Overview

overview

1

Static

static

1

URLScan

urlscan

1

https://www.billorei...

windows10-2004-x64

1

Analysis

  • max time kernel
    51s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2023 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.billoreilly.com/site/rd?satype=40&said=4&aaid=email&camid=-448442788726870215&url=http%3A%2F%[email protected]

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.billoreilly.com/site/rd?satype=40&said=4&aaid=email&camid=-448442788726870215&url=http%3A%2F%[email protected]"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.billoreilly.com/site/rd?satype=40&said=4&aaid=email&camid=-448442788726870215&url=http%3A%2F%[email protected]
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.0.1378080789\2021497600" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45f3d97-0a62-462d-b6e4-b1529302392a} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 2008 264cb8d4558 gpu
        3⤵
          PID:416
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.1.469162597\1201945429" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9624109b-32f1-4ede-a5c4-e92b894796f5} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 2400 264cb5f5258 socket
          3⤵
            PID:2208
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.2.1555873148\1453298662" -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 2940 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a5ab5c-cec4-4e0a-b7d1-617fd6bb85fb} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3144 264cb860758 tab
            3⤵
              PID:3632
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.3.1826411632\1062350572" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b17a50e-4c38-45a9-be9a-5b9218d8b71a} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3692 264d0927b58 tab
              3⤵
                PID:3840
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.4.956487413\1407487481" -childID 3 -isForBrowser -prefsHandle 4924 -prefMapHandle 4920 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3afc17f6-a015-43f7-916b-4a301fa05c7b} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 4932 264d1847758 tab
                3⤵
                  PID:2252
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.6.490904694\1106502358" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {884a4b7d-9ddd-4693-83a9-c51e0822a6f1} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 5256 264d21f9b58 tab
                  3⤵
                    PID:2004
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.5.1619502886\1653757577" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78868b1b-b763-4cbf-b889-db066654c9e4} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 4948 264d21f9558 tab
                    3⤵
                      PID:3376
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.7.84873431\1576264995" -childID 6 -isForBrowser -prefsHandle 3372 -prefMapHandle 4396 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {185b87c7-32f3-41fe-85e9-c1d737cf3660} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3476 264d278eb58 tab
                      3⤵
                        PID:4380
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.9.298138475\1255126091" -childID 8 -isForBrowser -prefsHandle 5016 -prefMapHandle 1636 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6748305-2252-4261-8abd-359b9e0b8819} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 5732 264d2f6ce58 tab
                        3⤵
                          PID:4632
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.8.1939917204\2009659618" -childID 7 -isForBrowser -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a012c696-6422-46a5-b5c8-93e8f427549b} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 4976 264d2f6a758 tab
                          3⤵
                            PID:1744

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\suuk1m1w.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        153KB

                        MD5

                        d0e3e992c490a265324c01f43ac934ee

                        SHA1

                        fda588a55818243e414c8e0905ed262d7044b4fa

                        SHA256

                        85cba4e48c9fd23ce8b359a2881371484804e467b468b209c3989ee27822fa2a

                        SHA512

                        da6d5b48e6758ddf7abdbbfc8f9d2a870a4cf7fa6d6ca372a0ffc7a8546519460f53f0030f1fa97c1a23abe27b7853d4bd260c1fa7110c5c67433c454087cbc0

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\suuk1m1w.default-release\cache2\entries\ED9826654AE8BD972BDE17A9E0A449D3F881E430
                        Filesize

                        14KB

                        MD5

                        f9f7fc7be27a78c7fa08bd8e69241aff

                        SHA1

                        464b2a3082472c34b1e59d2ebb285fd6d1ee5ed6

                        SHA256

                        94702a6d4da496f5f4c2eefb52b7f6f49580498d54ac2175f7ca7a1fd79038c7

                        SHA512

                        da1a9e144a6402a251d1c0275bd4d532c0b93ab7b735e3099d0b8b0407a705371e0f902ac6efbf7bfd724f2bde1ad043123339e459115813ff779f93d9b677b5

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                        Filesize

                        442KB

                        MD5

                        85430baed3398695717b0263807cf97c

                        SHA1

                        fffbee923cea216f50fce5d54219a188a5100f41

                        SHA256

                        a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                        SHA512

                        06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                        Filesize

                        8.0MB

                        MD5

                        a01c5ecd6108350ae23d2cddf0e77c17

                        SHA1

                        c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                        SHA256

                        345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                        SHA512

                        b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                        Filesize

                        997KB

                        MD5

                        fe3355639648c417e8307c6d051e3e37

                        SHA1

                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                        SHA256

                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                        SHA512

                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                        Filesize

                        116B

                        MD5

                        3d33cdc0b3d281e67dd52e14435dd04f

                        SHA1

                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                        SHA256

                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                        SHA512

                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                        Filesize

                        479B

                        MD5

                        49ddb419d96dceb9069018535fb2e2fc

                        SHA1

                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                        SHA256

                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                        SHA512

                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                        Filesize

                        372B

                        MD5

                        8be33af717bb1b67fbd61c3f4b807e9e

                        SHA1

                        7cf17656d174d951957ff36810e874a134dd49e0

                        SHA256

                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                        SHA512

                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                        Filesize

                        11.8MB

                        MD5

                        33bf7b0439480effb9fb212efce87b13

                        SHA1

                        cee50f2745edc6dc291887b6075ca64d716f495a

                        SHA256

                        8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                        SHA512

                        d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                        Filesize

                        1KB

                        MD5

                        688bed3676d2104e7f17ae1cd2c59404

                        SHA1

                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                        SHA256

                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                        SHA512

                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                        Filesize

                        1KB

                        MD5

                        937326fead5fd401f6cca9118bd9ade9

                        SHA1

                        4526a57d4ae14ed29b37632c72aef3c408189d91

                        SHA256

                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                        SHA512

                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js
                        Filesize

                        8KB

                        MD5

                        3197b6e905761bcc7d2f4a5a1a129148

                        SHA1

                        556a4583e6ca5d9b6324ba994f474af76e2d6153

                        SHA256

                        8eb54f455392c402fc73373ae8cdbaf96ba081b5a9bedfc764ede36c70d3f287

                        SHA512

                        c423b2dac3a28335ef1c603f72a683473943a0859a69e2a6f0fec31bd25d10fd5a5bf62251074ba20028838c002f883c278ed1025be05234e46d787777b8425e

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js
                        Filesize

                        9KB

                        MD5

                        ae134631e9bd7d8f8ac590e2405a43a7

                        SHA1

                        c3483916ac708ef7208d90364b5346e450d1b176

                        SHA256

                        c676ca999a241925b9333df7b11173f7e33695396769e8cce0473337476d53d1

                        SHA512

                        d535525f3ac5e2956d93f7c487dc3cbdeb878d25d5d9c79718cc9ca2bdbb65b1876c1cf430f2caa3ac692c2fc18714d41593ab46514ee20340719840fdf1e119

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        10f0a032dee2792bfd176c05bfbd2e0e

                        SHA1

                        f8c3a5a2c70f38a3f36dfc5b5f68d9c43c107872

                        SHA256

                        c2659f21f6d26a0f39c2308bac477989ddc88b5e9b89436d69732ec84bdbbf93

                        SHA512

                        fa979c15db8fe24fcb27a647f82dc4b57a1f99dfc20961b4c551cefdd55745525dafd124dfa1f3cf2119be14cb1aafb7b7db5289fe32b5269f52d85724d7ec89

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        899fb20c726ab24e0b3b1e16c27701e0

                        SHA1

                        1c8a1c557c563b5c3a3ea98ad64f0a112c9f00e2

                        SHA256

                        1ba01c075ddf2e34d64be86cc21680a1821256656274b624e4803f189263000b

                        SHA512

                        1f80c6a2a9ea3bed60833ef4aadc5b21c7ec0efd30aaba1041747206c9718ff42e7f4b5403d342d936f11063711a0e4621a1586537cea8369243fcf82440efe6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        2KB

                        MD5

                        007f54ed22223ba1bc17c96e2a16f94d

                        SHA1

                        a42dccb6b0008340567b6b3e7617db52f372eb06

                        SHA256

                        9b26096fbfed40e7b20fb761c46290588b7e55b63a214938822f0f504cbf58bd

                        SHA512

                        84e846ccdc695f54c0e5ede4098c988def3bebb864d6cf46b626ca9749786eb9a5e24e31c8703fc967ec954e7cb78747434751ed9558a3b96fdaa2458d1a9104

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        1.3MB

                        MD5

                        e2be00127ffb448106c5fa8dd924a16a

                        SHA1

                        14f45e875fe5fa8c2671814af51e9c3278068d54

                        SHA256

                        845bdfbffe055f370b1a7a2ee0ca434f6a886965241262f8de2263fb81373738

                        SHA512

                        7cb65e5ef51b5cac1951259398c7146254fef391b84d140b54166f83ee422421b1c2bf2485c3c76a5e1f3e76f2ec36ff567b5cba1ea78859eb4888c33c1d5904

                        Download Submit