Analysis
-
max time kernel
37s -
max time network
39s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
28-01-2025 07:12
General
-
Target
https://b9fee5ea.1321efb24214f25665cdb06f.workers.dev/[email protected]
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: [email protected]
-
Detected potential entity reuse from brand MICROSOFT. 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://b9fee5ea.1321efb24214f25665cdb06f.workers.dev/[email protected]"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://b9fee5ea.1321efb24214f25665cdb06f.workers.dev/[email protected]2⤵
- Detected potential entity reuse from brand MICROSOFT.
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {214206a2-0356-4686-9901-c88f84d3fc83} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 27849 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70c940c0-70a5-41d7-8aad-e7d3bfee15e3} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 2836 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c0a84e7-dbbb-49c2-8bb6-63f39d624762} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2920 -prefsLen 32339 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e994795-d0f0-4e58-a47b-a9636bb79677} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 32339 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2185f7-5392-454b-a446-2aff1e9349e9} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e06f1aa-57ed-478f-a610-99d957c63c67} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dfb54eb-c44b-416e-b2f3-1586f9e0137b} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5836 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67838d19-aac2-4ff6-ac31-b1702fb4a9d6} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e545f92-e7a4-4c2a-a1cd-c057af855ec9} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3376 -childID 7 -isForBrowser -prefsHandle 3400 -prefMapHandle 2724 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc3d1fa-a773-4761-9ca3-4e7c0406c43b} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 8 -isForBrowser -prefsHandle 6164 -prefMapHandle 6312 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffac228e-57de-4475-94e8-56d5adcff412} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 9 -isForBrowser -prefsHandle 4024 -prefMapHandle 6284 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaa991f6-8832-4d09-b827-6c0cdbf02214} 2592 "\\.\pipe\gecko-crash-server-pipe.2592" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5c78cde5989257a1b7a00cf9370ab32b3
SHA1d2975d32c0c615e1e29744986f29fb291fe5b51a
SHA2560e466a832fa1291c7a1e70b5b9c3f96cd16c78882178e16c88131873f2cdab9c
SHA51289d7be9058b004e5f53d55b9ce9e019922e8446de2836b79915ecec3cfc4c90833f48cd8c9545e60ad4f0220ec9d4a1e91ce82738739156217112de3db07eb8c
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
7KB
MD5c182f7fd69fb3f5703ae22e89fe62db5
SHA1fcfceede4c528d526b36440af72744c1a0740778
SHA256dffac16350952f433552383db0f44ed15cba357955f9b0c23a2b81d6355c11e3
SHA512f0b987f4454bd478e7f9c41a7a4dac49b5dfde59c9b94e8615dffd62183bb3ecab9fffa799c9e6da5c238ebb9708be4f297e5070aef675860374543048aaea93
-
Filesize
8KB
MD5d172022107d635426d910714d9232fd7
SHA1842ae965ac1a7674d3bf6a76ce07d5b7230d5fcf
SHA25601b2d52a198d0bedb3acd53af100595fcaeefc3897671c67d8f3505ecda81700
SHA5127d4a20322b917d6e3955f8a86646f300aef35ba944ed129e3a13dacee7ac97cfbe31a77d0d5afdfaefdc941adaec7e40e495a7d134990e370c220e000951ab88
-
Filesize
13KB
MD5e38d0cba4ca7814783d551462d055202
SHA1672372fec1b0025fe3346f9619336139f0e81c56
SHA25660e74b84c6a021ee262acb86096bb6d8b2683dd40fd63fe4f24be90ab73ce98b
