Overview

overview

1

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows11-21h2-x64

Analysis

  • max time kernel
    34s
  • max time network
    38s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/07/2024, 15:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1256230068754055219/1259157809417682975/ONYXLOADER.exe?ex=668aa997&is=66895817&hm=788d998ab0dee7e01ab092f414608158d81fe0bb7e2d1338485e3d9318d174fd&

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1256230068754055219/1259157809417682975/ONYXLOADER.exe?ex=668aa997&is=66895817&hm=788d998ab0dee7e01ab092f414608158d81fe0bb7e2d1338485e3d9318d174fd&"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1256230068754055219/1259157809417682975/ONYXLOADER.exe?ex=668aa997&is=66895817&hm=788d998ab0dee7e01ab092f414608158d81fe0bb7e2d1338485e3d9318d174fd&
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.0.1459642357\424207392" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfc30c94-58fe-4fa7-8ac5-32f2d712cccb} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 1828 27c0fd08858 gpu
        3⤵
          PID:5164
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.1.839266874\751335074" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2352 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d19fa2c0-2a27-4468-a949-eb4d89e40f29} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 2372 27c03091358 socket
          3⤵
          • Checks processor information in registry
          PID:2728
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.2.261976867\113791534" -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d408ab0d-b98d-4043-ad6a-82ada75e55c5} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 2888 27c12c3c558 tab
          3⤵
            PID:1648
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.3.2040034878\1342409871" -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f285a9c2-83a6-4295-8d09-3962eea50ad0} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 3972 27c15aa0358 tab
            3⤵
              PID:5344
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.4.572197237\1149819183" -childID 3 -isForBrowser -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9be421-6837-4e22-b713-490523c0341d} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 4936 27c16bad858 tab
              3⤵
                PID:1036
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.5.1585597117\782312087" -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5300 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cf65deb-4351-4741-a1a6-c7f06719a9fb} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 5340 27c169f7a58 tab
                3⤵
                  PID:4200
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.6.1386465241\1040114826" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a086f9f-e528-42c4-8172-6318dbab5444} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 5480 27c169f9b58 tab
                  3⤵
                    PID:3616
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4792.7.1284381513\1045748128" -childID 6 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0617086a-9429-4a71-a62f-0174324abf06} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" 5672 27c169f8c58 tab
                    3⤵
                      PID:3416
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x4 /state0:0xa3a10855 /state1:0x41c64e6d
                  1⤵
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  PID:916

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  28KB

                  MD5

                  4e274a77f1bd43efddd7812c767bf104

                  SHA1

                  c7623c8359994589212baec741219fe1f3655663

                  SHA256

                  030fcb6de4a5da598357d018e022eba3fa42e347091782d89f1ba59ae851aea6

                  SHA512

                  30c2d6a4686da5e07050457a41bd687065ffb3c3c13abc4a781aa6bf6eb5b1d36f00be84426d8259ad404fef6bfa063a58045c678d4decd23e6652ebb3a46820

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  29KB

                  MD5

                  66cea433bbe21da51a05b3ad700ec5d2

                  SHA1

                  90230c208fa3ba7ecc4ecd08e04d8ec42e818a92

                  SHA256

                  b71ecc583df82509b443241b92e90684f4d593b50508aae8c708c0ccdbcd2399

                  SHA512

                  03745b090c936aa0327c091ba9471b82ff87d2126570a533c47a5299c7889a13ea7bed4dfe77e3daa269131a5b4021dc62bd69df62d084f483f41a28fbb0956f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  b3f014997c7d25c3cd099f725fdb658a

                  SHA1

                  9950c99da5a3196263708601813982702db23ae0

                  SHA256

                  610b35707ce223e4af275a3d2b2b88d449c1e7252b8f6c5310a715dd089f3256

                  SHA512

                  64fd00cda0d408c92753b50437285f926c0d39fd2255615a61f2cfb393bf1d8e9a988da1c90876a172076e9a77e1ae330db0949a6f68f15954a96efc8c7ece71

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  67e4e2921d4fae0377988dcabef45ad1

                  SHA1

                  fc85500c6acb381cf27bc23da3ea420f38631ac6

                  SHA256

                  3dffa2d91690c5a93778982cb5a9c6544df3eaf9d51d2377fab0708a419dc3cb

                  SHA512

                  603541edb158d00886f07edcfadfda191201d9b783a17685ee731389e6000099d5fa2b7c112b0b7d45eae8e129eb641dc21b2f12040537aed3daa0f24c49f199

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionCheckpoints.json
                  Filesize

                  228B

                  MD5

                  a0821bc1a142e3b5bca852e1090c9f2c

                  SHA1

                  e51beb8731e990129d965ddb60530d198c73825f

                  SHA256

                  db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

                  SHA512

                  997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  589df2376df3758e8b6c51bed47a1b16

                  SHA1

                  50a4ef8303bc3ba4ee20e81ea1a17533b547af7c

                  SHA256

                  4b1df772e3751fd7f0cb759254785bc56050155b8a19c5b28e669eafd27a69b0

                  SHA512

                  a4766ec3f64abf577dde3495c7b09c0556a8c82d441caaf0d33de53bf82d52d4c1f11d4d53a49a9e3218a0067b81e9cd5d3065947b452793d4a4e193c6119cd1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  6944654ba1bd012adfc8f7ebdb6aa71d

                  SHA1

                  0dc21ff869f661b0f5eec1c8ce85de8104bcac94

                  SHA256

                  8fe7f0129229f01879d9fd6645c6d6be3a7a47ab0b3686a9b0d187483d74dafb

                  SHA512

                  cc66eed1f223ebde381ffc73604ebd50c71d02c05c3459896d4a336b375264b2e0f5795e7943efbc84bbffd55a4a7dabb84a6b12243958a4ab55d65eb1f22a86

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore.jsonlz4
                  Filesize

                  765B

                  MD5

                  1b709e3a0fdbce2aa7ce8924d1cafc83

                  SHA1

                  dfa08d707446fdd66afa2b17170ec2b8c6a3d3af

                  SHA256

                  39fb691aefde28f4800d3446126870a15b3266f6c98cc4d3d4c608ebaef7c959

                  SHA512

                  296c8db8854a72076edbc98e44c40738c1474fdf6d4caa9ad2daa78dcaab08a9d713d014e5ca0f78d9f0c49cf25916670efb3f6541c334077380c715bf0977a2

                  Download Submit