Analysis

  • max time kernel
    57s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 08:05

General

  • Target

    https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mjerenje.hep.hr/otkupljivaci/activate/[email protected]/01LTG0uV7j%7b7iDc8OrD0%7b0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.0.1914864759\1006275150" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0220d73b-1e27-4ecf-85a8-734c006904ca} 324 "\\.\pipe\gecko-crash-server-pipe.324" 1852 298a440d158 gpu
        3⤵
          PID:4912
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.1.591277555\826752526" -parentBuildID 20230214051806 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3e59775-ca90-4f8d-ae0f-67c408b5c125} 324 "\\.\pipe\gecko-crash-server-pipe.324" 2492 29897587758 socket
          3⤵
            PID:4052
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.2.1426108459\2028010976" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 1248 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c6add5b-bc96-4383-b6e8-d77e0e096647} 324 "\\.\pipe\gecko-crash-server-pipe.324" 2992 298a6940458 tab
            3⤵
              PID:5044
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.3.1673001483\1260795153" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 2872 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {192688a9-81c6-481d-92e5-2753baaa3d0d} 324 "\\.\pipe\gecko-crash-server-pipe.324" 3672 298a8ce7258 tab
              3⤵
                PID:4576
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.4.1401844295\1901275736" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {032ff774-daa0-4dcd-99da-6750877bb433} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5244 298ab147758 tab
                3⤵
                  PID:2184
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.5.1887031584\163364583" -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5396 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {627e28a1-ca89-4553-aa89-a02425e1261e} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5204 298ab146b58 tab
                  3⤵
                    PID:3664
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.6.2127332236\877392566" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc86ab6f-5ba4-4f7a-9206-e4bbf7ee1357} 324 "\\.\pipe\gecko-crash-server-pipe.324" 5568 298ab148658 tab
                    3⤵
                      PID:5008
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.7.1089859912\861112490" -parentBuildID 20230214051806 -prefsHandle 3552 -prefMapHandle 5792 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec09c87c-aa52-450f-bf8a-53683e23f7c1} 324 "\\.\pipe\gecko-crash-server-pipe.324" 4052 298ac54b058 rdd
                      3⤵
                        PID:1028
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="324.8.292885657\877287330" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 4820 -prefMapHandle 4828 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bacb0d6-fc94-45d0-9a1c-247c214cffa1} 324 "\\.\pipe\gecko-crash-server-pipe.324" 4848 298ac54aa58 utility
                        3⤵
                          PID:872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 24KB
    MD5: b937c1533ee05f842bad04887350a9c5
    SHA1: 4c77bfa6a29f45ce6792e1e54f6de9dc681f63ae
    SHA256: 588f17ed236d8d9ce0b17e09284577b569279ed6ead5682863b3a7c1706d61c2
    SHA512: f44046aa2bf83fb94ff34ecd616d974d8e60f22cee1c5b70b55c8b9f415ca0d9b6bc96724514fd3601caddf1a9fb88c48d4bace1506a56f509129f6686573da7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 7c1b7e780bf8c57888b3c63b30e3f7ff
    SHA1: 7989e6d1e989698845675f8d7fd84305cf313b4b
    SHA256: 5b89dea129f886aa66e2faed808fb25e35e3fbdecb8a8800476e1d7e6e99968e
    SHA512: aa4b07b31a0b605e82387101d65799ae796d9dd993529ca70b56bcc8be071828584e17f73d28ab247463e63b30d9b16fb993064f4888665b2e6a8680d48a1a86

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 459bc83147a394800bcb91b8d2c9e780
    SHA1: 4cb2887310741c3a75c35fe44a660258460b0766
    SHA256: 6459fb0405ada8271e4ea9ed1ba2aa634fbee67da7cdd9b55ae75e8fa34ffe6b
    SHA512: 3fa37bcbb01263d7dcde23b836710577f74afa878f38dbc4024505efbb753c13b480e607227fbb75df0697502f5ee26a4a93a2e6b79437465da3cd75cf86e856

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 22b22d7e0da3ba14b5ae4aa5838979fe
    SHA1: 451eb981b3b63e4d97c837ba7f982003edbc059c
    SHA256: 02f4bfa1bfcd83d13b5b18b8f1fb526b03059151a7adbd7e0a73efd94289fdac
    SHA512: 3a097e02cb6fad52a25bac87a824e81b85524153452f9967777e9e95635a850b72a4bc640b193e7fba404c6181cc0c566375b3eca6cd27b5bd490535e44c80a6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: d03b0aaf19a4349efb0df9587c2ea781
    SHA1: 0abd1d1775f233b4b520e7eb1ff7c842b4ba0e6c
    SHA256: 8eae6a577d4985c2689588b6d2ff36cc16659ffb6484721113aa58e5e44e7dad
    SHA512: 95a378f7818490da4430d25a5a36aa16b6bb46e94cf02bccec23c9ae8156111ed4f3fcb3dba5aab8fde93eadb10e9865c76a447dd2ce8d1e3f75fa5aac53f833