Analysis

  • max time kernel
    228s
  • max time network
    228s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13-06-2024 22:00

General

  • Target

    https://mrbfederali.cam

Score
1/10

Signatures

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (52 IoCs)
  • Suspicious use of SendNotifyMessage (51 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe (depth 1, PID 4200)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mrbfederali.cam"
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Mozilla Firefox\firefox.exe (depth 2, PID 1368)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mrbfederali.cam
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 1748, gpu process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.0.1476288859\347279502" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 21996 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99bb0112-1a99-4a5c-9da0-c11d555dd6d9} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1824 2654cc06258 gpu
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 1560, socket process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.1.820140581\463391557" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22847 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af165aa5-0a35-4524-a217-d7afa7067dbc} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2372 26538b89c58 socket
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 4612, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.2.2093587241\1889819754" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2884 -prefsLen 22885 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debd4acf-df0d-4f9b-b1f0-e216308cb3c8} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2952 2654fc3a858 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 1532, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.3.1440380697\613036482" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {210fc0b6-e0c7-4e88-8e14-3e32916b1f51} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3640 265523d4e58 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 3052, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.4.1113461588\216744271" -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5204 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dbe6c40-53f5-458d-a4cd-f9e8761af612} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5208 26554126f58 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 4708, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.5.898202232\246445690" -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c1365e8-ed15-486d-97af-2dc449f3c88b} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5464 26554127b58 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 964, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.6.1127174667\549989507" -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 27536 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fc5c83-f920-4299-a115-79292dc544e0} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5664 26554126358 tab
      • C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 2456, tab process)
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.7.1898275382\634269590" -childID 6 -isForBrowser -prefsHandle 3572 -prefMapHandle 3596 -prefsLen 27774 -prefMapSize 235091 -jsInitHandle 1356 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c526624-ba80-43f8-a35e-183e7f9c839c} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 5808 265552d4258 tab

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmp (26KB)
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmp (26KB)
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\cache2\doomed\12319 (9KB)
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\cache2\entries\7A0176E5A722CBB731BAF588A5A88B130F0F231D (60KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs-1.js (6KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs-1.js (7KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4 (3KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4 (1KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)