hxxps://augvxmnkgv640fd690c21b6[.]c2documents[.]ru/#admin@web[.]de

General

Target

https://augvxmnkgv640fd690c21b6.c2documents.ru/#admin@web.de

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4124 firefox.exe
4124 firefox.exe
4124 firefox.exe
4124 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4124 firefox.exe
4124 firefox.exe
4124 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4124 firefox.exe

pid	process
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe

pid	process
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe

pid	process
4124	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4180 wrote to memory of 4124	4180	firefox.exe	firefox.exe
PID 4124 wrote to memory of 1592	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 1592	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4108	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4704	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4704	4124	firefox.exe	firefox.exe
PID 4124 wrote to memory of 4704	4124	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://augvxmnkgv640fd690c21b6.c2documents.ru/#admin@web.de
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://augvxmnkgv640fd690c21b6.c2documents.ru/#admin@web.de
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.0.675542369\940372117" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f6e3c3-b7d0-414f-97c7-689f43c654f6} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 1716 226e2419058 gpu
3⤵
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.1.1304867185\1448694188" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a814036-82f8-437d-86ab-096831daf62e} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2168 226e130f558 socket
3⤵
PID:4108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.2.29524235\1450541864" -childID 1 -isForBrowser -prefsHandle 2696 -prefMapHandle 2856 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27f52ef7-b6be-4aca-8186-36bf83e5fdc8} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2692 226e51cdb58 tab
3⤵
PID:4704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.3.1005302807\320924771" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {863a95e3-8cf7-4a24-8ce8-d5e2b8c00c0d} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 3692 226e6753358 tab
3⤵
PID:4856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.4.1910834977\1622772408" -childID 3 -isForBrowser -prefsHandle 4536 -prefMapHandle 4604 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f10a7b-6489-4d28-afe8-c5506f998478} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4600 226e7769c58 tab
3⤵
PID:600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.6.710454070\154055183" -childID 5 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4292601-ca38-42c0-83e2-37d2b0a10afc} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4896 226e79a3558 tab
3⤵
PID:5088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.5.1753618460\671127954" -childID 4 -isForBrowser -prefsHandle 4736 -prefMapHandle 4740 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee291ac-24db-4a7a-8fa1-6fb3ad1fc698} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4728 226e79a0258 tab
3⤵
PID:5084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.7.325195287\1670721254" -childID 6 -isForBrowser -prefsHandle 5088 -prefMapHandle 5128 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b165126f-1cd9-4038-b73e-ad21bb8ed3b2} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5192 226ce966658 tab
3⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp
Filesize
141KB

MD5
a0298241b8e805fa33d58a96214e048b

SHA1
553c840ac7e8cbdf8a50e6c5a2a48ece34c8695c

SHA256
270cb5f6144f919cd7a069ffcea2c91277b52d32c8b8e71ed73d9721c5c75e64

SHA512
99d1bf02933652f66333c041ba55a81d92c5af85aa618aa63c62cf1819d993c83d9449bf5aa9356668f475c43bc682aa855cac50e6b2f6ab0b77ace1a41f0654

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js
Filesize
6KB

MD5
c205c8a6591363331cd60c7286ad4ac1

SHA1
7d4c89374e88116484984f5d0b5df0d59aa63ecf

SHA256
81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0

SHA512
fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
990d6cf2a947f96ee9a156a10a221a60

SHA1
2f97e12a4d78626431ae2ec6c88e2e62c93e6008

SHA256
3390ca5b9521a75293e9b7f6f1b339d465f4bce528a34c6afad7b643a7919336

SHA512
95f0a5a5183c8b74576f6b942737b394c493105e9a48b9976582d9e6600d6640034b9fbd7d465aa722a097ae948c1a6172627304c00f78b1d9681075a24b1d26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
1f9d71095f5fa4ed4e4c405dd3970847

SHA1
d6b57e4ba74510e80020516965f8dda3120838d0

SHA256
5374ed4d3009273c41392283fc1d70e542cc5808ddbe6515a7e5ee77efdc8b4b

SHA512
cf4cc9dca1d00b3448050bff964aa94b838d4920c4f9c6ad188eab2f64dc6407adb82a57d66a708887027cd309bad062fbe1c88c8943cfc462f7d19f7aabf8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
643cd63a8abcd7eab522adb4d02ae609

SHA1
942172af5063027de9d7cf192afdb4bda2d525f9

SHA256
1986ca783bab9b41c6b6318739e11fb4f3e0dbf96656597c947f7300985b2060

SHA512
9622b7aaf84f8dfe272987e0c76ced9ddf9588fd51838e32b71a81129fbc5ce77c1180439887dac3cd37c4964a0fc180f1a0026eb2eb8f31584abb38e65e14f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads