Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/07/2023, 15:34

General

  • Target

    https://www.facebook.com/n/?notifications%2F&aref=1689729597406422&medium=email&mid=600cc8ad57a04G5b06054a1eb7G600ccd46b7cd6G32b&bcode=2.1689729598.AbyFD4SaCj-uKeufBu4&n_m=gilad.kaufman%40pias.com&lloc=num-all-unseen-notifications&rms=v2&irms=true

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.facebook.com/n/?notifications%2F&aref=1689729597406422&medium=email&mid=600cc8ad57a04G5b06054a1eb7G600ccd46b7cd6G32b&bcode=2.1689729598.AbyFD4SaCj-uKeufBu4&n_m=gilad.kaufman%40pias.com&lloc=num-all-unseen-notifications&rms=v2&irms=true"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.facebook.com/n/?notifications%2F&aref=1689729597406422&medium=email&mid=600cc8ad57a04G5b06054a1eb7G600ccd46b7cd6G32b&bcode=2.1689729598.AbyFD4SaCj-uKeufBu4&n_m=gilad.kaufman%40pias.com&lloc=num-all-unseen-notifications&rms=v2&irms=true
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.0.63720816\86356364" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1872 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69efc305-3103-4e9d-b311-0f12ec2ee161} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 1976 1f7d1bdb858 gpu
        3⤵
        PID:1132
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.1.1767164836\869147706" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b03df6-8ead-4014-bf0f-5ff8dae9b726} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 2400 1f7be0e3a58 socket
        3⤵
        PID:3724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.2.1254430337\1625825429" -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 2932 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f03d05-f5d8-44eb-878f-d728b10e856b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 3344 1f7d5af8558 tab
        3⤵
        PID:2292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.3.799880499\1204119658" -childID 2 -isForBrowser -prefsHandle 3360 -prefMapHandle 3372 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07270087-1dd0-467b-a79f-f9a12e6a5f1a} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 3644 1f7be069358 tab
        3⤵
        PID:1068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.4.1807469377\1268652930" -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 4364 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92d1901f-9a9d-4113-afd9-bc78a6e5b480} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 4708 1f7d7f2d858 tab
        3⤵
        PID:3940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.6.1660861994\602469020" -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecf3020-6393-4905-93ee-4e5931e6bcfe} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 4900 1f7d7f2db58 tab
        3⤵
        PID:2448
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4516.5.1167779113\966732576" -childID 4 -isForBrowser -prefsHandle 5000 -prefMapHandle 4720 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d49f64a9-97d4-424f-b88b-8a81f4db8e73} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" 5020 1f7d71f4158 tab
        3⤵
        PID:1064

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hw21aoqh.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 146KB
    MD5: 68e14033ea47a002d6e8a72ea55eb24a
    SHA1: 03b21f70898029d8205dc5e6d0710e9358652b54
    SHA256: caf1ea1be719f5fd350f2a0633b63addf6249be1291acd81ce9d8051bea7255d
    SHA512: 8828cc6df785574c26ca79cccb97cc4c27470275dc062f77e15e29ac6d4cdb1b851af38adfe0e1401d86b0ef7680ab3e82914ccf4fd8849aa42f97857aca3e7c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\prefs-1.js
    Filesize: 6KB
    MD5: a721eec93879db480e0fd13abd68d0e0
    SHA1: ce6df988b262dfe0c26e28c3af8b35a808840811
    SHA256: 9a26a6c2b24eb356fa04dc72794802cf51282b8f2a8955d4c60ec169ea0cf573
    SHA512: 87de64199c25f5c41d5591c5c645fc2f4a8d6f6e32e0a268c5577f61641899d35bffd1cbb00a4c59c1a0a451f2af77dfad4953fc5b15d463c226070eb32e2b1f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hw21aoqh.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 7KB
    MD5: 9298ca8e7b69782016546253dccc9340
    SHA1: bd27c3b59ea402509f87b4d9967e7c7947c0d20a
    SHA256: 06556952bfe9460cb43e313654a8fcb29899dd712311adb2eebb1608c38cd29e
    SHA512: 4868b504fb396a52470ef867ce13f45f9471dc48296f552dd784a422d1d11a26afde6798c2fea724303537eb9fe1e6a16b537b4a81d1ef48b5493726a6eb109c