Analysis

  • max time kernel
    19s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11-06-2024 22:18

General

  • Target

    https://ondemand.eoriginal.com/ssweb/login.eo?t=2v51XcFvVzlJMpCEDyOo

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe (PID 3936, level 1)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://ondemand.eoriginal.com/ssweb/login.eo?t=2v51XcFvVzlJMpCEDyOo"
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Mozilla Firefox\firefox.exe (PID 3132, level 2)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://ondemand.eoriginal.com/ssweb/login.eo?t=2v51XcFvVzlJMpCEDyOo
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 32, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.0.1392818612\1078235079" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bb8590e-5c24-4399-bf08-29821ab08719} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 1796 1dfc8debe58 gpu
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 1496, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.1.2052956096\2125637945" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04170482-4e9c-4abb-b693-1bcafaadc83a} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 2172 1dfb6772e58 socket
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 3784, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.2.1619972223\592153200" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14432fac-156c-4413-aa5e-53b19119e1ee} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 2892 1dfccdebb58 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 3752, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.3.1265339840\149383378" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14dd3205-843d-4b80-a9f9-26e9814b8bad} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 3540 1dfb6766258 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 220, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.4.1570893716\166188729" -childID 3 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88641b57-47ee-4238-aa34-d451738e1387} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 4800 1dfd003e258 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 2796, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.5.1466360355\1067558238" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4920 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff81299c-cfe3-4534-9e26-d8105d48b0ce} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 4820 1dfd003ee58 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (PID 4648, level 3)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3132.6.1900696684\355210283" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10c7771-9817-4977-9c6a-ef72432f02dc} 3132 "\\.\pipe\gecko-crash-server-pipe.3132" 5008 1dfd0040958 tab

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin (2KB)

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\0297b7c9-2fb5-4911-bf5f-46e23f8a52db (746B)

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\1e980e56-ab53-4a54-902c-881f6464f9df (9KB)

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js (6KB)

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4 (3KB)

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite (184KB)