hxxp://cf-ray[:] 7ba7b66d69ea997a-FRA

Resubmissions

19/04/2023, 20:31

230419-zaxg9afb6x 7

19/04/2023, 20:17

230419-y2sgyadc26 1

19/04/2023, 19:58

230419-yp65kadb39 1

Analysis

max time kernel
150s
max time network
128s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19/04/2023, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cf-ray: 7ba7b66d69ea997a-FRA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 1872 wrote to memory of 2024	1872	firefox.exe	66
PID 2024 wrote to memory of 2668	2024	firefox.exe	67
PID 2024 wrote to memory of 2668	2024	firefox.exe	67
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 5000	2024	firefox.exe	68
PID 2024 wrote to memory of 3588	2024	firefox.exe	69
PID 2024 wrote to memory of 3588	2024	firefox.exe	69
PID 2024 wrote to memory of 3588	2024	firefox.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "http://cf-ray: 7ba7b66d69ea997a-FRA"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "http://cf-ray: 7ba7b66d69ea997a-FRA"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.0.1709334625\1675184881" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1644 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09ad3b97-210c-4235-8e5f-a7dd408435fd} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1732 2231a719858 gpu
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.1.2044238579\1244841507" -parentBuildID 20221007134813 -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fb947ee-5c52-4a67-aea7-a72c6552c9b5} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2088 2231a50a558 socket
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.2.2112348470\402016192" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2660 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe050c42-c16d-49a5-9099-4179468a7c0e} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2592 2231e3f3f58 tab
    3⤵
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.3.750002838\2130494148" -childID 2 -isForBrowser -prefsHandle 2228 -prefMapHandle 1548 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0bc80cf-862c-4a56-b63a-47c399f53fdc} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1284 2230ee71058 tab
    3⤵
    PID:3736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.4.1038971105\1039139863" -childID 3 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99237a9d-2bff-4f93-b82c-e5ee8e90ae68} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 3840 2231e3f3658 tab
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.5.372915522\1620087231" -childID 4 -isForBrowser -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {788ce7ad-9e99-4ad1-9393-f1c96d2e4859} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4804 2230ee2f358 tab
    3⤵
    PID:4112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.7.1603824998\849743113" -childID 6 -isForBrowser -prefsHandle 4848 -prefMapHandle 4836 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29b0b356-9576-4019-8264-c661073120e2} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4952 22321198b58 tab
    3⤵
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.6.1891585294\1987054916" -childID 5 -isForBrowser -prefsHandle 4800 -prefMapHandle 4796 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a4c866-5573-49f8-bee2-ee0a24c76d57} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4824 22320bc3b58 tab
    3⤵
    PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
162KB

MD5
f8dd847c346089adeba915ef32252f64

SHA1
fcacbd636fff5ea2d99807c9f54ef0b87f051d1e

SHA256
576503faf7a343b247fd1c6c74312324c3bc75b032f54ec29838a4a5ab0768b0

SHA512
0a2a5dab3d878c4bcac1551e8e2858186234b447b3e6d266b917d6e1fcc26418985c8b76853b7f7741123bb71fbd05813d9dcd244aca014326686ad6b635fb94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js

Filesize
6KB

MD5
c205c8a6591363331cd60c7286ad4ac1

SHA1
7d4c89374e88116484984f5d0b5df0d59aa63ecf

SHA256
81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0

SHA512
fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2d028fdf18a4cc08afc3fb91fb3da1f0

SHA1
bfb2f2c7e8e4c492d5b08ff7b51855b85a086a08

SHA256
461853f35cbfd789ce1d4f366767fa63212e9f4af4f068dbece14c624af2010d

SHA512
70ed717b62cde0db43e9d41f3c17743e62901120d41b6040a88a1bdbbb568e155affdc321e551fdd22fdc99cad31cc9d074b248f1249c9397764df4195539ff4

Download Submit