SHA512e35b561d667924733cc7b0372dd37450310d3d82d22bc7a685be2fdfd0501400311c44b62652be77ad7042023bc07bab789feb6842942f92c49a68a717bacee8
-
Filesize
5KB
MD5aae86f59d19c24055aaf8ce5cf0a25e8
SHA175551a0928f2f5f7a134ca9965f6af250f5d60ac
SHA25653098c7d985396aa64565d00e610911fe22e6c864dae2b89107b696181326df9
SHA51278e3a6384d967ead7d0f29cf4e0612cdd82d0451905ab141118facdbecd7ca4fc05625cfe653448f4646adba2f7b886f407b20aeb59bd9b8cf1e271651187bd5
-
Filesize
6KB
MD5ded2bc891fe00fa795ac6285df96efa5
SHA131bbf9ce1c4754e98dcbd6ad09189a0c1b5fc774
SHA2562ea9efd346def323cc8db217df19f4cc1bdb3f4b5db55bff055ff24182fd20f4
SHA5124b5f03b356c88781d1ed162fcc234d8e2c1c75492a4e7bb8e4e411c2fff3ef2ca5d1f0fd1e9708e81fc81a4683aa1c0e045d9cefeb3bc097f78de42c0a57e856
-
Filesize
14KB
MD5be4cc1c376c269808c896aa025952266
SHA144b6b6d21462f4e2b06165ca5a3cc48b41b869b3
SHA256a9a7f888307d8115e62e2074438fb6bd319e857a184bf22d9983c3905c1a1d7a
SHA512b9354fac4f369f06fbeb5bcf1ee87f374b4597b79fa2d0a7be8a64877097d07c681e8e9349945156020e44bc08b9f2013612ff6efd6a30dcca812f880efbafec
-
Filesize
982B
MD500a021d280a7c5956835c836eafb2dc5
SHA1b0c372f6c942573694fbdac498c9dfe222968758
SHA256994d8a44a6d1bbf413ea1a937ec88e969c41b70c6a5b2519b3f0a7fabc00b0c6
SHA512ae18710ec3ab6f2fff31727e567e848f65ba9d7ff6042a965984aa812811bd9afd799221206dbb2de15ab2b6c65561e70d05a630084a2b51e0e00eb8b9289331
-
Filesize
671B
MD5ec8f839ca214622833f8706382423e15
SHA1cceb445a9d43df427bfbb2fd3a273359f55dbb2d
SHA256a7470acfa1a173585704ba0b3cd38bf639df781043ec02afe1a7b19d59e18f84
SHA51200bf8fad5df9b498f9bd0417e8bf530262b28a23e1ebf7eb86c08a2dbda8d57b77727b975b93bd8c5749178669a16b5491a3cc1251b1786be16a399dc096028d
-
Filesize
24KB
MD590e59e4d1f581ca8254cfae07bbc7edc
SHA15b7a8770551d35ff369897c0e430cdba788d0645
SHA256f826e3cadb583ac71a1981324f7d1a210080a8c7623883e44f52501658d58e34
SHA5121377be47d9b2a4ad3552a2cd8c777ff654b39015c536adebee9a92516e934ef47d8dd09c94b0b4a5db377173eceeba360743cb006d3a4bf08fc0470b86914709
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD57237a1fc90adefd09e28c6fabe103528
SHA12e573b3864f4bb1de935dce9655ff83dd0bef455
SHA25694177932153440c95a678a6eb505d52aca10281b200cc6d1031299cb1c95f3d2
SHA512d00859522afbc20a9ce42d0ac2974fdf80b6778993e7f55ef2f2aa4286dafc86a39f8331ec2366763d6e87f475eb2fb0f2d4183da14770f787d18404e2fd0678
-
Filesize
10KB
MD595ddf9b108c36c9c05e44d46507e4647
SHA1a8c7d71f028e477357fd2ce4b333f06c70adcb1f
SHA2562bbc19c31eeef6bf85ac810c65b883f088dad3b2d839ce3e6e4e8902fa2d6d33
SHA5129f6b19c8a2a8d17dbbf6efd43cb6afdcf36ff9a26b50e6fe423f1082575dbe03246b88c2f46419cf04b2c2a20cb8fcbc0bc2703b9bfecd10416134b8fe24d92d
-
Filesize
9KB
MD5092e1199c82305567392c43d61a63f68
SHA1372b5ac0a47d0e5bad5a81d9af9783abb66eb925
SHA25642a10e0f98cc6ed5a26e3feb449600db59406956ef2d967358c34784065bd598
SHA5125dfa7a4a4205c374a4e1152075952881f67b3145330f305da18b0e0289be90086a76facbd45c824787e1359fab9e1813c2fd4bb6550c493d435f106f05706c2c
-
Filesize
1KB
MD5342a02f1db5a417ad51d5799e528ebd4
SHA170253d867a8b594154e8dd2e3e5c71f8c3da300c
SHA256574ec340b297be6f54dd09450032470a241372bf26ff887ed4fc00d025f80dec
SHA512156db89181086aadb3b2ceeb65d7f3f2e380501b0b8e9f6e95f8a96c99caf385992546ea53389ec0576578c378400fa61530d13d788b13b736144e01f068dc81
-
Filesize
632KB
MD5bcf70b6f839b72db3d92e1199a3556bc
SHA143178aef6f3b11684d2fc0f10fa62757d4ac6b20
SHA25661c08d7a64cedb15f12aaad5d400e2e562673c1f7b43b93f4890a11daf021295
SHA512e64e3eb59a0cd127487c56cb4a16d33d64eedccf8aa9300c27fb1dfb105782691db922c15ebc794365ffb769cd2d5d6b997137c18ae7277f70d0fbc8ad2b97bd