Analysis
-
max time kernel
37s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-06-2024 07:47
General
-
Target
https://rewards.app.link/3p?$3p=e_et&$ios_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$android_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$desktop_url=http://www.wonderwallperu.com/wp/?q=dXNlci51c2VyQHJhbmRvbWVtYWlsLmNvbQ0K
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://rewards.app.link/3p?$3p=e_et&$ios_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$android_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$desktop_url=http://www.wonderwallperu.com/wp/?q=dXNlci51c2VyQHJhbmRvbWVtYWlsLmNvbQ0K"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://rewards.app.link/3p?$3p=e_et&$ios_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$android_url=https%3A%2F%2Fwww.woolworthsrewards.com.au%2Fwoolworths-offer%2Ftotal-store.html&$desktop_url=http://www.wonderwallperu.com/wp/?q=dXNlci51c2VyQHJhbmRvbWVtYWlsLmNvbQ0K2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.0.336109868\1284794853" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df208648-a936-4dee-b22f-024af94437fe} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 1860 2adff0f6c58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.1.137368881\824074532" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a52872b9-5920-404b-9e8c-fdacbeae4ba4} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 2492 2ad89f46a58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.2.909443571\1124743216" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7784118c-334b-47c5-a21c-b25222973d95} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 2992 2adfcd7fa58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.3.1961718837\327370830" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcc0ff75-6962-46ad-9d2f-ff14a3e7927e} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 3556 2ad8e83cd58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.4.321901592\24982901" -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59b2653c-c261-4e8c-bf43-3b047318d4b8} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 5172 2ad8fa60258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.5.1879141292\1680119686" -childID 4 -isForBrowser -prefsHandle 3148 -prefMapHandle 5428 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c56156f-4910-4c9d-9069-5aca823a5556} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 5448 2ad8ca62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.6.369634511\1576431425" -childID 5 -isForBrowser -prefsHandle 3040 -prefMapHandle 5160 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {601492d1-6f3f-4526-93ca-7e28a0b19f31} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 3028 2ad8d044c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1804.7.720170332\1978643291" -childID 6 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cdd761d-a8f9-4866-bafb-fec3149aa63e} 1804 "\\.\pipe\gecko-crash-server-pipe.1804" 5684 2ad9081e458 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD5ece3d59b12c938c7f3912aad8946b7a4
SHA1210e0e23ebec19db40cab708cb35e671277d2746
SHA2566b99efb790eb1ca5fd1bd3efff329936b9388a80b738b9f2bc16d2c94782475f
SHA5120888b0a311c2e9d2825050de6e7f2f0cbae476ffeb48683b12519eea9e41e15f7bbaa7c2d7fd8c7a5f10227b8173b190b8bef61d78b7596396888defe72b8a8c
-
Filesize
7KB
MD50e449b3474470edbf9828f037b4518fd
SHA1302a66f51fc67af344af67b14fab40bfdad45544
SHA256c827b9dd520d2692219ac20da7ff5354bdb6a98646ebf3ebf572e1c6e96e4803
SHA5128ee4a5a101aa6b84057f1f42be8177b1be4c4570f5c8f7fa800cd3da0aed725123a17e4d719c482279b11a89cef8ebaec94308ae261beda83e73808be0a84623
-
Filesize
6KB
MD5c59a3679be7bb23efda8c077ef060a93
SHA165daf846f26f7102739ffe60e3e684bb4c5a056c
SHA256d4e22fb8e72635cca35ea624376010cdf77f596faa6722ca9f29d2efd4c318ff
SHA51243a5f00961a843b5facb8164125ce8ea5eeabffbfe4d984194376ff646e4733c5ff4789fbc071be855db719d3065670c52515fbf7a57ba52bc4e004a4555d212
-
Filesize
6KB
MD50dff6bcd1d9fb050ab41755ca0699157
SHA12a0bc02fa929d664772b0711b844d1c796af348d
SHA256c0f05243bc4a38d80164a47d947f813d10843bf8888e41b77127fbcc1be6b890
SHA512a897c5f9b15c0a2c72116c653a96356719741aef484a651f4251e3fe897699cab17ef59b0933f2e9a1905868ecb3ca9871e4dadd10fe726ad891a472b7e68a8e
-
Filesize
2KB
MD5f2a586b47b7edbb2c9ed8ab0c3547bab
SHA15d2d6e4c61d3275e19e7659a9a0bd68c708ad124
SHA25673a9cb1781bdd3b695ec1e454a3bcdcef627ec7ef01627437f40793826806caf
SHA512fba73ac2c3ba51487c5b9553d62a1ad9d287d9e30d8ef084faecf7ea42e645363c487d4bbdfeb8a04cd96aa347f37814b3be76af1909860dceb29786567bdb5a