Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
12-06-2023 14:06
General
-
Target
https://coloursatelec.com/vac1/?alt=media&token=033982e3-60ca-457e-b182-18a03119de12&data=d2ljQGNvLndvb2Qud2kudXM=&subf=Open%20Vacations.pdf&foldr=Human%20Resources&file=Vacation_Submissions.pdf
Malware Config
Signatures
-
Detected phishing page
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://coloursatelec.com/vac1/?alt=media&token=033982e3-60ca-457e-b182-18a03119de12&data=d2ljQGNvLndvb2Qud2kudXM=&subf=Open%20Vacations.pdf&foldr=Human%20Resources&file=Vacation_Submissions.pdf1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.0.570992099\54551467" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54393ac1-0ec7-477d-8556-89cf66e81583} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 1916 236c1516558 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.1.198512020\1374495626" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f36bf943-eba0-42a0-bc50-f3ad47207036} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 2316 236b356f858 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.2.2057324420\1209484247" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2816 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9538eb66-a10d-4198-bf57-fefd86225b4c} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 2820 236c0491958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.3.331586327\853474027" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {758bb810-f3ac-4fd6-bf7f-df479fc617ad} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 3492 236b355ca58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.4.333797113\430358761" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d7f4fd6-80f0-4c4c-be4a-a2add436ca88} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 4000 236b355eb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.5.2144270443\1601948940" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 5028 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45598f5b-4fe3-4565-b748-c80acacfb4ec} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 5124 236c6b2cb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.7.2118417682\1827739810" -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8527f6f6-bb2e-47a6-8ca7-057af16a4d65} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 5480 236c6b2e958 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.6.535017851\317617825" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef7740f2-6316-4cea-a92f-63943ea72382} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 5352 236b355b258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.8.1306888671\943698230" -childID 7 -isForBrowser -prefsHandle 3576 -prefMapHandle 3592 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46ec8a25-fbd9-4f14-b3cf-73a232bf0c2a} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 3608 236c5072558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3480.9.1517693729\1599549111" -childID 8 -isForBrowser -prefsHandle 1204 -prefMapHandle 3752 -prefsLen 26832 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa9377f-4375-4fc9-b126-965d13f4c546} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" 5172 236c5071358 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5f00c651bd023e439cef538cb61938602
SHA17e49f7ce3c00bde7692a5fd85497e1f60b1f616e
SHA256ac671834dcc3d8ef96272da936597334cccd7c1106beeac5919e6cb308f9bb66
SHA51291ddece9b7c3fe2ab0d9b4891fbe522f344b58fedf99b5eee0f06e573770dfb96d69c0727102b94a22d34a671fa28cd51d90e4fd35b28443b260195a9ce53de6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5213747b20ca61e6b514a954bb29207c5
SHA1b4cb2550ac3c10cf3f4c6ad63b72cbd85975c955
