Overview

overview

9

Static

static

1

URLScan

urlscan

1

https://www.doc2sign...

windows7-x64

9

Resubmissions

04-09-2024 03:56

240904-ehpr6avbkr 9

04-09-2024 03:55

240904-eg7atavbkq 4

04-09-2024 03:54

240904-ega8dawckf 1

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240903-es
  • resource tags

    arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    04-09-2024 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.doc2sign.com/?doc2sign=hsl2D2er%2b0cruymzgLq9dPmUPGwbDdsyhW1Y9zu02BC3E06l47bLgUlbQkPP%2bIBHHAcKZMFyQ4zDzznADaEo3NE2D4TmMEKXHbeGmSnLV1CYeQ1sCwQrX2pLpfV2aDCM

Score
9/10
credential_accessdiscoverystealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.doc2sign.com/?doc2sign=hsl2D2er%2b0cruymzgLq9dPmUPGwbDdsyhW1Y9zu02BC3E06l47bLgUlbQkPP%2bIBHHAcKZMFyQ4zDzznADaEo3NE2D4TmMEKXHbeGmSnLV1CYeQ1sCwQrX2pLpfV2aDCM"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.doc2sign.com/?doc2sign=hsl2D2er%2b0cruymzgLq9dPmUPGwbDdsyhW1Y9zu02BC3E06l47bLgUlbQkPP%2bIBHHAcKZMFyQ4zDzznADaEo3NE2D4TmMEKXHbeGmSnLV1CYeQ1sCwQrX2pLpfV2aDCM
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.0.283453954\1454583769" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e503729-be01-447e-a7b8-757bfba8d70c} 880 "\\.\pipe\gecko-crash-server-pipe.880" 1292 10fb9458 gpu
        3⤵
          PID:2680
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.1.376229837\1796562351" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1508 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55f4370a-0a3a-421a-94a5-8174421a30f3} 880 "\\.\pipe\gecko-crash-server-pipe.880" 1524 3fd2658 socket
          3⤵
          • Checks processor information in registry
          PID:2456
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.2.1948434991\1463980514" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab0a4911-9358-424e-83f0-c709e61b5226} 880 "\\.\pipe\gecko-crash-server-pipe.880" 2100 1a5a4b58 tab
          3⤵
            PID:608
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.3.815986375\1027685533" -childID 2 -isForBrowser -prefsHandle 2856 -prefMapHandle 2852 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9678e8bd-ef93-4101-a247-a657a83b3f89} 880 "\\.\pipe\gecko-crash-server-pipe.880" 2868 e6fb58 tab
            3⤵
              PID:1424
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.4.2033656743\641627585" -childID 3 -isForBrowser -prefsHandle 3736 -prefMapHandle 3724 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a99787-7fc7-4c07-8c55-1bcdb259f25c} 880 "\\.\pipe\gecko-crash-server-pipe.880" 3760 1f646858 tab
              3⤵
                PID:776
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.5.236607721\928270081" -childID 4 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b98fa9cd-f3e7-49b5-a227-5db1a03c81d9} 880 "\\.\pipe\gecko-crash-server-pipe.880" 3860 1f812558 tab
                3⤵
                  PID:1788
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.6.1208054152\2010613296" -childID 5 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {874d9a53-dad4-4203-8758-15ea4eb106b9} 880 "\\.\pipe\gecko-crash-server-pipe.880" 4040 1f875858 tab
                  3⤵
                    PID:1760
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                1⤵
                  PID:1988

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  36KB

                  MD5

                  3ec4a7fd1f85be909b375d4b31146282

                  SHA1

                  216a5e65abf6895dff6b30597be7a5973e502459

                  SHA256

                  57e1c686b378352d58ff0ef0951713be085bc49e0ea12e94e20f11bf0b3446fa

                  SHA512

                  5308973a1bccaafdab8d0d6d7c1f18b58635f77e874f363b7fd7d6c674f9d566586845cc06abba0d747abd1a639a478583a3d6c56408577d72f885bece326839

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  37KB

                  MD5

                  cb16f48b9145d52c2d70f99782ea3f67

                  SHA1

                  49005b7cf39e439bdd885773fb68de641138e724

                  SHA256

                  161151c8b17068a75b5e2dbeccb2ee03ca4eb0875d3eac1ae8285b634b410a5b

                  SHA512

                  589193904afe2681588c408de1a9196a1b6d2cde081b6200426ff5a69a945f9d61fd5e396e11f10099b5eb1f085d1b6870b1d9131e340d00f189d8d62e42e420

