Analysis

  • max time kernel
    18s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-05-2024 10:03

General

  • Target

    https://action.azurecomm.net/api/a/c?r=AIAADBE7YYVFSSWTTPABW2XTMLP6W46REBKJRVJZBM6DX6TTBPD5YJ3AJOZRK3RJ6CELNV6LYOUUU67RB6OEWCFS23KKLJSQ5ORPNYGQEBPJCENSZW4BQAKVM4X4RIC7FPQBV4UZIQBQLYOHRQPK3TKBAUH64TY&d=AIAACLPEEK3I6K37IOOVD7SHNHOK6AJIP6MJTJ6I7TXCFTTYLFBBBPGM4QGFKR7BLIYLFARDG3UQSAXXCRLL7HBP7FAMG7EEUBQHILFDGOE2XSZWL3PFPL7PBUTBPICU6FVUMK4ICOUQKY5D6Y3EJ6S5TQBWOMIXXXKHTPGK2NJRS6P2AESGKXFXXBSZFOAP4ODHJCB43XJ3MZRQVMI3EWBJPW3CDKTDJZZYZZYGZRTKUQZIHHBTPI5ZQPAMUNJZT3JZC&i=AIAACTFGLA2N6CSBMONTGV5ERQRJZLQE564WDRDSBL4D4X5HPZYLANBLMLEQQCKZKWM2YKGQ67QYSQRVIDMCUWKMLABRBT5FEF2XT236IZNUJX2ZSBO7FGWRI5GHW2OWYOAFZSFHDIPV3HWBLQ7FJI6DTC7MWGYL5PJTPKQNHWHT5BXKGSJ5RBRMJTCSSCMFYQ7DNW6QUPMCPLFZGWFBWNWAU4ERS66MMDUVKT6QASKPVHN5LGKZT53Z7RGUJL33JUB2I6F3IIIUYQDHQUBQY2NTKHOGC3Y

Score
5/10

Malware Config

Signatures

  • Detected potential entity reuse from brand microsoft.
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments. On this run the only readers are the browser's own processes, firefox.exe PIDs 1028 and 3332 under C:\Program Files (see the process tree below), so the hit carries little weight by itself.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The signature is listed with a TTP mapping but no IoC count, and no process in the tree below is tagged with it, so there is nothing on this page to reconcile it against.
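The two explained signatures above (processor-information reads and Task Scheduler COM use) are generic heuristics whose weight depends on which process fired them. The Python below is an added example, not part of this report or of the sandbox's signature engine: it scans a constructed API-trace in a simple key=value line format (invented for this example; the sandbox's real log format differs) for the same two behaviours and rates hits from the browser's own image path as low confidence, the way a reviewer would read this page. The Task Scheduler CLSID is the documented CLSID_TaskScheduler from taskschd.h; the trace format, the hypothetical update.exe process and the image allowlist are assumptions.

```python
import re
from collections import defaultdict

# CLSID of the Task Scheduler service object (CLSID_TaskScheduler from taskschd.h).
CLSID_TASK_SCHEDULER = "{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}"

# Registry keys a sandbox-aware sample reads to fingerprint the CPU; the same
# keys are also read for benign reasons, so the hit is rated by who made it.
CPU_KEY_RE = re.compile(
    r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+", re.I)

# Images whose hits on these two heuristics are treated as expected noise.
# Assumption for this example: the Firefox install path seen in the report.
LOW_CONFIDENCE_IMAGES = ("c:\\program files\\mozilla firefox\\firefox.exe",)

# key=value tokens; values may be double-quoted to allow spaces in paths.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_trace_line(line):
    """Parse one key=value API-trace line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def classify(event):
    """Return the heuristic name an event triggers, or None."""
    api = event.get("api", "")
    if api.startswith(("RegQueryValueEx", "RegOpenKeyEx")):
        if CPU_KEY_RE.match(event.get("key", "")):
            return "checks_processor_information"
    if api == "CoCreateInstance" and event.get("clsid", "").upper() == CLSID_TASK_SCHEDULER:
        return "uses_task_scheduler_com_api"
    return None


def triage(trace):
    """Count heuristic hits per (pid, image) and rate confidence by image path."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = parse_trace_line(line)
        sig = classify(ev)
        if sig:
            hits[(ev["pid"], ev["image"])][sig] += 1
    findings = []
    for (pid, image), sigs in hits.items():
        confidence = "low" if image.lower() in LOW_CONFIDENCE_IMAGES else "high"
        for sig, count in sigs.items():
            findings.append({"pid": pid, "image": image, "signature": sig,
                             "iocs": count, "confidence": confidence})
    # High-confidence findings first, then by pid.
    return sorted(findings, key=lambda f: (f["confidence"] != "high", f["pid"]))


# Constructed sample trace (not from the report): two Firefox processes doing
# what the report's signature describes, plus a hypothetical dropper in %TEMP%
# that fingerprints the CPU and instantiates the Task Scheduler service.
SAMPLE_TRACE = r'''
pid=1028 image="C:\Program Files\Mozilla Firefox\firefox.exe" api=RegQueryValueExW key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=ProcessorNameString
pid=1028 image="C:\Program Files\Mozilla Firefox\firefox.exe" api=RegQueryValueExW key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=~MHz
pid=3332 image="C:\Program Files\Mozilla Firefox\firefox.exe" api=RegOpenKeyExW key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0
pid=5120 image="C:\Users\Admin\AppData\Local\Temp\update.exe" api=RegQueryValueExW key=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=ProcessorNameString
pid=5120 image="C:\Users\Admin\AppData\Local\Temp\update.exe" api=CoCreateInstance clsid={0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
pid=5120 image="C:\Users\Admin\AppData\Local\Temp\update.exe" api=CreateFileW path=C:\Users\Admin\AppData\Local\Temp\x.dat
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"[{f['confidence']:4}] pid={f['pid']} {f['signature']} x{f['iocs']} {f['image']}")
```

Run stand-alone it lists the %TEMP% process first with both heuristics at high confidence and the two firefox.exe hits at low confidence; the allowlist is a path match only, so in a real pipeline it should be backed by a signature or hash check on the image rather than the path alone.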

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://action.azurecomm.net/api/a/c?r=AIAADBE7YYVFSSWTTPABW2XTMLP6W46REBKJRVJZBM6DX6TTBPD5YJ3AJOZRK3RJ6CELNV6LYOUUU67RB6OEWCFS23KKLJSQ5ORPNYGQEBPJCENSZW4BQAKVM4X4RIC7FPQBV4UZIQBQLYOHRQPK3TKBAUH64TY&d=AIAACLPEEK3I6K37IOOVD7SHNHOK6AJIP6MJTJ6I7TXCFTTYLFBBBPGM4QGFKR7BLIYLFARDG3UQSAXXCRLL7HBP7FAMG7EEUBQHILFDGOE2XSZWL3PFPL7PBUTBPICU6FVUMK4ICOUQKY5D6Y3EJ6S5TQBWOMIXXXKHTPGK2NJRS6P2AESGKXFXXBSZFOAP4ODHJCB43XJ3MZRQVMI3EWBJPW3CDKTDJZZYZZYGZRTKUQZIHHBTPI5ZQPAMUNJZT3JZC&i=AIAACTFGLA2N6CSBMONTGV5ERQRJZLQE564WDRDSBL4D4X5HPZYLANBLMLEQQCKZKWM2YKGQ67QYSQRVIDMCUWKMLABRBT5FEF2XT236IZNUJX2ZSBO7FGWRI5GHW2OWYOAFZSFHDIPV3HWBLQ7FJI6DTC7MWGYL5PJTPKQNHWHT5BXKGSJ5RBRMJTCSSCMFYQ7DNW6QUPMCPLFZGWFBWNWAU4ERS66MMDUVKT6QASKPVHN5LGKZT53Z7RGUJL33JUB2I6F3IIIUYQDHQUBQY2NTKHOGC3Y"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://action.azurecomm.net/api/a/c?r=AIAADBE7YYVFSSWTTPABW2XTMLP6W46REBKJRVJZBM6DX6TTBPD5YJ3AJOZRK3RJ6CELNV6LYOUUU67RB6OEWCFS23KKLJSQ5ORPNYGQEBPJCENSZW4BQAKVM4X4RIC7FPQBV4UZIQBQLYOHRQPK3TKBAUH64TY&d=AIAACLPEEK3I6K37IOOVD7SHNHOK6AJIP6MJTJ6I7TXCFTTYLFBBBPGM4QGFKR7BLIYLFARDG3UQSAXXCRLL7HBP7FAMG7EEUBQHILFDGOE2XSZWL3PFPL7PBUTBPICU6FVUMK4ICOUQKY5D6Y3EJ6S5TQBWOMIXXXKHTPGK2NJRS6P2AESGKXFXXBSZFOAP4ODHJCB43XJ3MZRQVMI3EWBJPW3CDKTDJZZYZZYGZRTKUQZIHHBTPI5ZQPAMUNJZT3JZC&i=AIAACTFGLA2N6CSBMONTGV5ERQRJZLQE564WDRDSBL4D4X5HPZYLANBLMLEQQCKZKWM2YKGQ67QYSQRVIDMCUWKMLABRBT5FEF2XT236IZNUJX2ZSBO7FGWRI5GHW2OWYOAFZSFHDIPV3HWBLQ7FJI6DTC7MWGYL5PJTPKQNHWHT5BXKGSJ5RBRMJTCSSCMFYQ7DNW6QUPMCPLFZGWFBWNWAU4ERS66MMDUVKT6QASKPVHN5LGKZT53Z7RGUJL33JUB2I6F3IIIUYQDHQUBQY2NTKHOGC3Y
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {905e9357-9da9-4560-b867-b56aada49176} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" gpu
        3⤵
        PID:4236
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2efe9223-51ec-4740-b51d-3885f53bc6f3} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" socket
        3⤵
        PID:3604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3184 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03168ffa-6099-4b7b-94c8-6dae73662180} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:4452
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3552 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a2a7bad-b327-4e42-ad5b-23e66423e939} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:2876
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4232 -prefMapHandle 4228 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05802143-7801-42d9-a318-8eb4ad9d5e44} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" utility
        3⤵
        • Checks processor information in registry
        PID:3332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad93179-bc11-4174-9d42-7b43888fdce3} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:2196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5556 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {961b2194-5dde-4333-a4ea-10293ce05a75} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:1816
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4102053e-7b5c-40ab-99b6-84ec17143ced} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:3304
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 6108 -prefMapHandle 5760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79c79258-0c39-4081-91de-b8b7c93c49c4} 1028 "\\.\pipe\gecko-crash-server-pipe.1028" tab
        3⤵
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\activity-stream.discovery_stream.json
    Filesize: 19KB
    MD5: 8c46a2c8c0545e14579921b4c51cb921
    SHA1: 6ff2f6f27116cf654357c28951f8c92375ae1181
    SHA256: 3b37b071eee2d5005f2718f64dfc6b7bd98ef72debfcb9099ba6f40ede8ba46a
    SHA512: 4f8db7cacc21a8c906ee8ecd076272331c7a0a2c84931c80cd8ac8daffdbf7e83fd82046ad650ecaa56bb6256a43abf89c70a295756657b0c93fae2fec6e5938

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: 6859aab18b5cbe01b130828dce1b07a3
    SHA1: 631dc1e11c73e39018839ca7aa778fe087312951
    SHA256: 3acc20b4259015e4d2ecaa797ae4ca5c7cc83acb0149deb3842a99309b52e72c
    SHA512: bdfe1df822352d7470567aad45d055e0228d38524291d04e88248d3f46e0d963164a5f5dca7fd862a58f4fafa4982cc4249e72a61d51bff13a18657721cd12dd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 6KB
    MD5: d39e87f0acdea9806da31425a4ecd168
    SHA1: f12aceee8b64c7c4ef70a744f25e89d918b1adff
    SHA256: 61a22fe6aa698f3d61ce2a1c9baec995c3d240cb05eaf5a52fe99f5234b2dc8c
    SHA512: 1b0ce032b43271d9254e820309a59386f5913a8922e192235783aa3e1f06fd79367752003e46e2ffc49fdafbf2fe8e69507e72dab140e88a0d47219f11949b64

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\18ca9050-014a-44ea-ac6e-f865cd6a5366
    Filesize: 982B
    MD5: 46b69a51628af3f356f50a7bfc4c6223
    SHA1: e67804fd686c0274817eb3cc110f5a78be5eabcf
    SHA256: ea9d4762423d5e577413d471db54de1fdd3cc8d2cfb2f6bbbe650950d1106b8c
    SHA512: b8e56aa2813298e2c952eff80ca0ea9610bb1fd24d88ad1f9512e2686504629309eaf99715fe272a68b9cff0e892ac5dc670ecbca902b278c5309709e74ff921

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\25911cb7-c318-42c1-8c86-18af3ef9c26b
    Filesize: 671B
    MD5: 76b9d4b6cc35926c3c0d72b69dcb6b0e
    SHA1: 10dcd416be62e0ba36832e58d12270095ea91bc3
    SHA256: 24faaa608b6f846c67e756ad9e4ee16acacbb3c9c0abff74fd6778233c685f39
    SHA512: 611213416329a4646c6160db0ec63ef836d0002e7e40d2fbaae345272ae97a031414e0366c3b460c531ac1bf6ac175c5765387c7b31517c389fd30d1dcf2b189

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\datareporting\glean\pending_pings\a4a320ee-f12a-41a1-bcbe-07bf2bc47bf6
    Filesize: 25KB
    MD5: e63d2056d6a73b18fd6f38cf649c9ba9
    SHA1: 1b89914867fe964246726b30e52c173cbf4734bb
    SHA256: f318523afbfe0b6c8af93140b64ff5503b1bead1673ad4fe3702317b36101d6f
    SHA512: f53d88373992eaae5e45096e37dd5825b1e81a829fcc8678a47c470c7ef99b4875989d7f7f4774f9461dddef42ae3b5e551cdc1dff6ff0c49766166d87d58ffb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs-1.js
    Filesize: 8KB
    MD5: 31a46cb92a9f306b2713dd94f36726d9
    SHA1: a9ff0d9b5acc41faa9e9d935075657c37aac69ad
    SHA256: f9916fafc31024955c4fd7f12625dc68ae7e854d48f583dc85f2b0c1ef30282d
    SHA512: 3da05b48d587dd6c32168c84251ed79592343081eb14448d103537eabac28ee21d02e56cb06a7f521b8610d06ff71278096293573c5471252c80290ef454dd92

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs.js
    Filesize: 8KB
    MD5: c4f19977efa49fb399f155903181ceb6
    SHA1: 76b46b733712e730859f02423f6b2a7bebfa804b
    SHA256: 15d14367987dd95ba299a097315ab0a9398e0e3f5fc1e3c4001a46ce0d0590c2
    SHA512: 06b4625f8ce0cd133ed552383d00b21cb7c5ecbd37b9a8d250dce16a40c02346e2c43e09ad339708b4ca1723d4360d1bd97078c580aee412f3ab9d5a731cdad4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\prefs.js
    Filesize: 8KB
    MD5: 8f18dde95513a5ef354a3131ef6970c0
    SHA1: 5956bea2b561a784e7b10dff0adf2b15d2b45339
    SHA256: 2b942c7ed2b16b1cc84f507b387ac94d168ebfebd0dfee01fed0826598ee974b
    SHA512: 6cf0b20877b88699b4fcbf3af46b00659ae061208ad955d465261c12906e07ea5f84913ae6c3a3011e00b6cd87ca31c86a8c43795d305fdacdaf566114cdc727
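As an added triage example (not part of this report, and not code from the sandbox vendor or Mozilla), the Python below transcribes the process tree, the dropped-file list and the Target URL from this page and answers the questions a reviewer asks of a 5/10 browser run: did any process outside the Firefox install directory appear, did any dropped file land outside a Firefox profile directory, which PIDs carry each signature (so the summary can be reconciled with the tree), and what host and parameters the target has. Calling PID 2828 the parent is taken from the tree; reading azurecomm.net as a Microsoft (Azure Communication Services) domain and the /api/a/c path with opaque tokens as a click-tracking redirector is an inference from the hostname and the brand-reuse signature, and the tokens are not decoded. The install directory and profile-path marker are assumptions fixed from the paths on this page.

```python
import ntpath
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Target URL copied from the report's General section.
TARGET = "https://action.azurecomm.net/api/a/c?r=AIAADBE7YYVFSSWTTPABW2XTMLP6W46REBKJRVJZBM6DX6TTBPD5YJ3AJOZRK3RJ6CELNV6LYOUUU67RB6OEWCFS23KKLJSQ5ORPNYGQEBPJCENSZW4BQAKVM4X4RIC7FPQBV4UZIQBQLYOHRQPK3TKBAUH64TY&d=AIAACLPEEK3I6K37IOOVD7SHNHOK6AJIP6MJTJ6I7TXCFTTYLFBBBPGM4QGFKR7BLIYLFARDG3UQSAXXCRLL7HBP7FAMG7EEUBQHILFDGOE2XSZWL3PFPL7PBUTBPICU6FVUMK4ICOUQKY5D6Y3EJ6S5TQBWOMIXXXKHTPGK2NJRS6P2AESGKXFXXBSZFOAP4ODHJCB43XJ3MZRQVMI3EWBJPW3CDKTDJZZYZZYGZRTKUQZIHHBTPI5ZQPAMUNJZT3JZC&i=AIAACTFGLA2N6CSBMONTGV5ERQRJZLQE564WDRDSBL4D4X5HPZYLANBLMLEQQCKZKWM2YKGQ67QYSQRVIDMCUWKMLABRBT5FEF2XT236IZNUJX2ZSBO7FGWRI5GHW2OWYOAFZSFHDIPV3HWBLQ7FJI6DTC7MWGYL5PJTPKQNHWHT5BXKGSJ5RBRMJTCSSCMFYQ7DNW6QUPMCPLFZGWFBWNWAU4ERS66MMDUVKT6QASKPVHN5LGKZT53Z7RGUJL33JUB2I6F3IIIUYQDHQUBQY2NTKHOGC3Y"

# Assumptions fixed from the paths on this page.
FIREFOX_DIR = r"C:\Program Files\Mozilla Firefox"
PROFILE_MARKER = "\\Mozilla\\Firefox\\Profiles\\"

FX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CPU = "Checks processor information in registry"
WPM = "Suspicious use of WriteProcessMemory"
# Process tree transcribed from the report: (pid, parent pid, image, role, signatures).
PROCESSES = [
    (2828, None, FX, "parent", [WPM]),
    (1028, 2828, FX, "browser", [CPU, "Modifies registry class",
        "Suspicious use of AdjustPrivilegeToken", "Suspicious use of FindShellTrayWindow",
        "Suspicious use of SendNotifyMessage", "Suspicious use of SetWindowsHookEx", WPM]),
    (4236, 1028, FX, "gpu", []), (3604, 1028, FX, "socket", []),
    (4452, 1028, FX, "tab", []), (2876, 1028, FX, "tab", []),
    (3332, 1028, FX, "utility", [CPU]),
    (2196, 1028, FX, "tab", []), (1816, 1028, FX, "tab", []),
    (3304, 1028, FX, "tab", []), (2304, 1028, FX, "tab", []),
]

PROFILE = r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release"
# Dropped files transcribed from the report's Downloads section: (path, sha256).
FILES = [
    (r"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k6zex9vv.default-release\activity-stream.discovery_stream.json",
     "3b37b071eee2d5005f2718f64dfc6b7bd98ef72debfcb9099ba6f40ede8ba46a"),
    (PROFILE + r"\datareporting\glean\db\data.safe.tmp", "3acc20b4259015e4d2ecaa797ae4ca5c7cc83acb0149deb3842a99309b52e72c"),
    (PROFILE + r"\datareporting\glean\db\data.safe.tmp", "61a22fe6aa698f3d61ce2a1c9baec995c3d240cb05eaf5a52fe99f5234b2dc8c"),
    (PROFILE + r"\datareporting\glean\pending_pings\18ca9050-014a-44ea-ac6e-f865cd6a5366", "ea9d4762423d5e577413d471db54de1fdd3cc8d2cfb2f6bbbe650950d1106b8c"),
    (PROFILE + r"\datareporting\glean\pending_pings\25911cb7-c318-42c1-8c86-18af3ef9c26b", "24faaa608b6f846c67e756ad9e4ee16acacbb3c9c0abff74fd6778233c685f39"),
    (PROFILE + r"\datareporting\glean\pending_pings\a4a320ee-f12a-41a1-bcbe-07bf2bc47bf6", "f318523afbfe0b6c8af93140b64ff5503b1bead1673ad4fe3702317b36101d6f"),
    (PROFILE + r"\prefs-1.js", "f9916fafc31024955c4fd7f12625dc68ae7e854d48f583dc85f2b0c1ef30282d"),
    (PROFILE + r"\prefs.js", "15d14367987dd95ba299a097315ab0a9398e0e3f5fc1e3c4001a46ce0d0590c2"),
    (PROFILE + r"\prefs.js", "2b942c7ed2b16b1cc84f507b387ac94d168ebfebd0dfee01fed0826598ee974b"),
]


def under(path, root):
    """True if a Windows path lies inside root (case-insensitive, no prefix tricks)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def unexpected_processes(procs, install_dir=FIREFOX_DIR):
    """PIDs whose image is not under the browser install directory."""
    return [pid for pid, _ppid, image, _role, _sigs in procs if not under(image, install_dir)]


def unexpected_files(files, marker=PROFILE_MARKER):
    """Dropped files that are not Firefox profile artifacts."""
    return [path for path, _sha in files if marker.lower() not in path.lower()]


def signature_rollup(procs):
    """Map each signature to the sorted PIDs it fired on, for comparison with the summary."""
    rollup = defaultdict(list)
    for pid, _ppid, _image, _role, sigs in procs:
        for sig in sigs:
            rollup[sig].append(pid)
    return {sig: sorted(pids) for sig, pids in rollup.items()}


def orphan_parents(procs):
    """Parent PIDs referenced by a child but missing from the tree (a sign of a gap in the capture)."""
    pids = {p[0] for p in procs}
    return sorted({ppid for _pid, ppid, *_ in procs if ppid is not None and ppid not in pids})


def describe_target(url):
    """Host, path and per-parameter token length; the tokens themselves are not decoded."""
    parts = urlsplit(url)
    params = {k: len(v[0]) for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "path": parts.path, "params": params}


def unique_sha256(files):
    """De-duplicated hash list for reputation lookups."""
    return sorted({sha for _path, sha in files})


if __name__ == "__main__":
    print("target:", describe_target(TARGET))
    print("processes outside", FIREFOX_DIR, "->", unexpected_processes(PROCESSES))
    print("dropped files outside a Firefox profile ->", unexpected_files(FILES))
    print("parents missing from tree ->", orphan_parents(PROCESSES))
    for sig, pids in sorted(signature_rollup(PROCESSES).items()):
        print(f"{sig}: {pids}")
    print("unique SHA256 to look up:", len(unique_sha256(FILES)))
```

On this page's data every check comes back empty: all eleven processes are firefox.exe under the install directory, all nine dropped files sit under a Firefox profile, and the rollup reproduces the per-process tags in the tree while showing that "Uses Task Scheduler COM API" has no process-level hit to reconcile. The same functions would flag a run where a second image appears under a user-writable directory or a file lands outside the profile, which is what would justify escalating a browser-only report.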