| URL: | 54.154.201.6 |
| Full analysis: | https://app.any.run/tasks/98a07296-b3dc-47c6-83f1-a06746b85890 |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2024, 14:44:15 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | D4F8353FE86F974D717F90EBFEFE371D |
| SHA1: | E00033B01E5A250C68A6489974AF2D94DA23CED0 |
| SHA256: | 19EC15AE36B4822630F2BC54EC0BB84736C6DD1CC90D203362AA8858E3063AEC |
| SSDEEP: | 3:EgBT:EcT |
MALICIOUS
Request for a sinkholed resource
- firefox.exe (PID: 4248)
SUSPICIOUS
Reads security settings of Internet Explorer
- Notepad.exe (PID: 7568)
Reads the Internet Settings
- OpenWith.exe (PID: 252)
- OpenWith.exe (PID: 7228)
- Notepad.exe (PID: 7568)
INFO
Executable content was dropped or overwritten
- firefox.exe (PID: 4248)
Application launched itself
- firefox.exe (PID: 4248)
- firefox.exe (PID: 1156)
Manual execution by a user
- Notepad.exe (PID: 7568)
- OpenWith.exe (PID: 7164)
- OpenWith.exe (PID: 252)
- OpenWith.exe (PID: 7228)
- rundll32.exe (PID: 8004)
Checks supported languages
- Notepad.exe (PID: 7568)
Reads the computer name
- Notepad.exe (PID: 7568)
Reads security settings of Internet Explorer
- OpenWith.exe (PID: 7228)
- OpenWith.exe (PID: 252)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 252)
- OpenWith.exe (PID: 7228)
- OpenWith.exe (PID: 7164)
The sample compiled with english language support
- firefox.exe (PID: 4248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
134
Monitored processes
16
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 252 | "C:\Windows\System32\OpenWith.exe" C:\Users\admin\Desktop\widevinecdm.dll.sig | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1148 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5004 -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 28383 -prefMapSize 243239 -jsInitHandle 1564 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a8af69-b341-4c9f-97c6-af4f9ce02f51} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfcbbe3310 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 1156 | "C:\Program Files\Mozilla Firefox\firefox.exe" "54.154.201.6" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
| 1384 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3148 -prefsLen 23852 -prefMapSize 243239 -jsInitHandle 1564 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c320346-a0f3-44f5-b868-2e58a35cf88d} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfc77c6150 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 3696 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2592 -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2596 -prefsLen 31272 -prefMapSize 243239 -jsInitHandle 1564 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {142cf598-89ca-4fca-8f6b-12fd87aaa0c5} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfc92dca10 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 4016 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 28383 -prefMapSize 243239 -jsInitHandle 1564 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854f6304-0bb0-46b7-aba1-955ba34796d8} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfcbbe3150 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 4248 | "C:\Program Files\Mozilla Firefox\firefox.exe" 54.154.201.6 | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 4928 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 35304 -prefMapSize 243239 -jsInitHandle 1564 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22c4e0bb-b881-403e-a7d2-16b6fbfef273} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfcbbe34d0 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 5324 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 31272 -prefMapSize 243239 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b026582-97d2-465f-b33a-d01e1b0ffae8} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfc994c710 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
| 5836 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1888 -parentBuildID 20240213221259 -prefsHandle 1828 -prefMapHandle 1808 -prefsLen 25692 -prefMapSize 243239 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d83fe1a9-c7e0-47e9-b33e-34247dccbb3f} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1bfc18d5b10 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
Total events
19 715
Read events
19 692
Write events
22
Delete events
1
Modification events
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: FC65FDDA01000000 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Progress |
Value: 0 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Progress |
Value: 1 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB |
| Operation: | delete value | Name: | installer.taskbarpin.win10.enabled |
Value: | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 1 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Theme |
Value: 1 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 0 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
| (PID) Process: | (4248) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SetDefaultBrowserUserChoice |
Value: 1 | |||
Executable files
4
Suspicious files
330
Text files
57
Unknown types
102
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | — | |
MD5:— | SHA256:— | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\datareporting\glean\tmp\d4023e3f-9e4d-4a68-9b71-260d1afaf5ad | text | |
MD5:6EB0C378722D45D6F08F45D9CA82FD00 | SHA256:5002945AEC6141C444C4B2EADBDBA8176A34DE19C6FC5DB7F30B77548F3E64DD | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\prefs-1.js | text | |
MD5:6F2DA59DEF0A90EA77303CA71F24526F | SHA256:9F4E908418110B551A8ED95B579341743301BE100953AA768F3934DFD558B28F | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage.sqlite-journal | binary | |
MD5:951D329CB3F78EF37E75D882E27C5132 | SHA256:A9E366C7582B474E13D4E63D26838ED611FF7E648726E875467408D67214F78E | |||
| 4248 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | sqlite | |
MD5:2B7E042A7B3D9FBA84D4E8ACB6FFE7F5 | SHA256:19D0945EB976A1DD721168D4E8433647BCFADFD4F25CE20873973A7CAE210D27 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
248
TCP/UDP connections
99
DNS requests
114
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 23.213.164.137:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | — | — | — |
— | — | GET | 101 | 34.107.243.93:443 | https://push.services.mozilla.com/ | unknown | — | — | — |
4248 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
4248 | firefox.exe | GET | 200 | 54.154.201.6:80 | http://54.154.201.6/ | unknown | — | — | malicious |
4248 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | — | — | whitelisted |
— | — | GET | 200 | 34.117.188.166:443 | https://contile.services.mozilla.com/v1/tiles | unknown | binary | 6.11 Kb | whitelisted |
— | — | GET | 200 | 23.213.164.137:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | binary | 55 b | whitelisted |
— | — | GET | 200 | 34.149.100.209:443 | https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=fingerprinting-protection-overrides&bucket=main&_expected=0 | unknown | binary | 261 b | whitelisted |
— | — | GET | 200 | 34.149.100.209:443 | https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=hijack-blocklists&bucket=main&_expected=0 | unknown | binary | 243 b | whitelisted |
— | — | GET | 200 | 34.149.100.209:443 | https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=partitioning-exempt-urls&bucket=main&_expected=0 | unknown | binary | 250 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3732 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
1296 | svchost.exe | 104.124.11.185:80 | — | Akamai International B.V. | DE | unknown |
5668 | rundll32.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5552 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4668 | OfficeC2RClient.exe | 52.109.89.18:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
6848 | OfficeC2RClient.exe | 52.109.89.18:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
3444 | svchost.exe | 23.213.164.137:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted |
4248 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
firefox.settings.services.mozilla.com |
| whitelisted |
incoming.telemetry.mozilla.org |
| whitelisted |
prod.remote-settings.prod.webservices.mozgcp.net |
| whitelisted |
telemetry-incoming.r53-2.services.mozilla.com |
| whitelisted |
google.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
contile.services.mozilla.com |
| whitelisted |
example.org |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4248 | firefox.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz |
4248 | firefox.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst |
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |