hxxp://comercializacioncorporativo[.]canadacentral[.]cloudapp[.]azure[.]com

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2023, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://comercializacioncorporativo.canadacentral.cloudapp.azure.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	firefox.exe
Token: SeDebugPrivilege	4520	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 2528 wrote to memory of 4520	2528	firefox.exe	83
PID 4520 wrote to memory of 3904	4520	firefox.exe	84
PID 4520 wrote to memory of 3904	4520	firefox.exe	84
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4704	4520	firefox.exe	85
PID 4520 wrote to memory of 4196	4520	firefox.exe	86
PID 4520 wrote to memory of 4196	4520	firefox.exe	86
PID 4520 wrote to memory of 4196	4520	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://comercializacioncorporativo.canadacentral.cloudapp.azure.com
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://comercializacioncorporativo.canadacentral.cloudapp.azure.com
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.0.753086114\1470631304" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed3ed233-f3b4-4f2c-8fd6-09241b8088a0} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 1924 1aa451c3558 gpu
    3⤵
    PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.1.278116049\842418120" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2cf954-5bb3-453d-b0e5-6cce6766a4db} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 2424 1aa38272b58 socket
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.2.1260974500\1086881838" -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3108 -prefsLen 21711 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86daebbf-de8a-455f-abed-1f2b24d50200} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 3124 1aa48fc1858 tab
    3⤵
    PID:4196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.3.2115282829\1368421684" -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be9c027e-d03c-492d-86fd-aa6a8da46966} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4000 1aa3825b258 tab
    3⤵
    PID:1200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.4.973718835\496776169" -childID 3 -isForBrowser -prefsHandle 4880 -prefMapHandle 4772 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dbb9a00-978d-4a7a-ac58-55ffe46b06dd} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4872 1aa4bd6cb58 tab
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.5.1986424390\1425642056" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38b3ef5f-8675-421d-8edf-c0a7c5a47567} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4968 1aa4bd6ce58 tab
    3⤵
    PID:3520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.6.770276001\648698002" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {031e8d1f-edee-4969-b9cf-dd56770dfdfd} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 5172 1aa4bd6c558 tab
    3⤵
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.7.1746374875\1824722472" -childID 6 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 28506 -prefMapSize 232645 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {444e0aad-675e-44aa-8c85-702f972e6f51} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 5676 1aa502c3158 tab
    3⤵
    PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
148KB

MD5
c8348f508fe692cd23e61fffa40097ed

SHA1
73838a8f021fb7b28145f21c05c144ce0f75edac

SHA256
34e167a54392ee583320700f2b805c9c537cbba6cfd03e9d892ed00d9c92d36f

SHA512
328f24088e4e8a02ae94b26c0b10ee032c7d01328c92ce29c19216f290dfc9ff97ab449c94533fcbbb9384e681004d56c9b1b5c9626091b21ed181dc0c150906

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\14132

Filesize
790B

MD5
6cd539b668d7c1a5f3de53844ccdc487

SHA1
6df1464eee1cc0ca3c16770689a9f63c957bf007

SHA256
47a262060c6fb17ff54341f0528d4b03549b1cf5f1696da00225d06971376c0a

SHA512
2a6e3383007ccf4fa39502bcfb669d64da3b512bef4d65752ee658a24c5c15c0cbd523dda245efc120ad85a271245b5483d9d095c61e5e6e0a382a3fc56164c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\2844

Filesize
850B

MD5
565d69ca4682da68f9f83f8e7d056b30

SHA1
0d942b5d04009c7c20c0911fcbaa8ec11ac31e8a

SHA256
07e034abcdc72c8319fe853959ea3716aff9a9c3abca20952f68a2a64f9ea835

SHA512
2d06f1798366e22dc06f86a7b7c3478d0cd489aab21c7cf842a97ccb729ac22a7ae4f46ec2933350108b77820c311fac0c0e4ee7be352bd4ef3f7acce5ee5ce5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cache2\doomed\32315

Filesize
790B

MD5
af32e95bcf715e8c887e0d2a001261a5

SHA1
e498cf5f6ba349d5bfcd84ef5c2f4d33a9528dae

SHA256
c7f8f9b41b4d13e67359a1e76d5c8bc8236a1b2ee1cdfc53ef0eb6553964fe3b

SHA512
2561963905a4418a1288bf12ec0c56e502433a142be4f41f1fc805ac90d3840f9e000dc7d832deec631395929d1007a6827908b7ccb78902bebdd1904560e830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
938a88828d0323ed08150294b86fae46

