Analysis

  • max time kernel
    47s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2023, 05:44

General

  • Target

    https://bursain-8bbhgsguiuw09098979w2y8099897.cristobalvalenzuelaberrios.com/[email protected]/benefits-enrollment
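URL-level triage of a target of this shape, as an added example (not part of the sandbox report and not the sandbox's own logic). The report shows the first path segment of the target redacted as `[email protected]`; the sample below assumes that segment carried the recipient's address and uses a constructed placeholder there. The brand name defaults to "microsoft" because that is what the report's entity-reuse signature names; the lure word list and the thresholds are my choices.

```python
# Added example: heuristic triage of a credential-phishing URL with the shape of
# this report's target. SAMPLE_URL's address is a constructed placeholder (the
# report redacts that segment); lure words and thresholds are assumptions.
import math
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

SAMPLE_URL = (
    "https://bursain-8bbhgsguiuw09098979w2y8099897.cristobalvalenzuelaberrios.com"
    "/victim@example.com/benefits-enrollment"  # constructed address
)

# Words that commonly appear in HR/payroll credential lures (assumed list).
LURE_WORDS = {"benefits", "enrollment", "payroll", "hr", "password",
              "verify", "invoice", "shared", "document", "login"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def shannon_entropy(text):
    """Bits per character; machine-generated labels sit well above 3.5."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_url(url, impersonated_brand="microsoft"):
    """Return URL-only indicators plus a verdict. The brand comes from
    page-content analysis (here, the sandbox signature), not from the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Last two labels as the registered domain: fine for .com, a production
    # tool would consult the public suffix list instead.
    registered = ".".join(labels[-2:])
    longest = max(labels, key=len)
    entropy = shannon_entropy(longest)
    random_label = (len(longest) >= 20 and entropy >= 3.5
                    and any(ch.isdigit() for ch in longest))

    # Path segments: an email-shaped one pre-fills the victim's address on the
    # fake sign-in form; hyphenated words give the lure theme.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    emails = [s for s in segments if EMAIL_RE.match(s)]
    words = {w for s in segments for w in re.split(r"[-_.]+", s.lower())}
    lures = sorted(words & LURE_WORDS)

    findings = {
        "registered_domain": registered,
        "brand_domain_mismatch": impersonated_brand not in registered,
        "random_looking_label": random_label,
        "longest_label_entropy": round(entropy, 2),
        "prefilled_email": emails[0] if emails else None,
        "lure_keywords": lures,
    }
    flags = sum([
        findings["brand_domain_mismatch"],
        findings["random_looking_label"],
        findings["prefilled_email"] is not None,
        bool(lures),
    ])
    findings["verdict"] = ("likely credential phishing" if flags >= 3 else
                           "suspicious" if flags >= 2 else
                           "no URL-level indicators")
    return findings


if __name__ == "__main__":
    for key, value in triage_url(SAMPLE_URL).items():
        print(f"{key:>24}: {value}")
```

The brand check is the weakest part on its own: a legitimate Microsoft sign-in lives on microsoftonline.com, login.live.com and others, so the mismatch flag only means "brand seen on a domain that does not contain the brand name" and needs the other indicators to carry weight.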

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.

    The submitted page reuses Microsoft branding while being served from cristobalvalenzuelaberrios.com, the usual shape of a credential-phishing lure. It is the only signature in this run that concerns the page itself: the process tree below contains nothing but firefox.exe, so the behavioural signatures describe the browser the sandbox launched, not a dropped payload.

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to the Firefox parent process (PID 4052), which for a browser is expected host profiling rather than evasion by the target.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoCs are attached to this signature and it is not attributed to any process in the tree below.
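What the "Checks processor information in registry" signature is looking for, as an added example (not code from the report or the sandbox). VM-aware samples read the CPU description under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and bail out when the name carries a hypervisor string or the machine looks too small. The registry reader is Windows-only and returns None elsewhere; the heuristic runs on constructed values. The marker strings and thresholds are my choices, not values from the report.

```python
# Added example: the host-fingerprinting check behind the "Checks processor
# information in registry" signature. Registry key is the real one; marker
# strings, thresholds and SAMPLES are assumptions / constructed data.
import os
import platform

PROCESSOR_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
HYPERVISOR_MARKERS = ("qemu", "kvm", "vmware", "virtualbox", "vbox",
                      "virtual cpu", "hyper-v")


def read_processor_info():
    """Read the values the signature refers to. Windows-only: returns None
    on other platforms so the heuristic can still be exercised offline."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROCESSOR_KEY) as key:
        name, _ = winreg.QueryValueEx(key, "ProcessorNameString")
        mhz, _ = winreg.QueryValueEx(key, "~MHz")
    return {"name": str(name), "mhz": int(mhz), "cores": os.cpu_count() or 1}


def sandbox_indicators(info):
    """Reasons an evasive sample would treat this host as an analysis VM.
    Empty list: the host looks like ordinary hardware."""
    reasons = []
    name = info["name"].lower()
    for marker in HYPERVISOR_MARKERS:
        if marker in name:
            reasons.append(f"processor name contains '{marker}'")
            break
    if info["cores"] < 2:
        reasons.append("fewer than 2 logical cores")
    if info["mhz"] < 1000:
        reasons.append("reported clock below 1000 MHz")
    return reasons


# Constructed sample hosts, not values taken from the report.
SAMPLES = {
    "bare-metal": {"name": "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz",
                   "mhz": 2592, "cores": 12},
    "qemu-guest": {"name": "QEMU Virtual CPU version 2.5+",
                   "mhz": 2000, "cores": 1},
}

if __name__ == "__main__":
    hosts = dict(SAMPLES)
    live = read_processor_info()
    if live:
        hosts["this-host"] = live
    for label, info in hosts.items():
        print(label, sandbox_indicators(info) or ["no indicators"])
```

Two consequences for a defender. The signature fires on any process that reads the key, which is why a plain browser triggers it here, so it only matters when attributed to something that should not be profiling the host. And an analysis VM that wants evasive samples to detonate should present a plausible processor name, clock and core count in exactly these values.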

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://bursain-8bbhgsguiuw09098979w2y8099897.cristobalvalenzuelaberrios.com/[email protected]/benefits-enrollment"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://bursain-8bbhgsguiuw09098979w2y8099897.cristobalvalenzuelaberrios.com/[email protected]/benefits-enrollment
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.0.1126334929\1031083391" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4a35ac3-e5d2-44b3-9278-7a2741a5b0d4} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 1944 1ca789d5758 gpu
        3⤵
        PID:2772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.1.1900052942\971124833" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79964695-bbfd-4411-b586-1b5252485fa1} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 2412 1ca78547858 socket
        3⤵
        PID:4136
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.2.1458005749\1274014922" -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3064 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54aa269b-3402-4625-b81e-29edc99e316e} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 2960 1ca7cacbe58 tab
        3⤵
        PID:4504
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.3.827849613\1998258048" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f253482-31a4-463b-91a5-3ab9a6424713} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 3648 1ca64f62b58 tab
        3⤵
        PID:1352
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.4.72029996\164692785" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4920 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42fa6248-af90-4936-b67e-e6e64e2a494d} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 4888 1ca7d3d8c58 tab
        3⤵
        PID:716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.5.1140208344\1582789425" -childID 4 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97741da2-099f-4f37-8ac1-ad6a5506aec5} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 5004 1ca7d3d9258 tab
        3⤵
        PID:4800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.6.2014007380\352874296" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3519f42-15ff-413f-9398-a7f7ff86eee0} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 5204 1ca7ea39858 tab
        3⤵
        PID:4372
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.7.2018773381\1244068243" -childID 6 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e508771d-79f4-4bbc-8cb9-cb556a1095f1} 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 5668 1ca80dc5158 tab
        3⤵
        PID:3008

Network

MITRE ATT&CK Enterprise v15


Downloads

  All five entries are Firefox profile files written by the browser during the run; none is a file downloaded from the target. prefs.js appears twice with different hashes, i.e. it was rewritten during the run.

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wp0zrwot.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 22KB
    MD5:    5f54be2ead2bea920047ebccaea1d517
    SHA1:   71d0589325acdb5689e0d332a7ea44ee6c6ee267
    SHA256: 314d5670ac32867e12758ab4a55d24c1e76280731a0387d11a3bf5c9f78ec173
    SHA512: 217d285fa432a759ff8ff32826530887188e748143e221300502f58c4fa4ad551fcf571d616f7cca8b6a6b5a448f2e4325ae0f9cd0d0bf843e2318ce0dafd9cc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js
    Filesize: 7KB
    MD5:    793b23669cd53c875df582c502b9e116
    SHA1:   4883100e274c47d5ddd29d45999a0988897ebebf
    SHA256: a6d5c9d66ca3c5b6e97a58cbc06e7b922213e3b95dcf4a943964c9e6fba4a0e3
    SHA512: ef13a09d48a65736803d295984c8bebf3e6f9fcddc40011d9bef7f5cd37b96796f6301208cd33e47b746e4841a8c777f59e2a6c201a172b103ab9b839f481940

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs.js
    Filesize: 6KB
    MD5:    7617e279fd31f167510c4099f1cc8a8d
    SHA1:   5772064816dbb6a907df64af2f82d3800aa2a809
    SHA256: 44b2bf163cc7a033a061cc7c19af7efa8dca9502b9f4343d1b6f6ce60b4ca92d
    SHA512: 31423a52de5d213d15dbbbc4c7e43ece1bf9d2cda0b8b4e80cfd8e6f0459ee14aa504a50fd2df6636ef1346edf4df3d5b421fd8306bb5b4ebf8b39ac9dd56853

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs.js
    Filesize: 6KB
    MD5:    cabf109d0ea795c846b74b99e80128dd
    SHA1:   472b1a6b28ad7ff44f7fc3ba9d655337cb2dce0d
    SHA256: afc95d9cbaab44fad1e312fc203b137a93f17f999eea805a5acd6382c1374896
    SHA512: ddd3d7e65ac4ea100e1bfdc47bd0f41d888d1f707cf761f9f80578c1aa7dbdfee199e1aa983228cc6c2c1264dc95a59f02a2eeeb629851483d8108ff1d2c9610

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5:    ac5057492e92fca30ed1b6ca3bbbe3f2
    SHA1:   dc01137d291cd0f1836c1da72f487c99bb3df7e2
    SHA256: 09496022ffca3d059dcd9b9b8d63bc64f454297ebf4a6aac7e9f28e3937649ec
    SHA512: 9030dd4b4671d0dcb6b5e0ad6a84ecb0befb862b00024a20521db034e2037f53de52298953493227fd5b697209b996a82ae0a09e8d4d2209b71785bd7b8a1c85