Analysis
-
max time kernel
141s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
27-04-2024 22:35
General
-
Target
https://www.cosmicbetrayers.com/
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.cosmicbetrayers.com/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.cosmicbetrayers.com/2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a0ea62-8095-40eb-9f85-a1f46b29336b} 468 "\\.\pipe\gecko-crash-server-pipe.468" gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd9d683-d51b-416d-a094-c3d21068f60d} 468 "\\.\pipe\gecko-crash-server-pipe.468" socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2728 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e90f11-7ee2-4949-9b69-c8b77089ccd7} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37400601-6854-4d01-b6a4-71d07be5e3b6} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1516 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 2828 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {402a400c-ede2-4f3a-8fe5-34f998689842} 468 "\\.\pipe\gecko-crash-server-pipe.468" utility3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5116 -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5088 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a5debb9-5836-4c3f-9fab-b0310967c325} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5276 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5b8eab8-877f-4bf4-82c4-d0eff9dbec34} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 5 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b5246f-b9de-488c-ae46-5a3f70bd6101} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 6 -isForBrowser -prefsHandle 5848 -prefMapHandle 5268 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {947c67ff-7178-48cc-a148-ce1bae8ecc33} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 7 -isForBrowser -prefsHandle 4952 -prefMapHandle 6116 -prefsLen 27069 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ecfe962-0d6e-41a1-97b2-470e7e2732a6} 468 "\\.\pipe\gecko-crash-server-pipe.468" tab3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\PING.EXEping -t google.pt2⤵
- Runs ping.exe
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x47c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertOpen.ogg"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\PopStop.pptm" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\md1ejlmw.default-release\activity-stream.discovery_stream.json.tmpFilesize
21KB
MD590166443537371e8c3cf73d0d55d4779
SHA1fd8c8ae59b48a932eb3c6781588cae9c6104793c
SHA25669cc4b2c07f8366e7aec62d904300d3ffdf81a41d1d55740df4daa9d3af7fed2
SHA512baf9f1e87ce8d7d4c9560fb9d291ed4c643a9c8b42bc7ab7a087fba7067700f5201c049446ca856f2ed89c686dac2feaf05ae775e9201cb8ba5461d49675ffc9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmpFilesize
29KB
MD53c2cc8006aa1a22eab9b29d6960674ab
SHA1b4ee2569ca93e7c675a679c6e7fdaca8a3c1bfad
SHA256f73ac9cf185b4e94acedfd7b8d46e0ca2506f712db4c9f667c6a61b666ee1b66
SHA5122639217c2e3f3534c4af3b23c6be07791486a39ff2d3aa6fdb00104af3012278b6820d96a50ab8bc014294bc9a1eb85dc41dd199b25dff987fa0eff3cae55170
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmpFilesize
14KB
MD5dff5aa1353e7a03fc73d5fab06c06c24
SHA11a5c560154c4715fab220b1f2de2b08b68b40b41
SHA256c04cbaa42755bcc148a976c9bc0297cd37b745bd51ab8bb036694ff515fe5e3f
SHA512bad8fb22dc864a9d692ab212ab33d7cae3313291933dae80a2aaa571c505dee63e13bb57c2f4c8d00f75a6f3f0565dab4a09ef367187a109a4b224ee25778cff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD5d81eb49258073985feaf0ceca80f5a25
SHA188fd75dbf62b2ed110f33bbeab179201332cd383
SHA2563d67825cf07aeef69a28f133d6c3c03efc0e613bd329983106b4869407cddfe2
SHA512c7660afe97037a7671f795bb3895490eed212ffe41ba248a96839ce100ebe5eb022a43612ccd0a64e09c283a18a456752890a286c8d779a31b8d803f727d8278
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\bbef52ab-744c-40d3-bc19-ad34645619b1Filesize
756B
MD5abca1f9b9226c258639facfa69402640
SHA1d33581af7829bb4b7f7de6b91dd077cc9e662d95
SHA256f3bed57f69021ee73020451f39577752c6f716ea498ee8694d8f3a189cca5f1b
SHA512f8b0654ee37e00a79d24e52d4d25e686bb4adc8c8714a72ae0c74cfaa29b9c8b0d4747385a4b542a424e20d960100952006eb4cfde20b6e6a349f262daa36a0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\dc732fae-cc3c-420d-b245-a7fcb0379140Filesize
27KB
MD523c20bf97beb4816a868c553df23e31b
SHA11fe87ed5b19300a657306dacfc6429c6a86b60df
SHA256b7a6e623c265baf36e8c4d4fd41430f8c638833aee561fa993e6b07848a67b82
SHA5123b99db61b32a5796f05720a30b2980beb25d0b4ec866bea36dab57f82117b6267cb901a6103de6c923da2c33f28b3e2b3f5bf055246121325c094b4bdbb66dfc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\e723fbb5-1e98-43c2-b2ff-3c1a77a3ff26Filesize
671B
MD5e0c3bc90ee6ce54c053ad528309af730
SHA14d907a536bd312b48903ce6e563625a6eb64ec40
SHA25627a65ae5080fd4afcb730c7309e6232ca7b9dd9c2e63765fe0f7c088b5fb2945
