Analysis Overview
Threat Level: No (potentially) malicious behavior was detected
The file http://google.com was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-27 16:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 16:40
Reported
2024-06-27 16:41
Platform
win10v2004-20240508-en
Max time kernel
84s
Max time network
88s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.0.1177258949\33175765" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0bdde90-c925-403e-8fae-882912a1e46c} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 1884 2543ac0ae58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.1.1988024262\1371857089" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0762f1a9-d382-4d0d-a171-739608e7b4ae} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2476 25426a86c58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.2.1448718046\74419615" -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 1344 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ee438d-3162-4b02-8aab-669bc3fdf7b6} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 2788 2543dc3a658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.3.766383184\67965108" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9005d833-6699-4c0e-82eb-4daf3f272d63} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3640 2543f540958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.4.724808492\1647595929" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8756b249-b59c-45ac-a30d-04815510f8cc} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5040 254411bd358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.5.674609028\788149146" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8567e6-bf03-41bd-a3d5-c522350b9f43} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5172 254411bd658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.6.614083858\662334433" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0185adc1-d96e-4299-be9a-9292f5b4367f} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 5448 25441a63f58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.7.2080899901\178083834" -childID 6 -isForBrowser -prefsHandle 3784 -prefMapHandle 3808 -prefsLen 27957 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d899ef44-2f3a-4ee0-8d45-509eff594047} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 4912 2543d698c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5028.8.1997154322\710870501" -childID 7 -isForBrowser -prefsHandle 2860 -prefMapHandle 2796 -prefsLen 28172 -prefMapSize 235121 -jsInitHandle 1148 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24426e8a-c7f1-45b7-b1b4-8599b2070715} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" 3304 2543ac0c658 tab
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:50475 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| N/A | 127.0.0.1:50481 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
| MD5 | d7b41af96fecb56a15717fcafea78118 |
| SHA1 | 771b305de327bd2a18a4a61420b0ebe110ff3e6d |
| SHA256 | bf081693c1633b980a02a45a7ffcc175e866890a9b7924af3f3595798e4cb5cf |
| SHA512 | 2042b4f1a1e53e6112da6030d9843ced2da500c5026732b9a100d69235d0eeb40e8895ea8f46f1ad95826a6c0f6b3421b59c81fcc0c33eae500ac93a00693884 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
| MD5 | 62dac6954c9e38cb21bd6472a18e539a |
| SHA1 | c16b452a748f0e7ec2d7a8000b934bea1847e0e2 |
| SHA256 | 4c35737a4083779b7b10635ad6549a02c5322831d35bb7f1530f6d62c8dd194b |
| SHA512 | 6682216f679ff05ea3c81fb1b095a4dd443a5e784ef7bc475d9db377678c7eb45f09acdee75db6f9ff247592139e92379f20f5d579d7160b4c94346dedd14687 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 06c651f6f9937aa76d7c5e62095b01f3 |
| SHA1 | a9ceb534e37b4fac38813b909fdd32a2b197adc4 |
| SHA256 | 3425908058a1653307f9fab571c7b4765e3aa8925657e5347bf60ac31114b4a5 |
| SHA512 | 9b229060f19a956946243549e6c4897a9f895f4d514208c4828d5d8d0d79d2aa07fef5a90649fb912fb2b22b8a6e80fdd5470dcd1eb25399492a471214c50eeb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 7ceef9a3c7142f23fe38755539f93653 |
| SHA1 | 57a4fcf3fb72285f5ad26b7d1084cb4f0a291b76 |
| SHA256 | 7ad486435457a7df0c90724b0663ddeabcc0616f4375cd5a07b23dd1af257ed4 |
| SHA512 | d2d0dc172b021fe3b7f007d56c4b048a341742b12dbfe928ad3a804fa3b2e731b6878e1d0ab2c498a16e65a13f65fd87d1fadd970928bc302c5e1841cf14e8de |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
| MD5 | 68e3b29fbaf6961212fde2ba8018cdd9 |
| SHA1 | ac0419bd06b18fef000ff57f6330841a32e2ce74 |
| SHA256 | db4127b937f714e4a0bbea823b74123bd7a39f3de2a4b66c508fcdc690f06a2d |
| SHA512 | aff308eaf9a113c8e598ecc88ba87799018d9b0f8a978f61dfb8342a4187f72a697526b53f7577dff968386e104cef879d2e3e526fe643a0d668e6c88df2e122 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3f84a840bf56cbb280d5e71335b362ac |
| SHA1 | a098adad7d7bf2aca1f946f9f959db7a2c459202 |
| SHA256 | 9acff82eb61d23df522444b1385eed359664c5919030f9c92b3ed4bbb467f0ad |
| SHA512 | 4d14da234691b974218cd8888a2bbaa869a475219acf8826f04c2b296f893aecebe2120dd083e2b56c74b6daf0a825e831027db85305ec0bc31b500af35392e7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6dccadc992361618ed8dbff1672fbf9f |
| SHA1 | 349e7ca36ee97d4912bf221b9c9a4bdd86e829e5 |
| SHA256 | f485c2a15d831fc08cac4829665bc6ef0ce741f65b6f2a164da914b9d7a39083 |
| SHA512 | a1622c9dccf00916aae3d3ae3193fa009570c1fde418fc6446da3cd5010026510afbfe1bb7d252930171ba9228b78572bfbc72a3a98c71c7f9bc6be3e93d742f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 06fae1166c99eced64df7451832518fa |
| SHA1 | 8e58272ee8116c1c06fd7e1ac56cf2cc7b0c693b |
| SHA256 | 10066df0f16e8129de3a43eb5ef04d6ead2214a7e48aae7c5ecb25743d22a0c9 |
| SHA512 | 5a2fad9cfb5862b83b75ca86b3294169ce8a6b714af03b1c59a36a833a29a4a47192b27e6e37bdb834bcdd7b67cd19c783880f133452ad17b691dfcd1c0600a1 |