SHA256e1a90ee30545ba3b345998a13064c5ab5d459bfaf6315e3ed2606c074b24aed1
SHA512a31b15ef977fd588acdd1cea13a79d7230a8a81ac24119af0309a31fea0ab7b234311d7db0e0b4bfa8b84651fe6c126a8cdad40df7cddb6ad6e06a7271580445
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ0AI98S\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmpFilesize
147KB
MD50e488198ba06e318a8c6c3bd4c5a5291
SHA1f03d1eafa1dfbccb49a260a0e8e8febf66eee6ca
SHA256ab000b327200dffcd7ebb35419d1ff327a522e57768a279a59a044eb98c89e03
SHA512819c76e72768dbcbaefd55f45351cce87a828c991854266865b33ec6ba7c0173ee5320cc7af6bb31dce0963867bd157b3f175677e50575dd2c4c6d50342311ec
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\cache2\entries\58D46C4012E4AD3623A4EA72BB3C1CDD25B3FF87Filesize
14KB
MD5c25513da19582c570e471c875cf225ba
SHA1962a9702303654f0d5cc1df0e518a61d0935ae4d
SHA256075dd646744d954e5cb9427e85388ca6b1645a830a6ee7906fd6bd57ccf35c95
SHA51295b0f5f69cfa6912795fe43a77230d97ce9bdf4b4a4f2a96716f8556dded4aa7684e2d76fc260071e123651d86d27c445d7d6eb9cb0a6263de4a8597831bca03
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.jsFilesize
6KB
MD5e63c3df19793e28dbd16a5b2c2889b5b
SHA1160fd8573ce23122318740de4fe7009cba417afa
SHA2566280ec42ec474e5a8ed55cab8638d01cc1aefa35bfbaca6c1ee08a83be75c47f
SHA51299c8637fda51a2b0bde49550169ccf954827517c6a19208069d57ebf396d42c4c0d097111b2e55b554b8162d3a1623e9c40ff7df792e2211ef712bb31a1206ba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.jsFilesize
6KB
MD5f091abd4451af48a939d07fcd1005b04
SHA1b216c4659a806280a22677bd7d4961a768ab2d78
SHA2566beeca5ca02fd6750ebfcd7653c9f59c779d47240907bbded39e84c3d838d120
SHA512ee52340325f15e1a637597b799ba82ecbc5b5aa8547b8cca12b2ae00f3ffb79a8fc5d111ac429f0d60de99a474c3354a7c9c081f9ace8fa6ee4c19eaf4a1ff70
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.jsFilesize
7KB
MD519cbb4b4b7bb4257cd1de16fc4869c77
SHA12e3f93299633032d7deac8a27e306c6c6a95eef0
SHA25622d738b55636d24d09acc6f49d410feb4fccc87526499e22012eb4f95128bb64
SHA512970b08dbc54c812c12ca244ab0c92ba43e28558ef6d354bc3930a9d2e692b40437e23ddb7eab70ec7f99a9d88f1bbf885404285d4a914055986d005a2d5aa0ec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.jsFilesize
7KB
MD506276f863b3d8b12325e97c2e7efcbb9
SHA194bb96c0e7db7f8156eb11f11169b444ae3fafec
SHA256df16addba4579c9fc99da4612e7fb24ac6cd71f0f9a4f89150ac10c42c36297f
SHA51281e5ab8a80972c901069bae8525f2748cfae8431d8cf922ad8b3962c14601c4bccc2a52d117ebcccef5a2e7a6a1aa0e49ad49c511b2a3f3b64c3f77061581f86
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.jsFilesize
8KB
MD578565e6be9678178f5cb383a17415a63
SHA183cf7880c1bfdef01d8043992d5f3084822d3072
SHA256e200899fb13d69886706493268bd5b47dca349e4ad5718c815894ff2eafcad36
SHA5122a0c10767731e3a35f4a1c5804228d15e647bc77d7f65ff8e19ee3287ed8bb05c581992d043f06a8ff3c7bbf0beebfdf3bc4d6c6db449b7a2934263fa9bcedc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.jsFilesize
6KB
MD5207077fed406e49d74fa19116d2712aa
SHA13ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee
SHA256b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58
SHA5120c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
36KB
MD59c78197915402c332ef45adce459b1f7
SHA1ef9cee9cf9ab7112a1a6ce4033d60f31a7dd7111
SHA256d350ffbfe051a39b84364c2de98dd70befa85310012f05c309ceec45e5e74acd
SHA512b07685e04ccfc6e86824209a875fc974a1b166138b91c13b4a0a4f88f6220471376a84388fed99aad1ada3b2ddf9342e6bb53c76eafe4ab3b683000b0efee705
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
37KB
MD5f5a605c9c4e051f95df0f11e21ab9d8b
SHA1f444062c49e680a2fd2ed2827fb61262eafce4a9
SHA256070e46b029524b577154ebbd44587303221f607f8af7c9b11362a62905e8975b
SHA5123cfd5358c79eebcc012ab7c9b4f09067f9ebfb3a2dc3a41a3b0ba1805024de4d6ff6c526084638cbba11cf49b7d5dc34bd12b00c8d39f9d9395ad45146d006c6