SHA512d7286812d0e300d3232f57c226b0e7c7151550626dfcc61cbb438a7a369c6d12a6e1680cc91154e5384d2800916c666f407d25b5cc1544ff52508970a229b1bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\datareporting\glean\pending_pings\fd21a470-a40a-498a-9058-c7ef51fd6ecfFilesize
982B
MD51ae04098f7ce4fdb6dc6ba613bb736d7
SHA198cfc264a678c5814c751cc605f5b5a609a3218c
SHA256292ea9f721944289599c9616ae3a0d4b9833f31bf63861ab17e0a082208d7ac3
SHA512ecde15cc477b8a081a5a246f9f5e38f85ea565f9c68602a148342618572f3b066dc0452cbb6a5921974f633ed54a136956637e1a2545d647c2fd3747cc184f7b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs-1.jsFilesize
8KB
MD54f0fde1c86f8e955a1d38e0c4b3e6dcc
SHA17b959b275bf278680ef66e2520118e7946d73023
SHA256e0c852cde543cfb9667e65e6c4c6e5d77aae00f695a6628732f9260b76e47b2c
SHA512315d96f3303fc657128698a8d2921cc4e4161c7a11a6f4345dfd12e662f5d1f32c08b39b3e907f615aa21b215339735865462def6139576e9eae6c4cf183bf0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.jsFilesize
8KB
MD5a01ecf1ce1f1c1cfdfaa2e2988ad40be
SHA141bfb0e692c99c672f7ef350433472375ed75509
SHA2566d102fd3a12527a837d5cd1be32c38438387a883637587cdde905f42bd2a351c
SHA512417157761d0618e3581ffc7d3db1ef4d0b99a0027f7d6429984a8c8cb7bebf6c9ebb6d454fa0d7c5e068c918ea04eafcea018c11e0659749e4058bcba6533708
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.jsFilesize
8KB
MD5577c39dcb1c42600b0c2ebec0bac7a5e
SHA1a65b85e22b33f13e750864679370031d0fbfc2a8
SHA25669ad0d839d1322e5e6717863687663c4d17d403ae28cd4929e274e50239313ea
SHA5120e71d95432432e85fd4e726b299b2af70fd330a3d91c96165dac9ffb80412b081eaabbe64ada26eb9268e0d3a68bf107c6037f7c4d25e105dee63ebf65279d23
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionCheckpoints.jsonFilesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4Filesize
1KB
MD5c448957e0dff06ab9a48b560bea99f2a
SHA157669c94740c0d1918a2369bc253228ce7fdd7ba
SHA256552b821699216795a2b9141b153770c0fcd7da34577668ec47946b9de0d01933
SHA512826b3b79eafb1762492c83b0ba1354dcd87fe2873482b6e226b2516ac4db27bda01c3d1ac6e740f0a65019613cef433c292faf734791a3f0134b6c1e03118b45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\sessionstore-backups\recovery.baklz4Filesize
1KB
MD5ec3ee3299619f7ca3d7b0b3819ba864d
SHA14e2889b46efcc3e46c23e1d2d0193cc8fb9f34ad
SHA256eebec1b453ac1e21e4d56f876b7ef14042f689a2d5e81c6fc8f326530473cbbc
SHA512ebac3df0f1cd70572942bc74299d5552a76fa8ad44246e8b15cf06e324bb279d1f6df273c10bada0c171f8cc58ab37e89fbe9c8ead0ed092aad55d617c3a7667
-
memory/2348-555-0x00007FFDBFC60000-0x00007FFDBFC70000-memory.dmpFilesize
64KB
-
memory/2348-552-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/2348-550-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/2348-551-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/2348-553-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/2348-554-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/2348-556-0x00007FFDBFC60000-0x00007FFDBFC70000-memory.dmpFilesize
64KB
-
memory/4684-348-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-359-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-361-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-363-0x00007FFDBFC60000-0x00007FFDBFC70000-memory.dmpFilesize
64KB
-
memory/4684-358-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-357-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-353-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-364-0x00007FFDBFC60000-0x00007FFDBFC70000-memory.dmpFilesize
64KB
-
memory/4684-360-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-429-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-445-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-447-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-446-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-444-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-448-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-362-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-356-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-354-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-355-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-345-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-347-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-346-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-349-0x00007FFDC2130000-0x00007FFDC2140000-memory.dmpFilesize
64KB
-
memory/4684-352-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-351-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/4684-350-0x00007FFE020B0000-0x00007FFE022A5000-memory.dmpFilesize
2.0MB
-
memory/6992-549-0x00007FFDE2740000-0x00007FFDE37F0000-memory.dmpFilesize
16.7MB
-
memory/6992-548-0x00007FFDE3A00000-0x00007FFDE3CB6000-memory.dmpFilesize
2.7MB
-
memory/6992-546-0x00007FF79CE20000-0x00007FF79CF18000-memory.dmpFilesize
992KB
-
memory/6992-547-0x00007FFDF3BF0000-0x00007FFDF3C24000-memory.dmpFilesize
208KB