Analysis
- max time kernel: 57s
- max time network: 58s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 08:05
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0
- Resource: win10v2004-20240508-en

General
- Target: https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (firefox.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 324 firefox.exe
  - Token: SeDebugPrivilege, PID 324 firefox.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  - 4 events, all from PID 324 firefox.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  - 3 events, all from PID 324 firefox.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 324 firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs; distinct parent/child pairs listed)
  - PID 3372 firefox.exe wrote to memory of PID 324 (procid_target 83)
  - PID 324 firefox.exe wrote to memory of PID 4912 (procid_target 84)
  - PID 324 firefox.exe wrote to memory of PID 4052 (procid_target 85)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 3372)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 324)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4912, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.0.1914864759\1006275150" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0220d73b-1e27-4ecf-85a8-734c006904ca} 324 "\\.\pipe\gecko-crash-server-pipe.324" 1852 298a440d158 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4052, socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.1.591277555\826752526" -parentBuildID 20230214051806 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3e59775-ca90-4f8d-ae0f-67c408b5c125} 324 "\\.\pipe\gecko-crash-server-pipe.324" 2492 29897587758 socket
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5044, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.2.1426108459\2028010976" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 1248 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c6add5b-bc96-4383-b6e8-d77e0e096647} 324 "\\.\pipe\gecko-crash-server-pipe.324" 2992 298a6940458 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4576, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.3.1673001483\1260795153" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 2872 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {192688a9-81c6-481d-92e5-2753baaa3d0d} 324 "\\.\pipe\gecko-crash-server-pipe.324" 3672 298a8ce7258 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2184, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.4.1401844295\1901275736" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {032ff774-daa0-4dcd-99da-6750877bb433} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5244 298ab147758 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3664, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.5.1887031584\163364583" -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5396 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {627e28a1-ca89-4553-aa89-a02425e1261e} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5204 298ab146b58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5008, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.6.2127332236\877392566" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc86ab6f-5ba4-4f7a-9206-e4bbf7ee1357} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5568 298ab148658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1028, rdd process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.7.1089859912\861112490" -parentBuildID 20230214051806 -prefsHandle 3552 -prefMapHandle 5792 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec09c87c-aa52-450f-bf8a-53683e23f7c1} 324 "\\.\pipe\gecko-crash-server-pipe.324" 4052 298ac54b058 rdd
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 872, utility process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.8.292885657\877287330" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 4820 -prefMapHandle 4828 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bacb0d6-fc94-45d0-9a1c-247c214cffa1} 324 "\\.\pipe\gecko-crash-server-pipe.324" 4848 298ac54aa58 utility
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp (24KB)
- [path not listed in the report] (6KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4 (1KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)