hxxp://damanľ39[.]com

Resubmissions

07-07-2024 17:28

240707-v2b86swbln 1

07-07-2024 16:46

240707-t968vavgpl 10

Analysis

max time kernel
1786s
max time network
1733s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
07-07-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://damanľ39.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe
Token: SeDebugPrivilege	1204	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1204 firefox.exe
1204 firefox.exe
1204 firefox.exe
1204 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1204 firefox.exe
1204 firefox.exe
1204 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1204 firefox.exe

pid	process
1204	firefox.exe
1204	firefox.exe
1204	firefox.exe
1204	firefox.exe

pid	process
1204	firefox.exe
1204	firefox.exe
1204	firefox.exe

pid	process
1204	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 1204	1900	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 1936	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 4432	1204	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://damanľ39.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://damanľ39.com
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.0.1471381190\327987087" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96a407b6-dc75-4264-95e5-66ca7757a242} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 1812 11c7000db58 gpu
3⤵
PID:1936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.1.186747699\1421577765" -parentBuildID 20230214051806 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4ba28bc-2512-4002-b3e3-c64a74e835e7} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 2348 11c6328a558 socket
3⤵
PID:4432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.2.1125609253\180717581" -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 23028 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {935542bd-8d97-4561-ac6a-d3c9651d305b} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 3236 11c72b35158 tab
3⤵
PID:4652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.3.151387470\1058261694" -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de31d8a9-94b0-4eee-a815-0f738451ba83} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 3940 11c63284d58 tab
3⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.4.622319525\744185876" -childID 3 -isForBrowser -prefsHandle 4964 -prefMapHandle 4952 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed62918-4b05-4864-a700-e2b13c4bf535} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 4712 11c77cc8858 tab
3⤵
PID:2676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.5.1571973270\1137492158" -childID 4 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ff4d76-e588-447a-876e-d3124e27bf3e} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 5148 11c77cc7f58 tab
3⤵
PID:1496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1204.6.711170374\1621232130" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {750bc51c-1667-4bff-99b1-03a77fc31992} 1204 "\\.\pipe\gecko-crash-server-pipe.1204" 5436 11c77cc7358 tab
3⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
775b60b00cbbe42453f1c3d1e1700b38

SHA1
101c0a7b2b0db775dce5683489a740d52af8e7c8

SHA256
61a12b9ea4fd885dcf6ff6556df930605cf825375bae810a789b63d49b0d4ca9

SHA512
45b769ec06e9cf991111f13fda6b43b59dfa224843834068cf644a17557db402794e3fd778b6594117d4ec5c97dbe6b332db695b4944381f7face1fbf35b92ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
15KB

MD5
ed043e29c00a859ddbbdfc4ae1552469

SHA1
0f64778ba831305d3041c4338cba5a859550d6d7

SHA256
ecb4302b7abcb6236b190ab0f99fcff847adf60afc24d72956103a3e24aa1f6c

SHA512
a9aad02b1cb85a6ad46e889c86d249e498b7f22e8be3931b39c1065f45be8fa67b13af46284cf664bda6f781d51fb9bef986856c2762cde71f2e15084139b95d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
d0e4ab4feb4803ad4c721cb4266dcc2b

SHA1
ac3713740079a211cf73817bc4ad29ccf23d84ed

SHA256
e637315d78c135cb0283af58a8002d20423743364738a8a4acb64bb519f620fe

SHA512
a105d70dab9f19883bd3e1aed414bad0f819f72b2ab848850da4002e37558fde2e02f0d18f89095355b16c6e0dad8046ff8f8f3eeac172691f6d3b120ea08a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\bookmarkbackups\bookmarks-2024-07-07_11_mEYmGMJQ5YUTTLBxN5-pLQ==.jsonlz4

