662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36

General

Target

koid.exe
Size

1.7MB
MD5

937bd53a5f505b8e9b00416590ad8d92
SHA1

5abece11f9d282ec009bf441f132676344f1ede2
SHA256

662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36
SHA512

2027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5
SSDEEP

49152:MXi87ZaoNcK9mVrSPYO1M+BrgdhwmzJnU:yvycBr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1244 firefox.exe
Token: SeDebugPrivilege 1244 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1244 firefox.exe
1244 firefox.exe
1244 firefox.exe
1244 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1244 firefox.exe
1244 firefox.exe
1244 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1244 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1244	firefox.exe
Token: SeDebugPrivilege	1244	firefox.exe

pid	process
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe

pid	process
1244	firefox.exe
1244	firefox.exe
1244	firefox.exe

pid	process
1244	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 748 wrote to memory of 1244	748	firefox.exe	firefox.exe
PID 1244 wrote to memory of 2164	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 2164	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4604	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4224	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4224	1244	firefox.exe	firefox.exe
PID 1244 wrote to memory of 4224	1244	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\koid.exe
"C:\Users\Admin\AppData\Local\Temp\koid.exe"
1⤵
PID:4444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.0.193690137\1474713485" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d027e4dd-9836-4adf-ab84-9255f24cd8a6} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1920 1d17f9a6758 gpu
3⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.1.1731967088\1809561887" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c06dfa-6ed0-434b-afed-a89a1fd63995} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2300 1d174b72b58 socket
3⤵
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.2.1604992935\1199352167" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3188 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edfc3361-edef-44cb-9554-60a5b18bc9fa} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3052 1d17f18d858 tab
3⤵
PID:4224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.3.1282633132\67501292" -childID 2 -isForBrowser -prefsHandle 2332 -prefMapHandle 2344 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c92db21c-6be7-42f7-9033-7f911485498f} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3056 1d1042aba58 tab
3⤵
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.4.1221154527\1750430783" -childID 3 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28bf08e8-635a-4c25-80e2-9149bb58fa3e} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 4144 1d106995f58 tab
3⤵
PID:4928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.6.1271674112\560983563" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7880a89-d79a-4d27-854f-a309491b027c} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 5184 1d108121c58 tab
3⤵
PID:3780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.7.566578378\1675112850" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8ecbf45-8887-4091-95ba-3cad5f60c235} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 5376 1d108195e58 tab
3⤵
PID:3456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.5.1051825444\1828789110" -childID 4 -isForBrowser -prefsHandle 5028 -prefMapHandle 4692 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8fb2da-8085-48f5-8620-1b9b54dff0fb} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 5040 1d1080b5d58 tab
3⤵
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json

Filesize
138KB

MD5
76ac4cf375536143fe44b786a58c2b78

SHA1
dbf4da0185ce42e560a98edb662080b0a05a3dd2

SHA256
fb473a0bc90c81007cf493e9774b5a8f87b03ad53865b1992b3d1053e0a184df

SHA512
a247d6088a5854428951c0d72a73ba482f21b15923b2917acd0274414d1dbadfddbab950ce9c697e5eac2ebc5547b00a736a89ad3b95c635efb3c1606e500c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
b16bde0b15bfd0a65bcb899d775372a3

SHA1
1c92a9fa97f744862b2a53cded797d7b54eba2a0

SHA256
a38219f81a192836d76f4d1aa9b953d48cea36fa64c89f182c72c078f97a550d

SHA512
33a8380962f5138716ac181df76b2e9ff21b7ad8bdc3ebc1162e73b26550a4cbaf540a713a6cbe93d5e7981148d87becef1ff2a18d8dde1c4e025caa3edb8602

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
8d2eba7be755c7ef90a2da272db8f4ae

SHA1
040df3a947821f7572f888424727e654bbac4346

SHA256
5978e74bd96ac81fe9bab0fb413e84650c9b91f2bea4f0913b8a97b31ded1d7c

SHA512
09fe1966ff8b189fa34908e6a54f5df1eed8b86aa5322d7deb696f6c774472a47d48cae18e7dadaf723009a6e61fd44b4b3325706884692f6ad7c6bda3a1474d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js

Filesize
6KB

MD5
07b2371ee6b8106b804898e81d4feb02

SHA1
830e3e7709abb1cbfd974ed39dab277c9df373fa

SHA256
b994fbb8a413a95d6f3bc4574361edc6e1d3837b2d0d836eb53925fb36fa11db

SHA512
e7402176f5fca48fb58e5e87474f46f0a79637de755e311bae2b05fa6f80cf5af27a5ba5575e7503e595334afb6a8291f950a41334874f22c9b46dccc1949517

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js

Filesize
6KB

MD5
207077fed406e49d74fa19116d2712aa

SHA1
3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

SHA256
b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

SHA512
0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
30bec3def6933599c143a25171479665

SHA1
68e6c2a405fd5dbe26b74e65f483567adf3573b6

SHA256
476c94e876ff4c48738ddea804c39452419e46fbcd640b5300b5fd6de0da4ab2

SHA512
f408e81609aa08c9f13e00a1086918d636ece0cc5b1007e24fc1c66500f784e9aef000cf266d2613218f328671e1ada0d453c77d61396f36f4449306c6c82662

Download Submit

Analysis

Sharing