hxxps://ms-edu[.]tatar[.]ru/tatar/

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ms-edu.tatar.ru/tatar/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	firefox.exe
Token: SeDebugPrivilege	916	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
916	firefox.exe
916	firefox.exe
916	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 224 wrote to memory of 916	224	firefox.exe	88
PID 916 wrote to memory of 3512	916	firefox.exe	90
PID 916 wrote to memory of 3512	916	firefox.exe	90
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 1288	916	firefox.exe	91
PID 916 wrote to memory of 4456	916	firefox.exe	92
PID 916 wrote to memory of 4456	916	firefox.exe	92
PID 916 wrote to memory of 4456	916	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://ms-edu.tatar.ru/tatar/"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://ms-edu.tatar.ru/tatar/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.0.466487888\1841372350" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1836b80b-c360-42ce-abbc-b46a3f77be93} 916 "\\.\pipe\gecko-crash-server-pipe.916" 1976 2602c0f7358 gpu
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.1.613477525\1510373406" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d4909b8-94e4-4cf2-aebb-94e06e65d333} 916 "\\.\pipe\gecko-crash-server-pipe.916" 2404 2601f76fb58 socket
    3⤵
    PID:1288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.2.1775751366\1576427290" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 3292 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18725fb8-399b-4067-ac5d-ee21691ef90c} 916 "\\.\pipe\gecko-crash-server-pipe.916" 3296 2602fee6d58 tab
    3⤵
    PID:4456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.3.1787503360\1500767930" -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bec09dc7-d192-415b-b4eb-ae9e81c1ecc7} 916 "\\.\pipe\gecko-crash-server-pipe.916" 3924 26030ff1158 tab
    3⤵
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.4.865812504\1809065109" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035108f3-c436-4b2b-a1db-3b3859880ce3} 916 "\\.\pipe\gecko-crash-server-pipe.916" 4888 260322b1958 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.5.678102039\2092068675" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e8224f8-085e-40df-a33d-c3de8cafed8a} 916 "\\.\pipe\gecko-crash-server-pipe.916" 5020 260322b1c58 tab
    3⤵
    PID:988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.6.1428254611\1813541099" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c380062f-e28b-47f7-b07e-f556ebd76c78} 916 "\\.\pipe\gecko-crash-server-pipe.916" 5212 260322afb58 tab
    3⤵
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mlil8stk.default-release\cache2\entries\B573808F9B4F64D3E5F0B069BDAA48EF4086E712

Filesize
13KB

MD5
3e6a0cd82cd466263a48925bfedc0b1d

SHA1
63f85b0c93f7fcaafd81f6f8bf8e0ef4b1aa5125

SHA256
228292995614dea3a95bdcc0b455316e2b08f0bcaa30b33cf5d6255517e41a04

SHA512
6d0351426efe7c1a3ac2720a7cb6e7cc91d062ea3458be70de488af03ff39d96093de1337900c91e289c486bac26aa544aec30d9bf36a72f96ce1b96c9ff5801

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
214KB

MD5
bcdc28f7927196424fcfb34c58e1707d

SHA1
7d8afb589642a983b43d17d62518599224adee8b

SHA256
ead0d03cef2e100e8764474672fb5283b7f98aeadf3f0ac1a7fd7327aabecedd

SHA512
6cb37bf075e35517bcc45c50a3492013868b9903d31a35ef389bbe4ce798b30571f1429fe81404337c9c4df29d165c7f6f96c3b4750a9444676555bb0a1bc114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
846fd3ac1c0101bcf5d68512fc8d429d

SHA1
1027c0563a3129314fbe703734acef7719165e59

SHA256
2f5ded7cd7552968c6ee1f8029525c893f07543b751b2da2212e095fe1bb1722

SHA512
cff0a9af67d1eead8a57a0e4ff6874ef5f73da64c748ffcebc77b8ef34d52f4df6ae895aabf6484e85b7a1f28808d82bfdab748df58c561eb0846898f4d75e2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f9bfe324c622f5c5b7b7c38c1e04fadd