Filesize
999B

MD5
9753adb7da5d43473aa068121b74a597

SHA1
cc20f2144d2a873e45ea393a81ccd6bee3f4cda8

SHA256
18259d81e23205ba8ecf422e8b3218d983a6725aaeb857d0fe0e3c58a4b2b199

SHA512
fc81448284ca7021096911924cdc36a6ca901e0368845f4fcbd676e8c3d5e696d75ad1cd0fc68757ad725e086006d02a3d9e0e45d2c640c689190b0fe6f28ba2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs-1.js

Filesize
8KB

MD5
06ecef5776046ce90054ead42c4c3ff1

SHA1
f1be04aeb18336e1426e79293ab36ab95a182b98

SHA256
e7cae4cf62bb9816a89141a4c15900851b0974402a03dc7229804f6c1ee664e3

SHA512
102b4e6a654972f848019901300ff5a64c86457ef906751751e063fa7c601496dfb5cd8d7f125c3d0c1b2cc8d7dcde79e3b2de21b57561ef2ae6d2d4a022ac13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs-1.js

Filesize
8KB

MD5
5a76155f5459b50c6432523809289d7a

SHA1
24fffff9b41eea09dd674de67251b5c8674bc216

SHA256
54e5fb5d883e66afa3a61261b164e0095257b48c1f832cbc82d3118f3cb29261

SHA512
241527e45e83b5e8e671ef781c10806519edf2b5139da29034fde48331f403eb5a81ad0928eae07931bfbb5cadd95aac5ceae091355b90c8a26225ee75facc6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs.js

Filesize
6KB

MD5
fd819bc223adbc6fb2f1640b0a30fc4e

SHA1
9ec9d95330278477eb98072af565c3b6af975dfe

SHA256
27be03440a5649577265edaf3628b3816b1580a794bcbf6737131aaad5d61a07

SHA512
1aefe673cec5a15f1bef6c1c8d6a88b793557d7e9f14ec22780ef9231a7f52b616a7df60748b4f6b4f1b4eb18c3f48576ec46e0b8718bba6d5f3983a2063f2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs.js

Filesize
7KB

MD5
c57be9c28699ce4e99774bd6edb57b2e

SHA1
08395c28d8da171ceae471c6a0e3a7525a1ce486

SHA256
01d9b88bfd5818aa98a8111b8bdfa75de555d1ee60b10fecea1dee06cfc10013

SHA512
687bcac83d623593f11d324a3a6fd8ca9759d74cf815d7fe148e349e8c15bd1b0acefcde4369e89130f3e2e7a9d56865e54af4426f4cbad790b8349625a82a59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1018B

MD5
89ac575f62547dba63b50cdfc0eac21d

SHA1
8cc78df4f16752cfab004344ee03a82c1ea589ef

SHA256
fdfb677f21a9c01691c347a880f6b603bae1295cd7edec3995a62ea46ad5c428

SHA512
556a753272a901cff5a7670c97c044d4b5d9d13014766bac3eb1790e892b0ae4f19fbaf38e4def96e5fb303f5530823981eec0b4dba2253d15a17adf99102973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
70035cd8c4e6e6b1b6fda8b73a1e1999

SHA1
185a9fceaaca35b645c545810c4ef87379891ee9

SHA256
965bc5a4e727f39a8f8e322fd888111fa2e0f259b95a154292b905c5ed115f63

SHA512
c6e4c58ed02b80d31ee3fad26a74079425e21988c9596b21e3843eb2ffb23b78d66c8d4e0df71d666fbc65fca4a612562d3fd50649fa7970d79a53243b32ad00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\targeting.snapshot.json

Filesize
4KB

MD5
74f759a086f98cc7d4f35dec67fd7bcd

SHA1
62c00e6d27a7929bca8bd08eddc67ff1180994c0

SHA256
94a6ef908dd0e3e2ff470d7ffff1b4b2f3f051372aa0680d30a6c1c5dace6c51

SHA512
80053715bc368607120e4ba6565ac189e923df0b0193bbc7a9e24bb980d4f7665cf7f7a63891a59e226b480b9e1712311e9b6cc07453c3f7c32d8bdba0649f8e

Download Submit