SHA1
88f59ce0863cf1b83d3ec607f2b90d9479eeca5d

SHA256
4b9b8fbe923678dee3ecbc120f40db483ed3ff3189a8195713628d817097c104

SHA512
7613beece0ffa43c5e17bb88616d115d16f55975238d841542efb761b28465ee74874c327e67b153d8600454d401727789d86096b8d5aedb6ddd2a80d8472ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
88174b5e66baa2d511771c24683b37e9

SHA1
c220262e4f50b8c14c5bb8a3aefc8cbbfdd15c67

SHA256
d99737f468d948c78f65d6b08dd39b059665ca85f08fbf6ab53d5c821b79faa9

SHA512
9a45b56e61e6541dd54dbcf8383ac2cf9aa58841ac2fbdf617d83bb3ba38b1446d7d63a0d9b977f54b22cf9a28422722257338af4436ca07558d1af6baecbdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
d1728c295242279da281894bddb443e7

SHA1
718a3edcc48313db31d3ee0ffa888735e185406d

SHA256
e2e4037ba16d9ca88497086ad871a536bc8a0ffab074bbb257c8360f56fcd80a

SHA512
c46b214296547dd9d54fe8f27c7a9d9271473f69ce222a6b39c64e6fce1a04404f0252b8473ccdfa010f2d820b0652fad01b96965873e44ccbad289e889b4864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
7KB

MD5
40845fa68b67d9dbf9923175afc31d7a

SHA1
c751d8677fc8cbc75defc3f9ac9a0fa0a9f1077c

SHA256
917bb635bbf6e1e36a88350544b195b450af37080e8bcb2519962f7d3165484a

SHA512
9157ef63dadef90d817ce13105a24fd5540ca6bd97a3ba37d6235aad3c06a2472c4499bab31f74e592841410aab15750261feebd1c1261019731452fb466e766

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
7KB

MD5
5468299a40382d777b198aef316fb97a

SHA1
f9bf7ff2aae93a0888c2835636b44310dd5b1664

SHA256
759aeffc0b605915d394d12be4e3d6a9b05ff63568c7d7fdfaeb1b8d1263f651

SHA512
035963c74e2736cddebb7dabb323351628f0a3e9d88915aca0ea7cec59c29d9622ad2da8b849a28dcb668d4b7c16fca379b751a840c10efcbf91b3868f166d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
7KB

MD5
b66a8d538aa6b438067cb8e89ef338b7

SHA1
fd530165a25dd80a92cc74f08859a77cf63f9152

SHA256
4d834a48095a51f81d1485a40d7cfd59196d901cbd8d8135a4591c7600bb8f05

SHA512
490c00ad911d5dd154752b48ba31cb165fbda21c6cc1774e2eafe9f30ccfb2bba5816f29fac8c6334350aa7b4268ba028853cad445af651c7dd577226c92f30b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
7KB

MD5
89ec8ba16408bd807002338b9cb4bf0d

SHA1
ad452658c40face51092656203fc4e1cb9e339fb

SHA256
eb968dede4a1f5d39038dbbeb50d11d7810cf258e1194fd650e4023362e78cc7

SHA512
a9dba2fd7a30cefb56f4a3b7611cf61a4a812bb8af8ee9a619374125462fa22f870c44e57d5a3cbda906f642bd69db588af31656bca9b75fc5d0e4feb65382ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
5b1d629ddf29677d5d8fe07bcf488b66

SHA1
c9ecc74ffe2e12a7853db21278b036b145b9fe09

SHA256
c778a4a542390468fbb96f611cb9f8baac14bdc668b617bb189136a7e5810d85

SHA512
323c313103c7ce4a27c2d401cf8faa496800d1af909d0ba2e2d524256de1efaa85fb86672b38377e55a318e0b8d8e6c78b3c78555ee921c0158775e6c9790626

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js

Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ca5ad1f9f26381421fffa79d04713711

SHA1
cb3dfe4c7d016ed33e887ce913b563a2c311383e

SHA256
b4dc9ac2586cd9be615b83038cab3a44c2f1e461a925f752792ec2a1342aea20

SHA512
e3b502441907e5bc314e4d2366c54d4d1e21259fb1f7721d5ed189dabf69c1d8a390721fc3304baf99004ff296d0792754c86f6b254d935ce70e31c29e34ad77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f8641fd249bc9816a1b4b125b32a16fc

SHA1
ff7a89397aa70c9afaf49f2e9500ac9efa89596b

SHA256
5807d4273fdc4ae96f1ab2d91513daa441ef98203daeec2867f374fcdd631ef4

SHA512
1234ee522979802c3edeae964f7fee1b36c37a3abe733ee0898edfbbb9e9ea17ad5c570cebd5447bc0a695fde62298853cdf580340aaf1ec02136478ee0b5920

Download Submit