hxxps://itsgtgookc63eed0259d7af[.]decounet-io[.]ru/Mviczina@microsoft[.]com

General

Target

https://itsgtgookc63eed0259d7af.decounet-io.ru/[email protected]

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 376 firefox.exe
Token: SeDebugPrivilege 376 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

376 firefox.exe
376 firefox.exe
376 firefox.exe
376 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

376 firefox.exe
376 firefox.exe
376 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	376	firefox.exe
Token: SeDebugPrivilege	376	firefox.exe

pid	process
376	firefox.exe
376	firefox.exe
376	firefox.exe
376	firefox.exe

pid	process
376	firefox.exe
376	firefox.exe
376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 1624 wrote to memory of 376	1624	firefox.exe	firefox.exe
PID 376 wrote to memory of 340	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 340	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 340	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 316	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 1196	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 1196	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 1196	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 1196	376	firefox.exe	firefox.exe
PID 376 wrote to memory of 1196	376	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://itsgtgookc63eed0259d7af.decounet-io.ru/[email protected]
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://itsgtgookc63eed0259d7af.decounet-io.ru/[email protected]
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.0.556780773\1045338974" -parentBuildID 20221007134813 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {455ffcb2-9ba4-47e9-8540-4edc6c2d1cc3} 376 "\\.\pipe\gecko-crash-server-pipe.376" 1252 13d17858 gpu
3⤵
PID:340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.1.139127673\209824477" -parentBuildID 20221007134813 -prefsHandle 1444 -prefMapHandle 1440 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6972b0b6-6e9e-44c5-a395-95b8478c5bc7} 376 "\\.\pipe\gecko-crash-server-pipe.376" 1456 422c258 socket
3⤵
PID:316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.2.374881725\1923323556" -childID 1 -isForBrowser -prefsHandle 1856 -prefMapHandle 2008 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ccb2c1-0ec9-4450-b67a-78407e92a5d4} 376 "\\.\pipe\gecko-crash-server-pipe.376" 1984 19fed358 tab
3⤵
PID:1196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.3.613845665\896415061" -childID 2 -isForBrowser -prefsHandle 2836 -prefMapHandle 2832 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e1ca012-56ae-45fa-ac36-21ffbce80ed0} 376 "\\.\pipe\gecko-crash-server-pipe.376" 2848 e62658 tab
3⤵
PID:940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.4.1698360052\536927674" -childID 3 -isForBrowser -prefsHandle 3368 -prefMapHandle 3372 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f1e895-e6c0-4d34-a939-1f496ac19828} 376 "\\.\pipe\gecko-crash-server-pipe.376" 3400 1b7a4b58 tab
3⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.5.683537697\361631066" -childID 4 -isForBrowser -prefsHandle 3416 -prefMapHandle 3124 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76498a95-f673-43ab-8666-9eb49149fa28} 376 "\\.\pipe\gecko-crash-server-pipe.376" 3428 1de90358 tab
3⤵
PID:2172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.6.997815492\1907328211" -childID 5 -isForBrowser -prefsHandle 3596 -prefMapHandle 3384 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31674979-3e07-42ee-b09b-9fe6bea2d44a} 376 "\\.\pipe\gecko-crash-server-pipe.376" 3416 1de90658 tab
3⤵
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="376.7.1967803324\1900278299" -childID 6 -isForBrowser -prefsHandle 2520 -prefMapHandle 620 -prefsLen 26905 -prefMapSize 232675 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a04f22f-992e-423d-bfd8-d6ed55931a66} 376 "\\.\pipe\gecko-crash-server-pipe.376" 1040 e62058 tab
3⤵
PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzjlrayv.default-release\activity-stream.discovery_stream.json.tmp
Filesize
147KB

MD5
f989140298e361a12dfc1ce5784a5207

SHA1
0cfc4657be1bddb6565c88705848271bd1552db5

SHA256
10cb85898f10b3373ca6c9826fd021060ffd929ae110b59b92dc19ccc4adac07

SHA512
0e119f117a2509a585948988733045d092bcf41738cf0d4f8100ae6bf81fc20b0839e852c8215e1fdf4a1da34151619ccc61881037b0b27a38b7e7c1d4f3c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
7KB

MD5
61f7ee59bf40d9e2535be339a95dcb7f

SHA1
d30459e09ee189696b221f55ebb7f0733050d7d3

SHA256
95ccbe8c247c3eef3b410373906f288f94df8322b05f574f26cb00a68b3d5593

SHA512
8d216f91424a4ab2e60e45911fc6a4c8f8d21681f716e32bd059bc9b8d1fd25364a35babbd441fc219bd44a1ab9d4ed62a2547ba7b83cbc3f2142db390a5057d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\prefs.js
Filesize
6KB

MD5
26b09660b11450d3ead4bc6a2a4d0077

SHA1
d69e65efae83a24184703949b308de45d0217880

SHA256
633729ab3e06b4e256b80cf5d77d5d51fff9e509e35bfa2d3fa44eabd76b7ef2

SHA512
fbca4293de0bc263568762c6f19ad31fd57c0538060f8a4370a472e3fc6a9544468267ebd7c1e74b1ff18e98e33f633e1198220c7c6a5d88f07fda16dd15e377

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
9271a6e66cbcc80c57b04607d8c568f1

SHA1
5f7e97ba20b29d36e1f55efbd2068ab702d4779b

SHA256
5c5b70d6de8df88d5f40cff2b2a4d064d02fbfe3b5b7a4545766914533951318

SHA512
41839339b669e106d922e616b1f8b0ebf29eabcd1e5bc48caa38d696a69d6eec832544ec57db50beecbae74eb3ff66be767b304579574fd33cae82fe0a286d15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
935B

MD5
56a46bbc48fb1ff0f12cf503db2b87a3

SHA1
1ff71d2512f99ed945b507152496cdc2773618a7

SHA256
4f8a92b375029a74de3af49ea663f90ef9b18a8b574f105ea8f8344f53c74c72

SHA512
a3952574c20672e12d9a330cee1dbecccf558132eafa6b556400baf736ab514dbe1b240ecf4dd3d90768b2afb4f87021f48324d2c4be82f172f3a72c1a7a14ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzjlrayv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
e9c24ab05c7c49ec99d47b02eb2f8b23

SHA1
ae45e04cfff8af51496377ab4b39e347a6743de6

SHA256
873581a6a03daa2417718fb3c51e5ac59bc4e62896cc51ee0af47a47f370c30e

SHA512
5d7266c2ed1780eb3703a2ad80a37a75a0a997fa0f9660b566d58139c772efd03a2008556734724a7cdd2eb344435a5136aaa55027eb8fbcff44a830cf6f091a

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing