hxxps://this-is-a-cannon[.]skin/

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://this-is-a-cannon.skin/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3340 firefox.exe
Token: SeDebugPrivilege 3340 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3340 firefox.exe
3340 firefox.exe
3340 firefox.exe
3340 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3340 firefox.exe
3340 firefox.exe
3340 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3340 firefox.exe
3340 firefox.exe
3340 firefox.exe
3340 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3340	firefox.exe
Token: SeDebugPrivilege	3340	firefox.exe

pid	process
3340	firefox.exe
3340	firefox.exe
3340	firefox.exe
3340	firefox.exe

pid	process
3340	firefox.exe
3340	firefox.exe
3340	firefox.exe

pid	process
3340	firefox.exe
3340	firefox.exe
3340	firefox.exe
3340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 2380 wrote to memory of 3340	2380	firefox.exe	firefox.exe
PID 3340 wrote to memory of 1168	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 1168	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 4688	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 2008	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 2008	3340	firefox.exe	firefox.exe
PID 3340 wrote to memory of 2008	3340	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://this-is-a-cannon.skin/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://this-is-a-cannon.skin/
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.0.578554623\636846794" -parentBuildID 20221007134813 -prefsHandle 1952 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7295ed-79df-41ee-9148-767ca7dd825a} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 2028 2a4648f8658 gpu
3⤵
PID:1168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.1.2087037852\1753221910" -parentBuildID 20221007134813 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c72dbc48-6faa-4e7c-9bf6-6241c68afbd7} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 2448 2a457de1758 socket
3⤵
- Checks processor information in registry
PID:4688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.2.444969909\1030456124" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3000 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84a2a3fc-a428-4354-9c7c-315d5003a939} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 3180 2a46485d658 tab
3⤵
PID:2008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.3.1722031236\2053273800" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ebe4f79-8357-4ef3-a7ce-2e72cac2f37e} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 3652 2a469774258 tab
3⤵
PID:1504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.4.1827411304\763947536" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 3768 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0808d89d-cb28-4c83-bb34-9014e8e9ea47} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 4628 2a46a56be58 tab
3⤵
PID:1796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.5.290491261\1632890690" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d35681ca-b06a-42c1-a80a-01671a242175} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 4700 2a469459e58 tab
3⤵
PID:3200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3340.6.1379892153\1008548885" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1056 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {922ab358-9003-4b43-b6b5-0af47fecb670} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" 4680 2a469777e58 tab
3⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin
Filesize
3KB

MD5
4b16eca31f41dff293bbc4a0e38920e6

SHA1
d30102adcdc5dd85bd6ab3a2f16a0b806db43172

SHA256
9a3aa96485b7e933545324142dae7b59bc8ebaf439e3d2897219b6ef4d474300

SHA512
d384966c9cba8c953ba2d8a4f77b4b4c71614b5b82c1bed5ec5a2886eff6f2c560b15793275fe6561b92b206e74ea53e6c7b464e3b23c142437cbdb0c634c4e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\247b647a-17bd-4b86-af99-c87b46b3158a
Filesize
12KB

MD5
c690a989707c37924af3cd4c00f9f370

SHA1
2df950da26298195264e8805e6bfb5a4a370e6b9

SHA256
c209f96772e772801b3067151bd5504c9c3aef79ad2f6fcc0a95d0e09c1c2373

SHA512
33650da047827a9be19cca1346e99bc87237719f53cd14f919c61e58d603168f46592948fda6b05bd041e074891f1e8755b5576d795954a0646661c640734bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\98931169-2c56-443c-b59b-53bb63ea4ac8
Filesize
746B

MD5
34df17e9e2bb72361a12ba9b4a1ccf68

SHA1
a5498f0421d5c9d52cef28d2638341accca7713a

SHA256
0d717f227ed5fe9bd8ef06035da1c5e179ed784840337c6440173b6729270434

SHA512
b7c6d02f91f6cfc2531b64f242f66af7c007820414d10edaa4d481be042b29612664a6545a38cceeb246ec1151544f443a6413d601370c2425a11c3bde3ff1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
Filesize
6KB

MD5
3a35a52884302ec79aa5fdbb620340cb

SHA1
17fc197cd7e06a70d1472bb839018bf9632f1b79

SHA256
b472e1b715a44b3d9b6e4537556fbf28e6ed8e358d5f6b23a1299d7948abd009

SHA512
273171dc2f2944c3b9235c62015937cae46a202159bee5d2bda84f8f20e430886a2bc5991ee3a3e2584d47a5ea7c93e100a90c70d8f47a96f30591833083b12a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
Filesize
6KB

MD5
f0affc5cb7cfc3baa05337def562436d

SHA1
5b463b23f2882a61e089e8bfee69a37db5177988

SHA256
3094191dcad8e284eb6a5950e3fd914555e477b0b056742f05568dd25bcd78af

SHA512
de0abd814c6bd0755b3ef29ca2e1793d2d4cdcbe79d299ce5c0e43c97b3f6ba26721947b385d6e23a740401be0b9cbb1df3667fb4c1cac252990686d98913dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
235535b8a69dce37e282c26208bd1c9b

SHA1
b1f231618c74d12982c7fdadcea6e9402ffa6378

SHA256
de9d2ac998ef000623b756236bcfb2ecf29a0d20863d3d504d7e6245a6b9a852

SHA512
1bdecd7fc3569c90db70df6b27d541a2d6cb2f47261ca1d672bd156fccebb0702cb78ba466e6ef33d2a5753d764483132ec03b9e999458d8797d681bda604368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a3313967b40e6ea80858c8609fca6daf

SHA1
a7d4d74693ee0d1fc58ed13f1f716e5046f9e4d6

SHA256
29364de307a7997ec3ef5ebeaf7183701833722afdc14b1a70251b64f17f7122

SHA512
a5466be0ecbb4e6c7f913b69c8fecd99a0b4e84d75019da2c92cc54657e8cb5cbd4b282324977bfb0e34b93bb8a61df58624acd018f18528d51c115436be51c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
c4ef9c23bf117a83a64a34ee9b95700f

SHA1
670aaabfe17d921b46e3ff06d7cebd5cb8df4230

SHA256
58f0e73dc504dc9fa74fccbad81f2d3034940b5d4cc32f387ba5fd462b783600

SHA512
31b70ec35abe30955ed8dde83bb53471e534911fd1f4b14bb6d91546356619c27196db4ca2d4b2afe010d73986a00117641859755daf9d10635077f8f50de10a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore.jsonlz4
Filesize
1KB

MD5
b4f8ed0c1281625c4895ac8a5465c5bd

SHA1
2c6ca9edc2c116dfa4381ecc44c5b15a07afb1d9

SHA256
24672aa7de128dc52fe9839bafafede400a38502e50b4aa253f7847fbf039c0b

SHA512
debdf94e2f1e44c9a76180dc55d1101858d2f7d2f74a5e5b0df9f9963f34517fe6bd512db4b45bcb96a339e35b51fd645fee05f4f7861dcd2b6a670b158af38d

Download Submit