Analysis

  • max time kernel
    396s
  • max time network
    369s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2023 13:13

General

  • Target

    https://vk.me/join/AJQ1d0NzWSnZK/9ZF5gMuCim

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 49 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://vk.me/join/AJQ1d0NzWSnZK/9ZF5gMuCim"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://vk.me/join/AJQ1d0NzWSnZK/9ZF5gMuCim
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.0.1215086066\822303092" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b3eb80-b015-4692-9373-355a61f795e9} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 1976 1877ceef158 gpu
        3⤵
        PID:2732
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.1.243115085\1041257767" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {930622a4-40c0-454c-bd52-43b35f5eb94d} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 2400 1877cdfa258 socket
        3⤵
        • Checks processor information in registry
        PID:3724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.2.30578444\780399275" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3240 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9de2ccd-6184-416d-9bf5-6dcf834bafd1} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 3204 1877ce5d858 tab
        3⤵
        PID:5016
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.3.82886682\63437061" -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5775a15a-83ec-4ed3-b152-b235f5029cb3} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4000 18703434e58 tab
        3⤵
        PID:3748
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.5.1867727077\562493935" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83ec4ea8-b856-492a-8c42-07b2443adfa7} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5020 187046a7358 tab
        3⤵
        PID:2936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.6.1574191771\602840784" -childID 5 -isForBrowser -prefsHandle 4828 -prefMapHandle 5040 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f618f0a6-49eb-4f5f-8dc3-1806a865a438} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5020 187046a5b58 tab
        3⤵
        PID:2688
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.4.667663302\458722572" -childID 3 -isForBrowser -prefsHandle 4760 -prefMapHandle 4740 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b474318-8e08-4c9d-964f-abf60190e292} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4784 187046a5258 tab
        3⤵
        PID:4676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.7.1946875237\1299083967" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 3168 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1af7f476-3042-442f-95af-edf57ceba174} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5584 18705795d58 tab
        3⤵
        PID:2752
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\WaitEnable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    PID:1916
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\im gay.txt
    1⤵
    PID:2596
  • C:\Windows\SysWOW64\werfault.exe
    werfault.exe /h /shared Global\671ddd60de3d46b194cf254ea8a44ccd /t 1648 /p 1916
    1⤵
    PID:224
  • C:\Windows\system32\control.exe
    "C:\Windows\system32\control.exe" SYSTEM
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:1608
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzw33i5d.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 22KB
    MD5: e0c2d61ba2442a43e35b2fea02861178
    SHA1: 3bd8f632d1819bca9669279dfeac942257ff6152
    SHA256: 3613462e04766766c97b9e0bb926a5e5b342948560fad1e84a85cc4ca16e2f44
    SHA512: 8eae86b5dc71a9e15afa2d899fae89246e3f48825e12d5099b0e97b9a0e87b02627b05d0ef3c1d6a3aa275ed4e01fa3ce03c8e03f2772bbb2e6768fb3baa4be5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 803f79a9ff0832f21587cc7494f3d0aa
    SHA1: f4976adbb744bcd7fc6d87752848e220b96ed723
    SHA256: e6b820212ca97f95e16777c1ab8f9481c1ae9b4211292d513281d7057defa1d2
    SHA512: f07647f4f55a665bcc736a6b32dc637c87c67030d77b9be639123447624a7ec404719fea8872759d604fc165e071e754161a9cbfeb4a959a87726695694b31de

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 7KB
    MD5: cf907666f7d15f4fa812032b528e3297
    SHA1: 115fb4a22b163b14831f98aa2b69b79a86f8bb9b
    SHA256: 1ec5d42e906f134fc53c570c6f2d3cb9afb9fc72efadb3c55b1c18fd63c94110
    SHA512: 1c7869284e90effd38904412dc5f3848d5e585c75946fd18ea45429a9f9054d97922017dcb840af10a86967313cc3daabc209b9f2320db00428acbb317e90515

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore.jsonlz4
    Filesize: 10KB
    MD5: 994f24ce13d1610020154e64fb446553
    SHA1: a103226edfdb370b8cd2815e85b556d03aa84ada
    SHA256: 2d0bb57c8af3e319d93fe0077b033beb6e03bb2f729776e2290f70919996f32f
    SHA512: d6bb034b52db7ac9e1c5c3c8be120591500cb1c2235f1885a3b34313409f32e8530194d9fddb71341ec78ca13f36569dbd6517f3fb8e976af896db39ecd3889b