Analysis

  • max time kernel
    37s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2023 23:38

General

  • Target

    http://cytiva.net.ph

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://cytiva.net.ph"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://cytiva.net.ph
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.0.1363720478\2101204017" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82987f77-017e-437b-8dbb-ddebef7b5b2c} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 1984 2174b6da658 gpu
        3⤵
          PID:3752
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.1.2034508519\570226943" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e800be6b-4881-4b03-b060-4e6fa9359eb9} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2456 2174b246d58 socket
          3⤵
            PID:3404
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.2.1937197151\1615278748" -childID 1 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c75528-1423-4538-8a77-31a6a5f4997d} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3168 21737a68158 tab
            3⤵
              PID:1548
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.3.181967421\1132767613" -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b950ba-9334-4989-8872-efbe4d6a38c0} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3888 21750940658 tab
              3⤵
                PID:1920
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.4.10207412\923049754" -childID 3 -isForBrowser -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {024cb8ad-45e0-4620-8f2c-ebbb36190a21} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 4864 21751f08558 tab
                3⤵
                  PID:2692
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.5.1856350259\1041403435" -childID 4 -isForBrowser -prefsHandle 3552 -prefMapHandle 3444 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3dafb4-d5b8-4749-828b-2ab553b463ff} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3452 2174cdba658 tab
                  3⤵
                    PID:3368
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.7.1437935212\7151253" -childID 6 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b960f9b-42d3-4f20-a9de-acac21c303b0} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5456 2175258a358 tab
                    3⤵
                      PID:3824
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.6.267807214\119545171" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {500b22c4-d91d-4eaa-9168-a8f192b7bd76} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5264 217506eec58 tab
                      3⤵
                        PID:4388

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json
    Filesize: 22KB
    MD5: 380569a7a13f07b3beb2a9f9d63d6424
    SHA1: fbba2dfacd40630f4c61819596943d2b2da00e8c
    SHA256: 1b4aff04c1ccdebc868b90737c6b925c3c0c0f8055a771b252e1ce98809bace6
    SHA512: 609b4bcf983f81ff34c0384ee400da81aea512b022c99801daaba01fe0a3293c6a7048d5a348d1a0035917a2385e4cd30e4b942804b93fd71cb0a80ae52cf426

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js
    Filesize: 7KB
    MD5: c3a468cd0f87615743d6fc05be9e3763
    SHA1: 90d5905063ce9f7a60f9b2454de001c87734359a
    SHA256: 4076c8f2119bc7b43a05623f146c07a58da1ccea3313a08d7e8fe0b6db808936
    SHA512: c009c1c1dff51ebde9d64aae9a8e186b2527105b49730aa22c8d853c95ac6cb23e35a79ad2f1128ff1c661ad72dd387f912f5dc901d351ec722b91094da90263

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 4c807d5d91812ab65eb6d865f397e905
    SHA1: f695ed03ceaf94b8a8395bc067fbc353ad320386
    SHA256: 73eef8f27361ae8a80271ecb5114c27ef4ce5bfa567d95d85a44f3aabe071b72
    SHA512: 51c2d86aead1437b869045f42b47430f1762a795947a6bfb4c37b05bb72c4b16b7ab47b55bfee6ee38e594e5191f72aecd09d8460a55fbf5010936dc7b99f8d7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 176KB
    MD5: 9b814a373511faa38d130346b66d06f0
    SHA1: 57648c44743beedd9cab41951ac362654bea54f4
    SHA256: 5b8643bcac8112df8231f28795b292ae64e30f686a6472ba68178433a577ae9e
    SHA512: c254072b17509bd17dd128bbecb2d19c9df5f7670dcc81018062998ee107f3a88369d1e3bed01b79e173bbb338ae377125080d82644ab49e018338d7ec186314