800477b551280f56cd0b970084e7017da229039fd6be2d89a56e113acafb9746

General

Target

Credit Note CN233339.pdf.html
Size

13KB
MD5

fbda57b6382cf2219cb469a19b229932
SHA1

44af629cf7b7ceb9a2be3040951d70c6a94b81c6
SHA256

800477b551280f56cd0b970084e7017da229039fd6be2d89a56e113acafb9746
SHA512

c41d30fcd9f1862d6a17ebfd4b050bbd0e0e421291dbe493bf1b744311d1f781c9a9d05499862e0927bd6e79196221eb8cc18a779a78f46a60aed659318dd5a5
SSDEEP

384:PgahOZukLObBnPGdYxNAPoIIklxYqoprLlH6Qzcgi4UEbVNobJ6Tx:PgaUZukLOtnPEYxNAAIzlxYNprLlHgg9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1368 firefox.exe
Token: SeDebugPrivilege 1368 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1368 firefox.exe
1368 firefox.exe
1368 firefox.exe
1368 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1368 firefox.exe
1368 firefox.exe
1368 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1368	firefox.exe
Token: SeDebugPrivilege	1368	firefox.exe

pid	process
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe

pid	process
1368	firefox.exe
1368	firefox.exe
1368	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1536 wrote to memory of 1368	1536	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1400	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1400	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1400	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 576	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1700	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1700	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1700	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1700	1368	firefox.exe	firefox.exe
PID 1368 wrote to memory of 1700	1368	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\Credit Note CN233339.pdf.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\Credit Note CN233339.pdf.html"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.0.390008783\103674748" -parentBuildID 20221007134813 -prefsHandle 1160 -prefMapHandle 1152 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6d3140-15c5-4b8b-81d8-7f2122ebb6f0} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1248 14119058 gpu
3⤵
PID:1400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.1.1727119630\1918241498" -parentBuildID 20221007134813 -prefsHandle 1440 -prefMapHandle 1436 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31d19fcc-d9ca-4b49-8d82-81bc54e55c91} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1452 e72858 socket
3⤵
PID:576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.2.848775851\366399596" -childID 1 -isForBrowser -prefsHandle 1992 -prefMapHandle 1988 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2e897b-8edd-4ab3-b5f3-6bb0fe005709} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2148 1a5e0a58 tab
3⤵
PID:1700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.3.1604458054\586041555" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9503347-9213-4948-8841-84c5abc70a5c} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2824 e62558 tab
3⤵
PID:1108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.4.279987998\2110539890" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3652 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c284fbf-d654-4208-9f06-bd94617cecfb} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3708 1bda4958 tab
3⤵
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.5.248711067\1976957535" -childID 4 -isForBrowser -prefsHandle 3604 -prefMapHandle 3672 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d0278fb-d702-40f1-9a6c-f6dbecd5279a} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3732 1d853c58 tab
3⤵
PID:2324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.6.1005935051\836201433" -childID 5 -isForBrowser -prefsHandle 3704 -prefMapHandle 3664 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9f94f2-76db-4b00-a4c2-68ee31e6f0ff} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3796 1d854e58 tab
3⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzjlrayv.default-release\activity-stream.discovery_stream.json.tmp
Filesize
147KB

MD5
f989140298e361a12dfc1ce5784a5207

SHA1
0cfc4657be1bddb6565c88705848271bd1552db5

SHA256
10cb85898f10b3373ca6c9826fd021060ffd929ae110b59b92dc19ccc4adac07

SHA512
0e119f117a2509a585948988733045d092bcf41738cf0d4f8100ae6bf81fc20b0839e852c8215e1fdf4a1da34151619ccc61881037b0b27a38b7e7c1d4f3c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\prefs.js
Filesize
6KB

MD5
26b09660b11450d3ead4bc6a2a4d0077

SHA1
d69e65efae83a24184703949b308de45d0217880

SHA256
633729ab3e06b4e256b80cf5d77d5d51fff9e509e35bfa2d3fa44eabd76b7ef2

SHA512
fbca4293de0bc263568762c6f19ad31fd57c0538060f8a4370a472e3fc6a9544468267ebd7c1e74b1ff18e98e33f633e1198220c7c6a5d88f07fda16dd15e377

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
249e9915813936f69c5861ff2a9304d2

SHA1
ce11933e393be8efdc170925309bcf1c38cce5e2

SHA256
63db0635614c0ba2b79b460ed4930776887208a223f6f11afc07b0c006f30497

SHA512
9e091897134cff1fdd5e13a381facb11426587c1b23ef8cf5f5276f3f460c7a0b7a725ab7efcf60f76f29d095bbd01be1eaaab0134061d64c26534bcf513ba87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
e9c24ab05c7c49ec99d47b02eb2f8b23

SHA1
ae45e04cfff8af51496377ab4b39e347a6743de6

SHA256
873581a6a03daa2417718fb3c51e5ac59bc4e62896cc51ee0af47a47f370c30e

SHA512
5d7266c2ed1780eb3703a2ad80a37a75a0a997fa0f9660b566d58139c772efd03a2008556734724a7cdd2eb344435a5136aaa55027eb8fbcff44a830cf6f091a

Download Submit

Analysis

Sharing