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  9KB

                  MD5

                  8d4015ea028ee9ca0aac84d6dc321a74

                  SHA1

                  045a48d486ebce52dbdedafdbf25fb1b509d7da9

                  SHA256

                  28274bca9a140104b09e75a77c12c95d6ea5cf2619dc1b00e6b3cd4909c2503b

                  SHA512

                  21c8cc1cb13a50cb7f2b24fef1a2f39900d6ab2e25a8f372031e70312a6dce18b547ca3c6ae5f32c595b650db34d3ccbf4d0f28897361521b32ec8a81edbf63b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\dd4179c0-1aa6-4d96-bf06-ce538453fd83
                  Filesize

                  733B

                  MD5

                  51e9752f6b4a69b7c6982cc2fda78594

                  SHA1

                  63e91c57b900d68819acf8aad4a4e78886317493

                  SHA256

                  dafd5332cb00697e495c3a9f57661c0a2292e538aaaf281e60acb082a643b4ea

                  SHA512

                  1faf1bc1a0743754fcc6c32fc0747455217150a82d90f2d7941265c1a5c00a19a3d32b55b95cb079f5d1bc55d34b41b0c1337aafdbdfde83f888c1b2c9d5efd5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  4f57097ebd9af3c83a52ac52bab5232a

                  SHA1

                  f07036bfb99dc9bdcf12cceb67b0c3a42d0bf1c5

                  SHA256

                  dd1f9fc3a0dec0dd28ee9003601a10cf61e6949f12417e52df0bffe8e3c236e9

                  SHA512

                  7e299f38403d09b41358c0f8ab42c74ab377a292f144cb37e8f39a4736f95805f008449f13ad06f4ff00ea2b8e4a052d10c3fca0d24512de0f8e75b9f5ffc5b5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  dd5913d7964238ffa9706b1a42951efd

                  SHA1

                  26a0d1de6ac2fa8ccca60928a5ed11c66b8f4dfa

                  SHA256

                  d50b22805cc97e041c4cca10880912c248b42d41dcada5d775925ab23bcb2a1f

                  SHA512

                  5248386ad4e9e386fd11afab3402f89a5658cb45c74538de238de4068dd51e0ec53a9e4a2f4c44571cf84bf5533fd02d8d8086a2674f56d4c3586a8a8a9dd64b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  523639a8c3d6c58a1ca41fe3fe7e3ba5

                  SHA1

                  d222c26bd673498292f0291dc296417e87ae755e

                  SHA256

                  ac451584fcb1c3cd6be9508f19767ba1e42d42d19999b439f2094dfccac23ced

                  SHA512

                  1e8e6e7332a61244cd436df207310e756083f5ea2a9bd45e62de0a18a376e3d33a3bf4f8da49bbe8689f5ef38c768dd8cc2f7eef633394087c6b81a4c1562c77

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  11KB

                  MD5

                  2121dc79cedb049c4820382dd8c162c0

                  SHA1

                  129c8106504fb10a8334b3659f1c972e24e76943

                  SHA256

                  d56665b247a3e5447e1dd7167ec326a54004bb1f6eb2ce1e24629ad309084d26

                  SHA512

                  9fb15dc6ee3cd8d307ca3be20246fbbc111c5b6264c6d7ae9c3afa977db06857de6ad0d371b6186b65d5c0a05ea527843e2f60e68cd271d38d6cfe18f4bab986

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  11KB

                  MD5

                  d097be49bc237368bdc8a6b03169a9bc

                  SHA1

                  9f6813eb1b09beb762151893ea4261443857fd85

                  SHA256

                  987c855d3163677386ac7278965be9a3e55578c00c5fb490354e7b826856fbbd

                  SHA512

                  9b388b69618a61d8b3322ae8921cebfe3aeaf711bc87919c6ec3d2688684d45438e94205dbd2594eed3e213791ce10f1868981674509468705697b447f6ec0ea

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore.jsonlz4
                  Filesize

                  10KB

                  MD5

                  4820de686a4b7aaf7d89a459e8bef235

                  SHA1

                  01c1457f9ba20534961d5734f02004346714ceba

                  SHA256

                  dccd81e12f6dc1982232ba0456beaa7c8575382441866d36607fb5b77590452c

                  SHA512

                  8c5e7744a60e811f73bce39cc9d6446b5114b88259662b7d316cad23d0b94cb4ecdbfdabdd59f87b8320653d7714c048ff5e28b262967bf6f3439dfec2598609

                  Download Submit