hxxps://x8ioeg[.]canksru[.]ru/Mebach@microsoft[.]com

General

Target

https://x8ioeg.canksru.ru/[email protected]

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 824 firefox.exe
Token: SeDebugPrivilege 824 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

824 firefox.exe
824 firefox.exe
824 firefox.exe
824 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

824 firefox.exe
824 firefox.exe
824 firefox.exe

description	pid	process
Token: SeDebugPrivilege	824	firefox.exe
Token: SeDebugPrivilege	824	firefox.exe

pid	process
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe

pid	process
824	firefox.exe
824	firefox.exe
824	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 1204 wrote to memory of 824	1204	firefox.exe	firefox.exe
PID 824 wrote to memory of 676	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 676	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 676	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 552	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 1532	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 1532	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 1532	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 1532	824	firefox.exe	firefox.exe
PID 824 wrote to memory of 1532	824	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://x8ioeg.canksru.ru/[email protected]
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://x8ioeg.canksru.ru/[email protected]
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.0.1661886428\1699616228" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed88110a-0908-462d-a13e-4e03030c6164} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1268 13baac58 gpu
3⤵
PID:676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.1.1248783274\1637630072" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {421735e4-6a88-4749-af86-e1691432b4c7} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1472 e72858 socket
3⤵
PID:552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.2.1865120081\362170345" -childID 1 -isForBrowser -prefsHandle 2008 -prefMapHandle 1688 -prefsLen 21899 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44425987-16dd-4125-b6e5-8c7d1cafec16} 824 "\\.\pipe\gecko-crash-server-pipe.824" 2020 19cedd58 tab
3⤵
PID:1532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.3.1791864495\1338787717" -childID 2 -isForBrowser -prefsHandle 2852 -prefMapHandle 2848 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {974f40ec-ae44-4a4d-8cff-61dff6970113} 824 "\\.\pipe\gecko-crash-server-pipe.824" 2876 e62858 tab
3⤵
PID:380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.4.1912584021\1486488308" -childID 3 -isForBrowser -prefsHandle 3356 -prefMapHandle 3372 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80eb361c-0709-4912-94fc-3f62284f7cb5} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3396 1db18658 tab
3⤵
PID:2248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.5.1522438293\1923307060" -childID 4 -isForBrowser -prefsHandle 3400 -prefMapHandle 3388 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8103187-e4f8-434c-88fe-cdc84df440e5} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3436 1db16258 tab
3⤵
PID:2260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.6.680913798\762463565" -childID 5 -isForBrowser -prefsHandle 3420 -prefMapHandle 3412 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90c6113-02bb-407c-93ed-13ad76f48bb1} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3532 1db17158 tab
3⤵
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.7.1110300080\1384568771" -childID 6 -isForBrowser -prefsHandle 2304 -prefMapHandle 1832 -prefsLen 27041 -prefMapSize 232675 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c57bb71-e42e-4254-86a6-26ec2505bc2e} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3024 19deed58 tab
3⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\81ei91hh.default-release\activity-stream.discovery_stream.json.tmp
Filesize
151KB

MD5
4f412ab2d9baabb89c5165ada1dad756

SHA1
3f268b98dfcd592c76a86ce802d0f72ebe40c8f4

SHA256
4970e4c245e920b0b9e964675ed120b48636d7fcbbbba1f59a9f66bd9e193dcf

SHA512
f927a5af1a2c5b48e5d9c1f5a955d0e1139b3a0346dfef96bbf32256cdbc5b6618eb51d3b66fbb72ff6a0f16b12a5027d7b704f899613fa694299d8110a83512

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
9KB

MD5
5940f9c843e03d8d5dfc5941f8a01eed

SHA1
085c740f80c205366f1fd661f27f7a1cba183f3e

SHA256
788c0190146873b6b042ed55c678389731673e4aec74e7f5f2e7affb56d3524d

SHA512
9ef1b828bcc5f38036bb77a591667764654d73226329df7faa7030d23c20e56e108c9d3cc1ccc931ef16ed97060d680fbfb66ecf2c13adf816004f0d88fb6be4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\prefs.js
Filesize
6KB

MD5
287079c0a70882ef8bb416820d8184ad

SHA1
67f9835b12c37eee8e6d0e00dbc303d8f7d9a772

SHA256
cdce500c9efcf5aaa92013a70429d0fb43331c7f28472a7186f8079e510b91b1

SHA512
05048711b5b6c658a6f7c522d33e0260b25f7ba970bd129adba232d68c82ca018fee195022a880972204f5d4566cbb89f2d4063741b0df1aafa8e8bf7d5795b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
63b750994437ab3ff1ea61e83bdbed7f

SHA1
5bdad356adb07b606edfa20f4137ed515cec5d9e

SHA256
19e1c1599598d3270f4fa6322449024f653900d2a65689c53a0d551cadf5ef57

SHA512
7d09e2db5d87885bad73095b1f2503ca392c83b51228e040962dbb62f87be8485f5252651084cd5a94faf4ae598046517708f891e9155848006d6d74ca006fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
939B

MD5
271bdded1ecf9986d5b050e70ba3ba13

SHA1
4d61e6ea1399a5f49e4e2dfd7d1d45954c359a30

SHA256
79cfa8b5ed0cfc2f1d56cbb1c72f27a485d713350e5a4d6999599213e7b8049d

SHA512
2ee50c34bc84dc84bcc4b2f2064b0a8507e9cf29fd70745f29db93358bc13953ec5b2afbb1f5ec623da0baaa62c9d5b39b2e244db71b4d8ae9be67eec65172fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\81ei91hh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
fb732ab90ae806de2a908ea466074728

SHA1
384b71583a2741ec314d2f1a6f04a715ded9dbb0

SHA256
149d40bd736f752eb14a352c83abf35a2affe987c7f0aa4af0add7b988b49132

SHA512
b5fe272d713cd5a97bbddcb960cbe068603d67ba1a7ec48dcee80b9495e5cae0a21222df7bf9481fa42c7f5419c1008344aac4680e057d4e62c48566e3754a71

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads