Analysis

  • max time kernel
    2s
  • max time network
    11s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25-06-2024 13:11

General

  • Target

    https://ciotracking.bysavi.com/e/c/eyJlbWFpbF9pZCI6ImRnVGg3d2dEQU9haUJlV2lCUUdRU3ZuM1BsWUlNeUF4M0lhR0FCND0iLCJocmVmIjoiaHR0cHM6Ly93d3cuZXZlbnRicml0ZS5jb20vZS9zYXZpLXN0dWRlbnQtbG9hbi13b3Jrc2hvcC1wb2xpY3ktdXBkYXRlcy1sb2FuLWZvcmdpdmVuZXNzLXRpY2tldHMtOTIxNjk0MzQxNTg3P2FmZj1jdXN0b21lcmlvIiwiaW50ZXJuYWwiOiJlMWVmMDgwMjg1Y2UwMWU2YTIwNSIsImxpbmtfaWQiOjE4Mzh9/66d95af85a3da635ff663a2af98ae57bfcab612734164bbee1f8f5576eff092c

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://ciotracking.bysavi.com/e/c/eyJlbWFpbF9pZCI6ImRnVGg3d2dEQU9haUJlV2lCUUdRU3ZuM1BsWUlNeUF4M0lhR0FCND0iLCJocmVmIjoiaHR0cHM6Ly93d3cuZXZlbnRicml0ZS5jb20vZS9zYXZpLXN0dWRlbnQtbG9hbi13b3Jrc2hvcC1wb2xpY3ktdXBkYXRlcy1sb2FuLWZvcmdpdmVuZXNzLXRpY2tldHMtOTIxNjk0MzQxNTg3P2FmZj1jdXN0b21lcmlvIiwiaW50ZXJuYWwiOiJlMWVmMDgwMjg1Y2UwMWU2YTIwNSIsImxpbmtfaWQiOjE4Mzh9/66d95af85a3da635ff663a2af98ae57bfcab612734164bbee1f8f5576eff092c"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://ciotracking.bysavi.com/e/c/eyJlbWFpbF9pZCI6ImRnVGg3d2dEQU9haUJlV2lCUUdRU3ZuM1BsWUlNeUF4M0lhR0FCND0iLCJocmVmIjoiaHR0cHM6Ly93d3cuZXZlbnRicml0ZS5jb20vZS9zYXZpLXN0dWRlbnQtbG9hbi13b3Jrc2hvcC1wb2xpY3ktdXBkYXRlcy1sb2FuLWZvcmdpdmVuZXNzLXRpY2tldHMtOTIxNjk0MzQxNTg3P2FmZj1jdXN0b21lcmlvIiwiaW50ZXJuYWwiOiJlMWVmMDgwMjg1Y2UwMWU2YTIwNSIsImxpbmtfaWQiOjE4Mzh9/66d95af85a3da635ff663a2af98ae57bfcab612734164bbee1f8f5576eff092c
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.0.1278023433\1116401492" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c1de67f-7526-4cd0-99ef-b8f6b9340a07} 32 "\\.\pipe\gecko-crash-server-pipe.32" 1776 21c7c9f7758 gpu
        3⤵
        PID:5052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.1.1295414185\307288198" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ae17d88-15ae-4614-84ee-12df756f4175} 32 "\\.\pipe\gecko-crash-server-pipe.32" 2152 21c7c8f8558 socket
        3⤵
        PID:2944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.2.1632123634\234851071" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2880 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebbf7e62-de6e-4957-adfd-88922c0608fc} 32 "\\.\pipe\gecko-crash-server-pipe.32" 2896 21c7c95b858 tab
        3⤵
        PID:4180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.3.256963004\1775252340" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78285e48-ffa3-4558-91bc-35fe4fd22d6b} 32 "\\.\pipe\gecko-crash-server-pipe.32" 3592 21c03838458 tab
        3⤵
        PID:5000
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.4.2125967766\76909714" -childID 3 -isForBrowser -prefsHandle 4684 -prefMapHandle 4700 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b55c6cb-8b4d-4979-b6c0-61a45eb35421} 32 "\\.\pipe\gecko-crash-server-pipe.32" 4704 21c043c9758 tab
        3⤵
        PID:2716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.5.638750237\4840694" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2d842d-32bb-4121-8c7e-eb7b28c129f2} 32 "\\.\pipe\gecko-crash-server-pipe.32" 4924 21c04bfae58 tab
        3⤵
        PID:2744
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.6.697073572\1942936421" -childID 5 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde873bf-9406-42b1-8208-9d1d9e650277} 32 "\\.\pipe\gecko-crash-server-pipe.32" 5116 21c04bfdb58 tab
        3⤵
        PID:2736
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="32.7.1968170388\788788325" -childID 6 -isForBrowser -prefsHandle 3060 -prefMapHandle 2908 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52e0b05e-cc7e-4fa5-8322-f4b1b217dace} 32 "\\.\pipe\gecko-crash-server-pipe.32" 2892 21c02436a58 tab
        3⤵
        PID:3424