SHA1
72b3ba1ffea90981e321f27913467d4f1e4f3ff9

SHA256
e10bd0a208e699d6a710a177117c2b5082dcb299e4947292db4373f0ddaf4547

SHA512
16006014e8dd99a3a8548d84bd29b4029137d2881316d7402c858a831b520fb1527889223b7edf4916ec9552c09f7f7c42161c47b33aed4eb259aa7bce0ba922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\pending_pings\d3a3bd59-8e43-46c5-9e77-6f2a4d27b0a4

Filesize
12KB

MD5
e3d52b113c683b48f2ef741773418605

SHA1
84f68a717a3e794437c85829cdbe4b99703578c3

SHA256
7ce2954ba6bc403c378f3c70477355128c774867f3439f889e91625a68f74f20

SHA512
4b8889572cdd8bbc3262ce22944d1bab147983eeb9debc9b6ec4a705803b4f63c61c6666b8930454deef5fa922f450f785bf1f512d801ef9b28b27694cdd596c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\datareporting\glean\pending_pings\f846ca81-f402-4f29-a5d7-04a67c4f44be

Filesize
746B

MD5
53d9186e5d05a9b7a405123e16533a40

SHA1
8cd409443407a64de16922fff9021e642fd681dd

SHA256
94fee5b44bea8eef9272b9db094cd67e2aca2e10ecaca71e1cc9933add006b1b

SHA512
bda5202c04d28e879f191bde3db280937664b2309009ffeecbd24da3f5b64f661bfe5d68344e60cef5396606241cca2b2f745cb5cdb83e88fa038daec687a5c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
44KB

MD5
6c13df218bee8d941f9816b3597713ab

SHA1
f3edbeede124ea1b12995d1f60b5f5c1f9447f3f

SHA256
405341472a43de2f5ddd8a8af4b7276b8b730451c26c757676896853d587d416

SHA512
7c7b9d0efd6c3881ce9ce2675b53d9c1e49ded8072cb1f6c094220ddf5a8bf38a246cd2be40cfc97923b1470da92704254e52fc73e8cab0460a15fc9d34f5db7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\prefs-1.js

Filesize
6KB

MD5
91dfd9ae71a122cbc50e1938228ca73b

SHA1
a88b69b60631b27822ae30e559925554b2ee9c9c

SHA256
16a132b32e6e0ea8f2312497f899e3e1d9efa1d01ae6884025ad93549a4e152d

SHA512
2d6e96d4a71258d5b75a4b50d0b3672e3077c2d611b1e5cfd50bd619ac8978a5c30bca5f354dacbfd92b367799e3a7c07de7244c1cc0f7cd714e03bb7acc16e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\prefs.js

Filesize
6KB

MD5
3882757962db6765e125b4104535f2f3

SHA1
17c146929d407935bb89a72afc8a56cfe18ae5d1

SHA256
336523656fef18390bb9f5ac00b12ac9a25babb8e9f95fe15eea0bf46914661a

SHA512
e62065c36c651cb11a52835d93c1bbc9f4fa1f8c3d61c4d84a130d55911c5632af344ebe1b0731bf38c33f77662a5d00a04521946f9275db614553553caef1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
992B

MD5
a0b8c7df289a6c9a33594ab56b83d43f

SHA1
930781a2f0728a2d1620578535ce57a963b95a13

SHA256
4eb2fb825c3f044ff27386b4b2c6fe0b2404f736a7620dcc80d860efd4b2d2cc

SHA512
e9535c7fde547ade7339c863029457759220e622c2b6b9d503c5d61ac1032a2324567ad864141f50fe197aa25b1c1e3f80da7bbff589044314d212729841833a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mlil8stk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8469c84a00192d81f4616e7b1fd0fb35

SHA1
169d509cd66c688a15972a92cc2588f859299191

SHA256
bdf1da5e721a7bbf268001002240539c8107a42e1bb518f88371b640f2887cab

SHA512
ac6fc61e203d5f5f3dea7dfe954b1e1d245219b7ec170cdea555a6c23b470e0950a83fc15bde358db5f93b337f77ca7512a71a3c9797c9dad4e30d0cf916e1c4

Download Submit