Analysis Overview
Threat Level: Known bad
The file https://atemzeit.fem.jp/gt/?wptouch_switch=desktop&redirect=https%3A%2F%2Futm.kadiapack.com/trans/[email protected] was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 14:44
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 14:44
Reported
2024-06-25 14:46
Platform
win11-20240611-en
Max time kernel
58s
Max time network
59s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://atemzeit.fem.jp/gt/?wptouch_switch=desktop&redirect=https%3A%2F%2Futm.kadiapack.com/trans/[email protected]"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://atemzeit.fem.jp/gt/?wptouch_switch=desktop&redirect=https%3A%2F%2Futm.kadiapack.com/trans/[email protected]
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.0.677044465\543042889" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb31d880-9b31-48a8-8a5d-6da6f910d035} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 1892 1f753d03e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.1.1722063705\354966645" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22886 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aebe29e-8466-4ad1-973c-070f1cd6db4c} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2436 1f73fb87058 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.2.212212836\603890608" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 2768 -prefsLen 22924 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d21de3b1-497c-4688-b11d-f20d4f750b34} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3296 1f756783b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.3.1026678625\138212238" -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {550a7916-c468-462b-9e82-10b71a05736c} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3912 1f73fb78e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.4.1244377033\1165819874" -childID 3 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c9b8963-5f0f-439a-a7ee-5e4ee7572bf7} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5104 1f75bbac858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.5.1826961572\1912319184" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c74cbae9-4d06-4c87-9689-c6c5cbd0527b} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5236 1f75bbace58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.6.1485085839\436572373" -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5468 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88eb4860-4196-4afc-8015-4a224967943e} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5448 1f75bbad758 tab
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49728 | N/A | tcp |
| US | 8.8.8.8:53 | atemzeit.fem.jp | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 52.25.179.107:443 | shavar.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| JP | 118.27.125.183:443 | atemzeit.fem.jp | tcp |
| N/A | 127.0.0.1:49734 | N/A | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| NL | 2.18.121.79:80 | a19.dscg10.akamai.net | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| UA | 87.245.216.172:443 | r1---sn-gxuo03g-3c2l.gvt1.com | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| UA | 87.245.216.172:443 | r1---sn-gxuo03g-3c2l.gvt1.com | udp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\prefs-1.js
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fy0o2joj.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
C:\Users\Admin\AppData\Local\Temp\tmpaddon
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fy0o2joj.default-release\sessionstore-backups\recovery.jsonlz4