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21895
    Filesize: 17KB
    MD5: 697a4795d90708f4bdf1d2f4b0be3b01
    SHA1: 826990abbdead95c5a5bb940a2ad57e8481ea6b2
    SHA256: 6bd2419bf31cbbdfd2fd98227664993a8d44389d4e3b8f47f949e8d727a5e9be
    SHA512: f64f0c2cff6aa844d131e63a4ea63bb87f74ef8155b9164eb8435d5cf7a1868befd697626010d27fc2c824cb76b873de974887c81dc311902bfbc989b0e2b592

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\24585
    Filesize: 11KB
    MD5: 4a47151d827432dcb8da1f194779f06c
    SHA1: 58a4522bc0be3aee579fa38d8e6351922ab6e75b
    SHA256: 0a82627cb239b8adbb3ca990d486ecefe2a83b2443bfe1cb8a7760ad736a6a22
    SHA512: 376ca06ae2fe1a6cd67d8170336153ea0e7125f8d34a29dabfdb2dab89cee6bbee7a7a313adcb75906a58e1b5f5afbae69741ec6b197d1d11e6d12fb882b0b23

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\3691
    Filesize: 9KB
    MD5: d46e933bc2d7b2cc90c71f86a6ffb0a4
    SHA1: c3716e56ed9b1d8ded912825e05faa9a9cfb6894
    SHA256: 67aa42ba850a71d1554b50735e941d3dd99bdcecb17aa92e66b4b44883a2e042
    SHA512: c5a2744877ceee7d7db117f365fa93a562ebb1b9a960137e5dc772c34d185f3010a25af6c33fc82bacfac5ecb31f7c3bbf211b42e801eeaf5542f11b8866c293

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 76302a12079af9609da6bf2e5043c9f7
    SHA1: 9647f1242fcd9e48fc200cf3fd4f98a1c96c9aa2
    SHA256: ff8eb03c4baf6e60d63d20b6bb478b9cee2cbc0af8f62d6a9b4cba2cd11e6ac7
    SHA512: bdf0decf3c4e02575cc4c933adb9cbb0db339860eccc739a4cb38009ee33711de00dcafc6fb77c8474ecce00e3e7c59ebfa58f86bf72ee2ff34cd07e00a73495

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0f914d25-7459-4f64-8c1f-1eb84470b350
    Filesize: 746B
    MD5: 90c976219c9019899d57d7009b106934
    SHA1: d3a01343d9a40980996e34786375dd75ffb71c84
    SHA256: ce401aa778b05e799c151a817a2f989bee3ec66e0e9fb07a73d07dc8681a669e
    SHA512: fd76ff63619cc78389c4cb4560173c07e26ec6e28562da54fb3a35bf5a436440ac621a321441f3ca7e0f5544f9b63c826cb4fec31e593ab470790c709bf57844

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\9a0130e9-ee62-450b-bb45-f4797f87b134
    Filesize: 10KB
    MD5: e6d2ede86249f27716e833f84d70e823
    SHA1: 93bae19d2ced485ff90f1f1638ead1943f768431
    SHA256: 9eb41701f4a8735b7e3db382df69d6d8d69154080aa1493c9134cebb3968bf9a
    SHA512: e1e9a249932ce066caee7db5632f380269f6ba48da68e107bc4bc628bd01eaafa2d3a25c17d5c28072849e609e95ddd9f4bf62bfe25af463570b7722fb9a86f8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
    Filesize: 6KB
    MD5: eb51daf4a0f93d97b463e67d01a34e3c
    SHA1: 6e9c88f8bcc52e4af6ea805c5f72f5a902055c7b
    SHA256: 0bb67431310b4ed6521d3b344ab156d8c0f6088eaf0c4a84d43bd1478a12ba01
    SHA512: bb32707498c435da3f5c3e2b66751846b3e629b1fdd5118f1f969c02fcc6d298f38317b6d287b7be0e92f80aa1595d58f9ecff7a4a1e385af29213fb0d5da46f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: acb98d3d4e718735b97cfa91dc502aeb
    SHA1: 169e52e36b0118c591b2c7c4566f7d24bb48a1fe
    SHA256: d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5
    SHA512: a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227