hxxps://5bb2[.]educdn[.]net/e/c85em/UofGn6?__$u__

Analysis

max time kernel
45s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://5bb2.educdn.net/e/c85em/UofGn6?__$u__

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2184 firefox.exe
Token: SeDebugPrivilege 2184 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe
2184 firefox.exe
2184 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2184 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2184	firefox.exe
Token: SeDebugPrivilege	2184	firefox.exe

pid	process
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe

pid	process
2184	firefox.exe
2184	firefox.exe
2184	firefox.exe

pid	process
2184	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 4940 wrote to memory of 2184	4940	firefox.exe	firefox.exe
PID 2184 wrote to memory of 1620	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 1620	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3496	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3672	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3672	2184	firefox.exe	firefox.exe
PID 2184 wrote to memory of 3672	2184	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://5bb2.educdn.net/e/c85em/UofGn6?__$u__"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://5bb2.educdn.net/e/c85em/UofGn6?__$u__
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.0.608981065\892903988" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c56fdc4-9a5a-4db2-99ef-e94a2e22b5fd} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 1964 2c2e32f5858 gpu
    3⤵
    PID:1620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.1.386829313\1924273741" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2144 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44ebe583-6298-477a-97d0-623e2937dabc} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 2384 2c2d6970b58 socket
    3⤵
    PID:3496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.2.831353747\1157886076" -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0890b8e9-993a-45d1-86b0-58b95659e62a} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3168 2c2e720cf58 tab
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.3.1709170868\359048703" -childID 2 -isForBrowser -prefsHandle 1260 -prefMapHandle 3552 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31924b2d-7fc3-46ac-bcff-d4dc780070b1} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3888 2c2d696a358 tab
    3⤵
    PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.4.1325707160\735114329" -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 4952 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50469e02-f2dd-4ff2-972a-3c6913b96912} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 4992 2c2e9b87558 tab
    3⤵
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.5.1416789278\914707773" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 4916 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8814b22f-f704-4cdc-8a72-19b7720745c9} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5128 2c2e9b86c58 tab
    3⤵
    PID:4560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.6.50424132\1637332053" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c922308-6046-4e16-ae8c-6d2fefb8e744} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5208 2c2e9b87258 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.7.954234374\961237361" -childID 6 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13da8081-ec22-4fb2-a4e1-12b47d8ed734} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5448 2c2e962ae58 tab
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.8.1647813531\416922500" -childID 7 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21488464-94d2-45cd-8727-8bd733177337} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3784 2c2e5da6d58 tab
    3⤵
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x00o19f5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
a1bb4b3a8c6fa56cc4a05f482e973aaa

SHA1
5eed7af08963b64ec59302640b1f5ab8c5b2cdf5

SHA256
b101c1db4c15f2c0ab13a7b80387a65d436ed9329f4d5d74326282e76ab67084

SHA512
c7eb15eda0ed30662d2abe41ea020069080a7a2aa336cb4bf834418d0c5f9072f2fbc747d5a964e401e4e4b089a40c20141b4fc5f328ee83b01602e32f9a83b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs-1.js

Filesize
7KB

MD5
9001e38db7ab9e6a09800fc9a82e11b1

SHA1
d38c600efc3570d47d5f093983b88ec74602b26e

SHA256
d2435dfd66604895ce77de8255606cb265721a3484dcd4578f608350abd3805c

SHA512
f19edc758aecaf19fb8cef0207829f1b9008f930965b9769aa90f86b21206937b897194af56c3d26480f6b08ffb0105ccb985ae67a2a9b56abb62f479ee9447c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs-1.js

Filesize
6KB

MD5
295748b60f99bf4814b78352b7b758d6

SHA1
6b2088e9614c02c351c28ad3a2f1db22e719bf6d

SHA256
c51028bbfbfd6234106e9e0a3041be8bbaf2e26aab43edbf6a1527b703c8f9e5

SHA512
22da429dd17f6aa5b8be51e3706e908323e3b058287a857ed1711cf4e62d4d1123685e987101207d02a9c2d1af83945225ce02f5788771f1f51ba1cb03bd9b58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs.js

Filesize
6KB

MD5
58f9ea8b9acb7a93d65ef793c3c45a97

SHA1
a6631317ba3060152279ae4d8bf38374451b0f04

SHA256
b61095c3e50b966577d1aefb8d6156c86159b326eaf8a693793491fce218331c

SHA512
dededca61f2853ca6fb9d81709e1d05cd3b2fc9fc8ef7f967b73dd1dc214ddb3e903b917ab2eb36f13561c6aee255c738edde7b9b4dd1587370072745abbcd21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
5742be131a279a560ace1ef31ff2146e

SHA1
7cb130b3c7d6a1a4f21437629551c993eea96df3

SHA256
5b2b4ddf27b9600a233de32ab935e9a86d1326e14d4d3449ab0ab04a96e7548b

SHA512
e801cac73da27c4367047294643cf183743551f62249a110490f2b641c979872240371fba0a3bca8f2813feb906c6bfe4e1d91a5d54bab129795e6951b2bbdb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
db50997f7b3e4179f8e46694b5b1354c

SHA1
5566a68ef79b8fb7b516cd8150738a76251b20c9

SHA256
d8ebf31659be17a1c82853928cbf615c2445f04e5b8163a9ccacadfbe1f52ef8

SHA512
c5c6ff18b567c03ffbb9fc31041696199bf9f4e6a5789c5eb224962367410e66ed811fce3a3efb44c82204f5ffd2447af38fbfa1f4ac2187464877ac9935e4f9

Download Submit