hxxp://cepheida[.]eu

Analysis

max time kernel
50s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cepheida.eu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	firefox.exe
Token: SeDebugPrivilege	3104	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3104	firefox.exe
3104	firefox.exe
3104	firefox.exe
3104	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3104	firefox.exe
3104	firefox.exe
3104	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3104	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3280 wrote to memory of 3104	3280	firefox.exe	68
PID 3104 wrote to memory of 1016	3104	firefox.exe	87
PID 3104 wrote to memory of 1016	3104	firefox.exe	87
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 2300	3104	firefox.exe	88
PID 3104 wrote to memory of 4208	3104	firefox.exe	89
PID 3104 wrote to memory of 4208	3104	firefox.exe	89
PID 3104 wrote to memory of 4208	3104	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://cepheida.eu"
1⤵
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://cepheida.eu
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.0.2114110814\1609638770" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25240d59-09d7-4510-8310-b59f80034475} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 1948 1dd4f8f5158 gpu
    3⤵
    PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.1.1763188272\1020520709" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e0865d8-6ef8-4740-880b-7979be9990bc} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 2372 1dd4f5fb158 socket
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.2.1930748728\933890878" -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3184 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc02c99f-2664-4d46-8b5a-6ed5adcc8e0e} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 3148 1dd4f85bb58 tab
    3⤵
    PID:4208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.3.1781543789\453613674" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c690265c-8414-46e6-b8b7-2620227eab0b} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 3632 1dd42e62b58 tab
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.6.317989457\1458571554" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef14faa3-cc19-446d-8593-f3d30ee28466} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 5176 1dd56121b58 tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.5.1212747127\70509043" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acd759a0-1533-4036-98fa-a558e76f71ce} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 4996 1dd5611e258 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3104.4.30252628\1861302730" -childID 3 -isForBrowser -prefsHandle 4836 -prefMapHandle 4716 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf7874ac-2c67-47c1-9f12-42c9140e7dfe} 3104 "\\.\pipe\gecko-crash-server-pipe.3104" 4848 1dd42e2d258 tab
    3⤵
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
d32e239203f73165c89da78d7122aee0

SHA1
ac857d129e804cdbaf00de18d896386b021943ab

SHA256
7b7cfdd3fdd5a169ef2a88679989e828b1ba46e8b229a1a6c9dbe8d2592ed0dc

SHA512
2bebb87ff02bfc3af178376c7ed9a5125806c670d4421a15e871a4f3dceb89358c3cc727274df692d00b68fe7cff86af47bb5b55167433fe0d7b516e477c4c9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

Filesize
7KB

MD5
9856303fdbe9dc47772958b35384986a

SHA1
cb9d96d364526359e959b215f1b805380ee40ce1

SHA256
32cfb3b12675c24c0e2218781d7f9f55f90577a20f1c8dc5bd86cffb407aefa3

SHA512
d528265cd30939a8f8b1c8b0d7ed17ecd7168578ba0a898ed9e306794d2058695957c7df2ba6bbd1d38cf02aaa615fe3690435638f4f5d6c9a1f0c86a6facf8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
878e5eacf7a7e4ba371cd3e26e7b7a00

SHA1
6bc145182d29cc5cd31cd9083864697882bd806b

SHA256
0bda779bada750c1f906babed9687a9f7dd64c3a07bcec6465d507d8b1f2ba44

SHA512
f26cc03710ecdc8ca24dabc8139f40d88c2a8da6c43e21921c74b847d2e12889bff33da0ef522d29332331549ea2a9e3e424d80659ade1083632ea1cda85abbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b757a6178470c0f2954205726e77ae4f

SHA1
1f5c6937403c019fafe2c45cb103619b97b65d31

SHA256
e22c42a32df838552efc5bf0e2861d64a60e1d81cbf1d4838a0a247b722af943

SHA512
c6f530daff769d262f04f50b91b9e4ab94665ae188edb4c46890b76de55000a61bb45374821358eecf002e1f7d46ff2df713c7539c3efb6f112e8a22fbfee002

Download Submit