Resubmissions
24-04-2024 22:56
240424-2wssasbc24 824-04-2024 22:55
240424-2v7vtsbb95 824-04-2024 22:52
240424-2ttxksbb6x 824-04-2024 22:52
240424-2tcnasbb69 824-04-2024 22:50
240424-2sq5asbb58 8Analysis
-
max time kernel
33s -
max time network
36s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
24-04-2024 22:50
General
-
Target
http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=20232⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.0.297767197\319205158" -parentBuildID 20221007134813 -prefsHandle 1644 -prefMapHandle 1632 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7b070bc-695d-45c5-a927-602ba2c04d44} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 1760 1427f4cb458 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.1.655915744\732552079" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b89423e-6552-4649-b58f-068390eba1a7} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2136 14274a7de58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.2.623384478\1167798734" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2756 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67d4a038-9e9f-4fc7-abc8-2658f2d3cfad} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2828 1420b0d0758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.3.1722932291\91676720" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad17a5f-2718-467f-8f23-da866c54a416} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 3484 1420c332658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.4.1467583573\1295860671" -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 4812 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93de160d-b1dd-47dc-b9c2-26d6e9f4417f} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4828 1420d73d358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.5.1601054380\1063602327" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f02d5ff7-9e97-44d4-ba7a-fa5a192fbf80} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 4960 1420d73e258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.6.280516486\1908736820" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e39f912-79c5-46c3-a95c-8f69a6711e6c} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 5152 1420d73b858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.7.997082720\1079678092" -childID 6 -isForBrowser -prefsHandle 4264 -prefMapHandle 2836 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cbed384-98b1-484d-a01c-399db7301aa7} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2744 1420e86bf58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.8.1463971963\1526297679" -childID 7 -isForBrowser -prefsHandle 9624 -prefMapHandle 9628 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f89a9c-9002-4958-b1af-7076cf03ce63} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 9636 1420ec58558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.9.1765604523\1947157248" -childID 8 -isForBrowser -prefsHandle 9184 -prefMapHandle 4232 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {916be53e-a0da-44a1-9f4b-b3f7fe09c0e6} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 9180 1420f1fdf58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.10.78704994\250582105" -childID 9 -isForBrowser -prefsHandle 9056 -prefMapHandle 9052 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f3b496b-fc32-4f60-9cb5-8d17158544d5} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 9064 1420f229e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.11.1747719704\1271054203" -parentBuildID 20221007134813 -prefsHandle 9268 -prefMapHandle 9180 -prefsLen 26424 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1828dc3a-37cf-4077-af1a-7102d46ecd59} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 9228 1420e649458 rdd3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3820.12.1411818941\1736435110" -childID 10 -isForBrowser -prefsHandle 2648 -prefMapHandle 4652 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbfd6f72-6bbf-4060-b202-d2c4fe4c73cf} 3820 "\\.\pipe\gecko-crash-server-pipe.3820" 2676 1420e403558 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD557319344e19fc78c5cecf03b369b0948
SHA12c474eadf10d7d359cb3863ca7ce70d70c27b967
SHA2565e88649a3e737553004463f7a86bc345984528f3726447084c70481912f2f9bc
SHA512fccf8f7645de0fbb1931cac3879c2c9939b50874fd062b7d6b7b8e473bbf86eb7ea97e22cb8fe641cc48039bf9291dadb82ab787c86bce2b1ba74b1df335c67a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\b7286804-5d95-4929-9cc4-1af1dbf37afcFilesize
746B
MD5b472af0fffbe67e804ba4908649270c4
SHA1ded95a87fd19eb475e873dcc74328f774df83438
SHA256f1a630b446942cbd1321f64a98a6c3146534291ac3a43e7173dba836276f9d28
SHA5128dcdcc94dfc083d8119abbf623992415dc96ee482a5c2a4edf70ef60ab74d8739f355f803bf4f6dba6f832ccca178ece2419d1a012471e202032b1b3b4e0f202
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\c6d14f0d-69c7-4287-a694-4274385741bfFilesize
11KB
MD5459f9e340a86d5fafa478b72d1a7d783
SHA1ecfd4e48b1366a461ecd34d7144954f79e8f7f96
SHA2566effecd358cf9c87003c30cf82a3b35ebab34febbf93da4440aceb4cb8204f7a
SHA512f925b913b975184e878ccac3752229b3984889ea7d6f63485f5142fcc3cba22bd78642af2e56c70297c34badcae63b1428b695a6bb6b1362ca70148569cc5b70
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.jsFilesize
6KB
MD51f30eef90a385dea9081d293f0b43836
SHA19af11a0e00d1f96464851b446f4c483ca2699507
SHA256fca1ee35769374709c1517c793024d5d2bda51fa57296472b1d301f852f49922
SHA512b87d5e9f51fa7e40b025d67e05081e147e5494e36830b4bfb73b958cfc6b3e5a1d77f8aebf4cc5a48d6d4f146dd45e20458e93377a14456952c267c7925a62ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD55d0654499418f50442e8f13adea06a68
SHA14eb7fa6d906fcc7329d79501f9806b66535a187d
SHA25654eb77200d074f617b7a9a154654a25ff776b67980e9f21a97d17b9b4a079e7c
SHA512254fa183692edc8eee338f9f4ff7fa1994e4a7e80a89cf8354c1beb8371ae8da1cb20127b3e116f6e620cbe2c338151da0fd043238ee5ecb4c10406a8fdaf4d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD577ea5fe7308fadccbc91770778897bdf
SHA1d5342f8eeeba4fbc6912e200fa042a3033a8ee4f
SHA256841244a2c7c71af07ffe481982bb9bb86e063d594e0ceb2c4f6886806161384c
SHA512a2c6abe583c968132cc1b55ee098ff1c22f96860b55ffec3449a2a59e059c00a217a8333294b75749bd66a673aeb46de4562730587a0728bad99f55810fbfa56