Analysis
max time kernel: 158s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2023 13:37
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
Resource: win10v2004-20231023-en

General
Target: https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/984263168396230666/DWJ_RK2rtVcxAh2GlY7NfTu7SQriLRe-3j65Z4y0izQOlXZo6MbPVfb-o1yds-Frpk56
Signatures
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | rbxgen.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | rbxgen.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | rbxgen.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | rbxgen.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rbxgen.exe

Executes dropped EXE (2 IoCs)
Processes: rbxgen.exe, rbxgen.exe
pid | process
3580 | rbxgen.exe
4744 | rbxgen.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
154 | ip4.seeip.org
155 | ip4.seeip.org
156 | ip-api.com
164 | ip4.seeip.org

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | rbxgen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | rbxgen.exe

Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | rbxgen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | rbxgen.exe

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rbxgen.exe, firefox.exe, firefox.exe, rbxgen.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | rbxgen.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rbxgen.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Enumerates system info in registry (2 TTPs, 8 IoCs)
Processes: rbxgen.exe, rbxgen.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | rbxgen.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | rbxgen.exe

Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | firefox.exe
Modifies system certificate store
Processes: rbxgen.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (DER blob of the "DST Root CA X3" certificate, omitted; written four times in the report) | rbxgen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | rbxgen.exe
NTFS ADS (2 IoCs)
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\Archive.7z:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Archive(1).7z:Zone.Identifier | firefox.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes: firefox.exe, 7zG.exe, rbxgen.exe, rbxgen.exe
description | pid | process
Token: SeDebugPrivilege | 3308 | firefox.exe
Token: SeDebugPrivilege | 3308 | firefox.exe
Token: SeDebugPrivilege | 3308 | firefox.exe
Token: SeDebugPrivilege | 3308 | firefox.exe
Token: SeRestorePrivilege | 1656 | 7zG.exe
Token: 35 | 1656 | 7zG.exe
Token: SeSecurityPrivilege | 1656 | 7zG.exe
Token: SeSecurityPrivilege | 1656 | 7zG.exe
Token: SeDebugPrivilege | 3580 | rbxgen.exe
Token: SeDebugPrivilege | 4744 | rbxgen.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
Processes: firefox.exe, 7zG.exe
pid | process
3308 | firefox.exe (6 entries)
1656 | 7zG.exe (2 entries)

Suspicious use of SendNotifyMessage (5 IoCs)
Processes: firefox.exe
pid | process
3308 | firefox.exe (5 entries)

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: firefox.exe
pid | process
3308 | firefox.exe (10 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: firefox.exe, firefox.exe
description | pid | process | target process
PID 3868 wrote to memory of 3308 | 3868 | firefox.exe | firefox.exe
PID 3308 wrote to memory of 3196 | 3308 | firefox.exe | firefox.exe
PID 3308 wrote to memory of 2028 | 3308 | firefox.exe | firefox.exe
PID 3308 wrote to memory of 4912 | 3308 | firefox.exe | firefox.exe
(distinct writer/target pairs; the report repeats them for a total of 64 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
C:\Program Files\Mozilla Firefox\firefox.exe (PID 3868)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID 3308)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://1cvyl2-my.sharepoint.com/:u:/g/personal/mackie219_1cvyl2_onmicrosoft_com/EdPOs3rl8PhEu6cmuqXkvAYBT0-iQlNhb1OExXH72UH_gw?e=Rkqpoa
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3196)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.0.365464597\1105341842" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1cdf5f-369e-4b1a-9c88-3f9ae146f263} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 1944 1ddafd15b58 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2028)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.1.654678349\1740768646" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d8cfa2-db34-43c5-859d-f13f2b0c2463} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 2368 1ddaeaf0a58 socket
      - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4912)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.2.592354202\770753706" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2980 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a8c7f8-558a-4884-adc5-d2f618071469} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3068 1ddb2e27d58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4524)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.3.1718297424\853477937" -childID 2 -isForBrowser -prefsHandle 3756 -prefMapHandle 3744 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db3a3db-a4ac-4d69-9f36-59dca15dcb48} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 3780 1dd9b16c858 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3544)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.5.1102786328\1181814385" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051b3ca6-52de-40d7-8f60-ab04f0f818b2} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4988 1ddb5087a58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2384)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.6.145596445\1221511835" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5136 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de369be-aa77-4442-bef1-10cc3ca1ffc1} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5252 1ddb50bb058 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1856)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.4.977141970\1705630305" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4796 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8be740a9-72fe-4864-a11a-9de42bcb0489} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 4832 1ddb4e56d58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2368)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3308.7.949519804\1260576102" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1180 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b297f46-d0a8-47af-838e-138ad2919f8a} 3308 "\\.\pipe\gecko-crash-server-pipe.3308" 5760 1ddb7098c58 tab

C:\Windows\System32\rundll32.exe (PID 5272)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe (PID 1656)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Archive\" -spe -an -ai#7zMap1869:74:7zEvent30926
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\Archive\rbxgen.exe (PID 3580)
  "C:\Users\Admin\Downloads\Archive\rbxgen.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\Archive\rbxgen.exe (PID 4744)
  "C:\Users\Admin\Downloads\Archive\rbxgen.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads