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 5144 1a00bec9958 tab
    3⤵
    PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
140KB

MD5
f49c7b830d737cc1c7d0fbf255eeef07

SHA1
8403db3f33d2b7232f47ffd9467c96f3495fc411

SHA256
a0210f54de2df0df57ec29ffba868103f41c3e82e1e1240da4d9cd4eb86657ea

SHA512
98bbabe069be7f016a71e4586df4d05cdb42530bcca0dca58c76dbf317bcabec868636613dfda82dbdf48ee2699fa551193e3e653845736a64a8630b89ef8688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
8322997b6f423b0995201f66cf34ce20

SHA1
0b2a6a8a1825217f492428fe249e3a3773606fc3

SHA256
9a1c4d986d13a9e26185ce490fa1464697ac6038517a4bd1b96bc6e95c4adbec

SHA512
e7db7e96d1cc7c52e05a66e27797dee40ae07b2b2697440e4c32dd604e0c94cde5a9316815176128630534189fb233d2487a1998ea04a1e2b2128b633e0b75e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
ca2a62499910af4e2cc688ca5cbcb856

SHA1
3a6a297a1314e6881241b78154db86ad587e9c14

SHA256
0ce2426e1dd6ab76afdf06ff418a57323404698b97ef0ec8c40a44b4109645cd

SHA512
da394861b9ae55e69526ad5df6485bd6a27ad891cd94391f42348fd38d5819bf97803ef2229b6110bdc6086a54d36eb4befb0f253ff173e225ba4c1b46ee92cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
91cf5c9dfc4e02c441c09ca88b28f5d4

SHA1
ff6be68265b79f5f7b544f4a79ba78465b0818e7

SHA256
f884e2986f091b287174624bd77f01cb500c67fa0ef435104cc447a4dbed7af0

SHA512
fbcb05345777257212d06322dbec9cd0a73a45585a82efb9598956755a8ced5e645acc1cf38a7c4cfcf3a1d1a7e90f09ecbe669e77178c3734601b7890c99852

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
738ab1f61b4356a7dd93b7b5fa4776f8

SHA1
0080e6ea5bfd64fdcc386cb8890378d3c8232eb9

SHA256
74ac20cb751c73ac9421d1ef93a6d2f11fda3120d6a01e7d116ddacb7f0c2b26

SHA512
08706b340f367da16e4aa986ca30973be3bd05d4bd3e3e32d5f6ed05b8cb78cec5ba8b4fed9d37c84c3076f36ae3be65da3839fbe973038f3f1aee85a7121191

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js

Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
675aabbb25d35455546ebb385b453280

SHA1
732155ed4b336f5c5a4e9508881718f1eae7f19a

SHA256
5994ab183cd27d2f5af858c79a0e3ac3b2ee1c384ed73c938a21fd7efa6b309b

SHA512
a61dc88dc65ac24917b16ec240d3e4c56ec38c4833fdddaf0bbf55c0a3ce2c6ff3a2beb742c3e75d5402315d6726f821a8c715e8be22d44261eb9b2eb305d518

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fc76eeb2b0f746d302fae35ad872a707

SHA1
b3505bf82c21fd2fe7e67eff33777de1959e5656

SHA256
03a479caf958f66e8a93122ab18e7192a02ea99d9c90dddf6febb008040f56cc

SHA512
3e0139ef796169d7ec2aade8a26dbc1dbb1431d74ac5371d0c87b6eb8b4d6c5ef42a1faca831d5b2671f4691bdd5575e71f9f5a9463991d8863e666aca99a42b

Download Submit
C:\Users\Admin\Downloads\F0E74E53-4B24-49C5-844F-88511DEC5813.pdf

Filesize
3KB

MD5
817049b1055de6c6dfc24f45126bb3c3

SHA1
cd89bc958c5a5c87c7422ce83ec4493ea9ac8f1f

SHA256
b1e5076239c29ef99cbb9a986da2c69059c01c4e5928d537b6607807c3ba3f37

SHA512
3ec4332cbef78964ad80154c958f140618229e6d8b6a9044f497213f26bebe9e273bf6f23df022966890c9b56effba5099c28c2aae3f2aa1406f9e65e0522b70

Download Submit
C:\Users\Admin\Downloads\lvEytOkP.pdf.part

Filesize
3KB

MD5
817049b1055de6c6dfc24f45126bb3c3

SHA1
cd89bc958c5a5c87c7422ce83ec4493ea9ac8f1f

SHA256
b1e5076239c29ef99cbb9a986da2c69059c01c4e5928d537b6607807c3ba3f37

SHA512
3ec4332cbef78964ad80154c958f140618229e6d8b6a9044f497213f26bebe9e273bf6f23df022966890c9b56effba5099c28c2aae3f2aa1406f9e65e0522b70

Download Submit