Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    01-08-2024 21:00

General

  • Target

    http://linode.com

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://linode.com"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://linode.com
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0dc95ec-1a3e-4d65-88b1-c69c9f737db3} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" gpu
        3⤵
          PID:1836
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34740c2a-370a-4a78-803d-83f2aa69bedf} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" socket
          3⤵
            PID:216
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2704 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3376 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41a296f2-c988-452a-8c9c-476c688e756a} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
            3⤵
              PID:1708
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c262b3b-1dc8-4e38-bb7a-2167be07a50b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
              3⤵
                PID:4328
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4516 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4504 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {858a1104-9a5d-41fc-8c07-1bc2cc3e27b3} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" utility
                3⤵
                • Checks processor information in registry
                PID:1268
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a21a13bf-fb9f-47d5-b1c8-5a2fd19368cb} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                3⤵
                  PID:3020
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9b06de8-a0d9-4ea4-808c-7e9868734e9c} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                  3⤵
                    PID:1572
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c643f72d-f64d-4a2a-a95b-75ea5c165da5} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                    3⤵
                      PID:2956
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 3384 -prefMapHandle 3352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19e47689-d377-4e28-8356-308413e15c6d} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                      3⤵
                        PID:764
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6452 -childID 7 -isForBrowser -prefsHandle 6472 -prefMapHandle 6420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaab86b7-8ba7-4952-9389-fe244e0b16a9} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                        3⤵
                          PID:4712
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6600 -childID 8 -isForBrowser -prefsHandle 6608 -prefMapHandle 6612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f42de740-b116-4d04-8459-7038717750aa} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                          3⤵
                            PID:2184
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6800 -childID 9 -isForBrowser -prefsHandle 6808 -prefMapHandle 6812 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76b1806d-4bf2-4b15-a311-d30f3ef12c15} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
                            3⤵
                              PID:3336

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nsycwc62.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 19KB
    MD5: 01f83ed803e4689ed79f349834f0a382
    SHA1: 0e8861d42dc57b9826b3fe2b82782284246bd134
    SHA256: 7e3e15ad95b592d320c58e18c45fa675f8cfc9b2011df2536ae5ef5fb565be29
    SHA512: 90d9cd24c5472571710a32a975c2e67ff81bc419bcc6bd5790d477e64071cb4bc4efb9c99f6217c41244830fe3606a72dee6b292bab8d36464d7d0d437e43022

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\AlternateServices.bin
    Filesize: 7KB
    MD5: 1e16d76e66439ed1235e1b497258f3f8
    SHA1: 02f1a94d46a50393e3816428b2bd9338a8b25279
    SHA256: 66547857b4bd8facd45cf36bbd41ef8f8860a714bce3d6e26c809c8262ea9f01
    SHA512: 080e6c9171dbb695494f36e641fe84218393651173231e9818e9b6dde3632d500fdb0ae5899d83a5f149c321d8191c8edeccac15b9862573018392df3f7e018c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: c2f4b2b95fb0aae602fd2e57376b11eb
    SHA1: e14352e92ed4ab0e68e2478ccdb47fee064cc556
    SHA256: 52fd225facf98b21a4390d9bbd7511e94513acd77ed5522b01c6370012b1a937
    SHA512: f3ccdb36c685dca248a4fe177565540da6ddddab4d3714e445c8e87a77e3db5d2ec3a64a42f2d2e715b5af9613f9f2bd84e5e57b76f97848f1ffc15661771bdf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: 40227d8798911e50f55bb5976c566c76
    SHA1: 25f9c2f79b70eed126765bf529fcdaa019c0ec59
    SHA256: 042f348607a7262c402ba92b2eeec7722c70d459ee8bdc75e143718ba335436b
    SHA512: 4924ec3f553046302311d4eee3be0f2a2b7f09c563b4e64f13dd39e002abbe24a5ee2efaa0790a73832e02dece4af85d508625fd928df5fd945b54005f86800f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\datareporting\glean\pending_pings\433d0341-235c-48ac-9277-6700b442c2af
    Filesize: 671B
    MD5: 2972c218e04a6f3ec3b53e58f682e8a8
    SHA1: 186f0c14a31a45db4b6a78cfa41d9e64fd6aca2b
    SHA256: 9cac99f895388787026cbcf45b03ad18c1f5d64cbec7e2535f2203362d8ba962
    SHA512: 06b4387f5e6e51837858bdd09d5566c9676bf8c69b612d5c1fb6802a40dd02a8e8dfa10469e2ee86e81bdf78a7f8b2ab8033f1d7c46181f29d02fa26d83e990e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\datareporting\glean\pending_pings\45d9450a-1c66-4049-9030-4c0782c18b26
    Filesize: 982B
    MD5: 493becfa18fbb0c8b14ddeffc6c70797
    SHA1: f6b2e79456f9bead272c26728a36b0202a6d3003
    SHA256: 0789650523d3dfa1c0d242d2af122ea4cc26b1d0a581aab8f132500bbba03439
    SHA512: af69bd03db377a7be273cccc4f4f5fab885203cfbf499af144de7acee57e63e7201834207a772a55ad4a8b5a5d08be34609c0049a075cf2abc21ed6ede2927ac

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\datareporting\glean\pending_pings\88a78082-50dc-4d7a-9ee7-ff3fd3c30036
    Filesize: 26KB
    MD5: 265b40d5dc8b2e2201504a2719226216
    SHA1: 649c38790dde0a43eae183b4977c896a3a2233f9
    SHA256: 71fdd80dd1e1f526631e2b481c9b63d3aea6b93da4ba0bdb0abb8d8318e74dcf
    SHA512: 61d2c326bdd617c872c22d8372e81f9cd69b3d8740cd81758807936103490bd6a1f603f8a4ac17d9451325d661faee5eb9126198aa69bb96bc29915ea36e3c74

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nsycwc62.default-release\prefs.js
    Filesize: 10KB
    MD5: eb4533ac42f26aa97dfa3acdb810e692
    SHA1: 987372f2a6e7cc19f70d876c0800a8a0033fe577
    SHA256: 49ec53cbdbd706e999ab0f1cc7fcbf49f6ccf78353ee5d035e4fe7839aee48ef
    SHA512: 5d1a9055b34f2b68f7bbc24bbefdddf515f6de2e5a18081fc94f881893dc931e44788e7b75e0265c6a5007a4b9c12242d42fc6767c8eb5865503936a5b81e2ac