Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/07/2024, 02:42

General

  • Target

    https://groups.google.com/a/pressmf.global/d/msgid/politica/IMegEHaBJPZFQVBKbBTNE4Z5KE-8gdfHWGHrQpMFXRQ%40matrix.spfbl.net?utm_medium=email&utm_source=footer

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://groups.google.com/a/pressmf.global/d/msgid/politica/IMegEHaBJPZFQVBKbBTNE4Z5KE-8gdfHWGHrQpMFXRQ%40matrix.spfbl.net?utm_medium=email&utm_source=footer"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://groups.google.com/a/pressmf.global/d/msgid/politica/IMegEHaBJPZFQVBKbBTNE4Z5KE-8gdfHWGHrQpMFXRQ%40matrix.spfbl.net?utm_medium=email&utm_source=footer
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.0.9049730\417360890" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4bde55a-611c-4d0f-b4a4-c1fe6fc5d42a} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 1856 17298b0ca58 gpu
        3⤵
          PID:4528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.1.825615143\1913562783" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b736f05f-2226-4960-be98-57297e4f6afc} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 2388 1728be8c558 socket
          3⤵
            PID:4128
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.2.1754016610\829979839" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f27af9f-4bc5-4f49-b277-308ceb542b8d} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 2964 1729bb28358 tab
            3⤵
              PID:3756
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.3.1319079064\1812485223" -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c34a65e-d2df-4992-8030-dbcbdbc883c7} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 3980 1729eb5f858 tab
              3⤵
                PID:3820
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.4.1601927332\1192783826" -childID 3 -isForBrowser -prefsHandle 4972 -prefMapHandle 4984 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4010d9af-9070-4076-8447-0a09dd3104c1} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 4988 1729fc44b58 tab
                3⤵
                  PID:1368
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.5.2114588789\87801772" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45f4878-d428-40b2-b505-b5bc7fde2e6f} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 5168 1729fc47558 tab
                  3⤵
                    PID:1860
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3400.6.646713663\1492288670" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8ecc93-8c57-4bd4-8e99-af09086d86bb} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" 5396 1729fc44258 tab
                    3⤵
                      PID:3140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 26KB
    MD5: ec7f12f05f8c1344cdb344c32e48cfa4
    SHA1: da37a1da62feb108410401b3de644f8f40fd75aa
    SHA256: 9e23c348b605e8e9ca46906bf9df5103bb165f2240f70c4a9230a98ff6cd1530
    SHA512: 1e3474a97570c3001e3c3751378a50121d31b2f2d1d48b305ba6ca22c1271f915ea56b2e64a99bf3fcf4d1ffe2321cf44d5fd867a1accf75be7edf8b81ef721d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 39e1e3915b009da6ef0937fa0c036763
    SHA1: 88cd8a9df1d90ca89e17a5030e04c119459b2ec6
    SHA256: 8707cb3113ce91bc60fa9b6e33f8a43f95f6e0f2f45068bf520552f591886ba6
    SHA512: 57cb02008de862aee50991b1d06ffd248a2fdbcbbe5c35ea8e5764899851e34bf4b497b27e7a6f4b058fb84ace2a7835bf9bb6bb9605d77c3847bf4e459fd32a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1014B
    MD5: 3f619d12d32dc63d446baec48a50ac1f
    SHA1: 06a4990fefb4108f50f639ff25fe00d6605c0dfc
    SHA256: c710ebdcc50f625867e579c834a94d7f92d15f8180f7172033ee551d27071342
    SHA512: 7e5f53c09c64528b7e6b1a9226d2a76d3b3495f6df0a1142d956b26477cf55b8792f7b81f37d90c31784bc72de05dd4106157e325230300cd2e7291e704bbe3d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: cb736c8bea7773d93d0a673f8ca9393b
    SHA1: a25577837e7a65f64e3f4838beaa2130e94a344f
    SHA256: 7eef56fdf5631095195e8413eef8098cbc402db50675a050c4f97dd60bdb6b43
    SHA512: 96dabf84d58808a0a0cabb7b14c5a8ea0625653d19949768bb1de4aa8117c403e9fb086605641fa3ae1335f052894f54d5a91222f97117e34741bd5bf8ad70e3