Resubmissions

03-11-2023 20:00

231103-yqxyaabf64 1

03-11-2023 19:57

231103-yprpwahe8y 1

Analysis

  • max time kernel
    35s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-11-2023 20:00

General

  • Target

    IRS.gov_Form5071c.html

  • Size

    2KB

  • MD5

    117686efcd9ed95c9b7c300854fb9102

  • SHA1

    299c6767032540195d4e0f4b5815f1f03e8d4f28

  • SHA256

    e73046a28c0736bc881eed591613cbfaa88f370309f745a06f19bd4979e752da

  • SHA512

    535e214d9ea05d4636aeab0d383a5e5efe605146ba6522b4525adba75aaa22691f64e76cff32812fabd7349b5cc3d0ddbced8341c62ddfdde11145b713ac0598

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\IRS.gov_Form5071c.html"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\IRS.gov_Form5071c.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.0.1996573649\1380998730" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2453c0c-cfe1-4096-81a5-c470f5639a69} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 1984 280bd8b5758 gpu
        3⤵
          PID:1896
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.1.772819661\655085976" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2384 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44a33103-6240-43a9-a639-14128c6f2514} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 2404 280bd7e6558 socket
          3⤵
            PID:1140
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.2.442261000\785579945" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3132 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f2b299-407b-460e-892b-37b1cb75b22b} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 3052 280c16d3058 tab
            3⤵
              PID:900
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.3.2119776828\1587834421" -childID 2 -isForBrowser -prefsHandle 3320 -prefMapHandle 3364 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b6a0d31-a310-48ee-a5ab-e8c487d8c9bd} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 3432 280b0e62258 tab
              3⤵
                PID:2596
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.5.1473865022\471405640" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ebca93b-1ebb-4868-831b-8637fee63e30} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 5064 280c3cdb558 tab
                3⤵
                  PID:1280
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.6.2118503065\102015633" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb0fc0d-11f1-44e0-b6f7-a1d972a047b7} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 5252 280c426af58 tab
                  3⤵
                    PID:4332
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3236.4.14351791\116820700" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4904 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c35fa8-1a8e-49c1-9fde-da879acdddb7} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" 4924 280c3cdaf58 tab
                    3⤵
                      PID:3716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp

    Filesize
    22KB

    MD5
    2aea2033300e6369f7830d3b6f8acb0d

    SHA1
    87769e5e7b91de637d73ce76fe4486e7920d4a9e

    SHA256
    d8233db8713e9490975019873cb7da92d746581733e40fff6227de93312717d7

    SHA512
    eea767a962e041f42ac2f3c2238e9407f4d00cdfbe701ac94576f27a3fe162e7cc8042a824f54ba41208252b0105bab8b7c56d86db70fea5614360c74ce93e7b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

    Filesize
    7KB

    MD5
    f6020a195ed71ae41c64e04b942a2bdf

    SHA1
    676d6c64657c870ce139907d3e26c1dd5aa3b4eb

    SHA256
    86bf46788c77c1b53b1a5c2cbbf08df2c662c229f6184fcf3c1ec7371fb3b2e9

    SHA512
    a4eaf52a92e36a5bf15ffa1006e881d30fbf9e30f26a31f97801943d7c627cb72515eb131c0e0dbdb3f4a5dddd3b3cc4cbabff5f1665e4ac93722aafc0456920

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize
    1KB

    MD5
    e1fb3052874c6469c0b398046edfd784

    SHA1
    d1b5fc8bf3e57dd69a70bb6811d7cc54af865f52

    SHA256
    35e0e32d99a58890c854d907d67731dc1aaa11d0302d50a6873c10da8eef1e7d

    SHA512
    279efc9da00c94e724212a0768c348f20bf3239d6f045c2f4d2e3ba702f309f9f645479f1f1bf38cd30c8561ba88b007c57b7e432a5d00dbbcac1f9f7a64f7ef