Analysis

max time kernel: 228s
max time network: 228s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-06-2024 22:00

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mrbfederali.cam
Resource: win11-20240611-en

General

Target: https://mrbfederali.cam

Malware Config

Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                      Process
  Key created  \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings    firefox.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1368  firefox.exe  (5 identical rows)

Suspicious use of FindShellTrayWindow (52 IoCs)
  pid   Process
  1368  firefox.exe  (52 identical rows)

Suspicious use of SendNotifyMessage (51 IoCs)
  pid   Process
  1368  firefox.exe  (51 identical rows)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1368  firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process      procid_target
  PID 4200 wrote to memory of 1368   4200  firefox.exe  75  (11 rows)
  PID 1368 wrote to memory of 1748   1368  firefox.exe  76  (43 rows)
  PID 1368 wrote to memory of 1560   1368  firefox.exe  77  (10 rows)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4200)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mrbfederali.cam"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1368)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mrbfederali.cam
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1748)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.0.1476288859\347279502" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 21996 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99bb0112-1a99-4a5c-9da0-c11d555dd6d9} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1824 2654cc06258 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1560)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.1.820140581\463391557" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22847 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af165aa5-0a35-4524-a217-d7afa7067dbc} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2372 26538b89c58 socket

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4612)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.2.2093587241\1889819754" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2884 -prefsLen 22885 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debd4acf-df0d-4f9b-b1f0-e216308cb3c8} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2952 2654fc3a858 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1532)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.3.1440380697\613036482" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {210fc0b6-e0c7-4e88-8e14-3e32916b1f51} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3640 265523d4e58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3052)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.4.1113461588\216744271" -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5204 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dbe6c40-53f5-458d-a4cd-f9e8761af612} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5208 26554126f58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4708)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.5.898202232\246445690" -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c1365e8-ed15-486d-97af-2dc449f3c88b} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5464 26554127b58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 964)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.6.1127174667\549989507" -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fc5c83-f920-4299-a115-79292dc544e0} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5664 26554126358 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2456)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.7.1898275382\634269590" -childID 6 -isForBrowser -prefsHandle 3572 -prefMapHandle 3596 -prefsLen 27774 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c526624-ba80-43f8-a35e-183e7f9c839c} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5808 265552d4258 tab
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 26KB
  MD5: ff8f9a14d036e70e52341d84bc2138d6
  SHA1: 79b612703eb6366c25d6e6606d572d6a5d891aad
  SHA256: 4a376b89dd7e8c0294c2c19f1af46af45899c90bbd2532350bcfcb6eaa3fc92a
  SHA512: 5f80d310c831804b2655589fb51d185c0589e34df479362cd55ea8a525d855accc91175cef2d1061b3bbea5ca617964b18cb6c93d24643dcf0a90ea9acc07547

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 26KB
  MD5: 0cc1916fb4c28bd2af4877291a53b8ce
  SHA1: d632e8806b44e7dd6e022fa7a0c6e06a71e101b1
  SHA256: e8d866399e3a98d1ff3bd233392a0095c1d285fbd5684efc8813ddc3ef7f4505
  SHA512: 29f6bf012c701e1685c6b9fb6e19ef8f12f28c0222b9dd69ae639d96f6853c61fdb903e043624616ee56739aa8e67dadee1eaeb0037222898863181dd6873f7d

  Filesize: 9KB
  MD5: c7de5414931888c9f9242cc147d90135
  SHA1: 6fd41a2bc64b2c040a6f1d084c95d702dcf55399
  SHA256: 7edeba040a64583663911ba32529a97cf728b5ee74f3276fcc3b8bc667f4b27c
  SHA512: 7a9e371b56b9dc471bad316763e0890b0d65962392bb0493de6911ab979d44853bb39090a6bc701fcbb76b754e10b3588ed40f6dc107db52d2bb7f7b78152070

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\cache2\entries\7A0176E5A722CBB731BAF588A5A88B130F0F231D
  Filesize: 60KB
  MD5: b30c9deb8c6f28b764e4331c6ba35572
  SHA1: 9fc94f5c4c54ce12e3031be23454ed90f7a5f181
  SHA256: cc232cd6faf1983175fcbf8aed1ff66d89574d70d67f637612ed9bbea6d80138
  SHA512: eb38cd936de163e613a713d1f8da107d7dc2043a5ca1b0e517fa459967d4cf22afe455f9fb5500523d891c83048a5e04ca03c7dee03f991d473aa13ecc02e4d7

  Filesize: 6KB
  MD5: c6452dffafcdbc989f4e1d7b717a4a35
  SHA1: 148ff71949600e495c4671e0bdb1961dffba3a55
  SHA256: 905a929b7f736b15edb10dbecbf23c5d70856fa84c72d6bba8f9fff398ac7945
  SHA512: ff14a493c02a4c5fb585840b6fb94d27ac8a80ff33dfc52de153844e67c1b66b70c5ff4c794bc46f97af05527f9c9e2c2c595de25a325a49c37628bc0ce81436

  Filesize: 7KB
  MD5: 08ec84f799bf7e12537dcc02563babe7
  SHA1: 5312d1a9a47a98844a97a5a14e14adbee5d96a47
  SHA256: f452a06be87ae8828b5a177a9e67d03eb6634af7720b4f652fd77541e49269b4
  SHA512: 22055217e93d0459a242f15fbd1819260744e0f53c4db1c92bb006c5595a1e2fb13ee983aeb3f4ec1bc11220c666074cca9bb10b2a3ea309a21eba39b1a6eddd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5: 28937fa0e78c520da5b8cfc613be6853
  SHA1: 1be78c2f1516fcee2b71228fabf1feb908b071b4
  SHA256: 7c5653877222fe5b029c327dede51532266f6eba6002db21c4a949ac349a4741
  SHA512: e3b397b0934a23fb2d535a8dc63cac4f59db951f8ecc56521da47de0e3c1a40c7dc14d0063bd2cc13ffb9afac6ff416fb869d3972d3c8d486c4755fbbcb22e17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: b984185451240fb91626a547649937cc
  SHA1: a94c5e8316e368ca18349c2ad3442c6d02bd0581
  SHA256: a46f8fab610b008e3ae3a7aa4776686ba6594eed807c9e1c001180678720971a
  SHA512: 9c7e47866372e9feb0b884701658189c4f605bd713113825f8e238c2c049abee2c872658f7156e8be6320f32ec065cdc3317510c76d83f4992294cb1ae232642

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 98f377700e1ede3af98a9c8b51737e1d
  SHA1: bcd2688b4a6b1a4622b7a8f2ecc650f72b8bd2ac
  SHA256: 1008f43677011eb071c06f9269d4b27fbd5b37adb3cc0672992768ca25952b2a
  SHA512: bed98e3c8d9d75e94f1d24bb25d498fd28285471fbd3eac39c6616af6a53c6452e876eed7654a99fa8b0434b748ca3010be387c0e264a0b9ebfee84195a3d101

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 4f27e9ec27e055b010c8cb7ec4380536
  SHA1: 8023360d3cc0946681913a5c093ea6157744ca1b
  SHA256: 51e76f84c1a6d94772d6fed5add2aabbf0ff3dacba53e3dbb2a98ebc8a32bf08
  SHA512: 1745ab16a31bfa919f795f6d745a431328500be3212161a9443bdd17eaf3952658e51354bfb162ac9ba8790468c872ab683e5ca8ca49a2f8409e48efaa0e2a5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 2a5b23140fbfe8ff450776bb8863371c
  SHA1: ff7474ad91856d45b7a41721f83c1b4b2b474d04
  SHA256: aec41699696420bf92666ce102ec9cdc29736fd6eb70fe9c927ce59a49144d30
  SHA512: 5650f578ccbe437a5e1a7eb4374a6fef725f96e7c5830b1fa3df52eb902a99af9b3986b8f2d04a12413c07ad070ffcbff59262a26afecf42b96a18b8589acdfa