hxxp://qrfy[.]com/p/HtLTEt_9yj

General

Target

http://qrfy.com/p/HtLTEt_9yj

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 820 firefox.exe
Token: SeDebugPrivilege 820 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

820 firefox.exe
820 firefox.exe
820 firefox.exe
820 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

820 firefox.exe
820 firefox.exe
820 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

820 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe

pid	process
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe

pid	process
820	firefox.exe
820	firefox.exe
820	firefox.exe

pid	process
820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 820	3544	firefox.exe	firefox.exe
PID 820 wrote to memory of 208	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 208	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3460	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3096	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3096	820	firefox.exe	firefox.exe
PID 820 wrote to memory of 3096	820	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://qrfy.com/p/HtLTEt_9yj
1⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://qrfy.com/p/HtLTEt_9yj
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.0.288800961\1807872530" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28d5cd00-fec4-4ba0-b2ee-ad5573e34b61} 820 "\\.\pipe\gecko-crash-server-pipe.820" 1924 1ba06017458 gpu
3⤵
PID:208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.1.2109102121\1394349493" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a70d113-9a87-4fad-8285-0c68d67b035e} 820 "\\.\pipe\gecko-crash-server-pipe.820" 2424 1ba04e0cb58 socket
3⤵
PID:3460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.2.1311227475\2035468633" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3356 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c81283a-21e0-4404-8e52-e5137016c974} 820 "\\.\pipe\gecko-crash-server-pipe.820" 3096 1ba09014558 tab
3⤵
PID:3096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.3.318650325\1960681556" -childID 2 -isForBrowser -prefsHandle 4160 -prefMapHandle 4156 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed6d0dbe-6825-4ac2-9f00-68d071371f60} 820 "\\.\pipe\gecko-crash-server-pipe.820" 4172 1ba78060458 tab
3⤵
PID:3380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.4.231876837\1648831339" -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 4684 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {830d8ba1-aa76-41e5-aa1c-38660581ab76} 820 "\\.\pipe\gecko-crash-server-pipe.820" 4692 1ba07c84558 tab
3⤵
PID:4236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.5.951795988\299083278" -childID 4 -isForBrowser -prefsHandle 3176 -prefMapHandle 3444 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecdde7b6-4c68-46de-a00d-55e27ee6fae5} 820 "\\.\pipe\gecko-crash-server-pipe.820" 5016 1ba0bae6358 tab
3⤵
PID:4480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.7.1085037529\1089146384" -childID 6 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea60db2b-56b6-43b0-964c-4d098d814f5f} 820 "\\.\pipe\gecko-crash-server-pipe.820" 5288 1ba0c0c1e58 tab
3⤵
PID:2664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.6.1519351646\872649263" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5092 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee413ed-0f7a-48a0-a9f4-55ef6e261597} 820 "\\.\pipe\gecko-crash-server-pipe.820" 3132 1ba0bae7e58 tab
3⤵
PID:2364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="820.8.1053058717\1407685246" -childID 7 -isForBrowser -prefsHandle 5096 -prefMapHandle 5684 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aa94e1f-0cbf-418a-b8da-ec559667daa5} 820 "\\.\pipe\gecko-crash-server-pipe.820" 5728 1ba0d5d3158 tab
3⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
144KB

MD5
6d8a0e19731fa79b1dc94f202780f3e8

SHA1
498266e652b5495f279b0fa5f17dc580079d24f0

SHA256
021cfcce73deaab0a3030896b10fe0f922bc28889ecc6375ce271c285e7fdb9f

SHA512
a830351a0c261b537b76af2615dac791e09accf1a6aa371578495343567e939aa7f16086528afc47ac143a6a988c1f8d1f5d75a24d2892c0acd8f079e2cddbef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
d750c2ba08bcbab94ff4264a264ebde7

SHA1
ab52ee15c6fec13cb1c74b6d773b7d5c33f1ab68

SHA256
9a718d7fbddac7549408d2fb52de75ab1a99c21bd4d84b61f8722611c7acf850

SHA512
de151695e23b747d8198bba4f77c86b326f96c9f2ac47bb0ae3c99fa66e02d43c80aa62493c5d6fd4759bf9e9e2c02989ba441bc34e66554cc4b77ac8a59ff6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
29b2e9361d99d797319f5be97d70b797

SHA1
5ae2fabe27110642b28565b9232b25e359dc9335

SHA256
3735b530190e2e21c436dea470600288a88c82cc6f8531cfec613a5f9cd2285f

SHA512
80ed4a4f5f7c96cb0b145dcdc0f2b81a1102f4ffbbf7bfd2cc3ebb946b2d6ece877aceed12249df2afe11b14cccd99158a54b2ad9eb4be2ee459e5a10038f090

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
372525a3c4b952fff0cad3b1d9549586

SHA1
817764b94ce1c8e7755b605c1f4c20cf109bee14

SHA256
e90d6b56932f4264a4d4e93b42b7664d07afdd9836bc596a0575c9bd6981ab27

SHA512
9fe03512d901be1ea2c37a7051fcfa7561255bf0734257315f5fe2734218cb832f60c9d705e6528d4ddd6b21a4843f99909ff40ebf77820e13166da51996b5d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a714b47d2ed63f5db7d5ab668c2b2e41

SHA1
6cb5dc5a4670a2c2b11e409928b80ba3f63fe0a7

SHA256
a73d95d9e9053e854c0e27d00bbfab9cc11e6e46e3a98479051fb4e70d174315

SHA512
e0e9c003d9ab3ee1e09296f282c8ee7dea749143d6d51c7fb91a92eb32faa3c47d7b89477c8adf9e854f6b7f704e8560226d6464bd04448fb5825a655c679db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
00afe6d7933618dd71764f603d1b2583

SHA1
c3da1f28320ab63713fb50e852a8bc5ffdfaf4c4

SHA256
e114bf522d72730914438f92a96c5bc7084d2b01c67c6cf74753f6e7dafdf9ac

SHA512
c693a7e3387966fda01f179b4e8ec5eb3f017a38645a174f57fed7ede4c2d40f3706acd4220fc1a270ea39add309246e53756f1811adf74ffef6e274ccec7468

Download Submit

Analysis

Sharing