hxxp://cf-ray[:] 7ba7b66d69ea997a-FRA

Resubmissions

19/04/2023, 20:31

230419-zaxg9afb6x 7

19/04/2023, 20:17

230419-y2sgyadc26 1

19/04/2023, 19:58

230419-yp65kadb39 1

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/04/2023, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cf-ray: 7ba7b66d69ea997a-FRA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	firefox.exe
Token: SeDebugPrivilege	1216	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1216	firefox.exe
1216	firefox.exe
1216	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1076 wrote to memory of 1216	1076	firefox.exe	28
PID 1216 wrote to memory of 1320	1216	firefox.exe	29
PID 1216 wrote to memory of 1320	1216	firefox.exe	29
PID 1216 wrote to memory of 1320	1216	firefox.exe	29
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1160	1216	firefox.exe	30
PID 1216 wrote to memory of 1460	1216	firefox.exe	31
PID 1216 wrote to memory of 1460	1216	firefox.exe	31
PID 1216 wrote to memory of 1460	1216	firefox.exe	31
PID 1216 wrote to memory of 1460	1216	firefox.exe	31
PID 1216 wrote to memory of 1460	1216	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "http://cf-ray: 7ba7b66d69ea997a-FRA"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "http://cf-ray: 7ba7b66d69ea997a-FRA"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.0.611762303\1921867057" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3772d61f-656b-42af-8b4b-742202b1a4c0} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 1276 13b17258 gpu
    3⤵
    PID:1320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.1.1543795126\1176868211" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {301a0ed3-2b0a-43d5-9f2d-750daebd4e3e} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 1480 e71358 socket
    3⤵
    PID:1160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.2.768667778\595792956" -childID 1 -isForBrowser -prefsHandle 2076 -prefMapHandle 1724 -prefsLen 21119 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58b1e6bb-9747-40be-b09f-18da64eefde4} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2060 12997158 tab
    3⤵
    PID:1460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.3.1523945650\2124678123" -childID 2 -isForBrowser -prefsHandle 824 -prefMapHandle 1624 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd2853ce-535b-4052-825e-52a004661f98} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2436 e72e58 tab
    3⤵
    PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.4.1007926543\1820976535" -childID 3 -isForBrowser -prefsHandle 2804 -prefMapHandle 2796 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {654bc679-1f72-4ceb-bf95-ee59520fd295} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 2824 e62858 tab
    3⤵
    PID:1884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.5.312166325\2038756728" -childID 4 -isForBrowser -prefsHandle 1072 -prefMapHandle 2916 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b16e9817-8d31-4f60-9393-6edd958c9666} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 3636 1d852958 tab
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.6.624771956\1348124884" -childID 5 -isForBrowser -prefsHandle 3628 -prefMapHandle 3596 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07536f29-90ca-4713-bfe2-ded536dc92f2} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 3708 1dd93e58 tab
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1216.7.1947264058\1896813715" -childID 6 -isForBrowser -prefsHandle 3696 -prefMapHandle 3632 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {507f7ed5-550d-45a5-83b5-07e8e75e2960} 1216 "\\.\pipe\gecko-crash-server-pipe.1216" 3792 1dd94458 tab
    3⤵
    PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
162KB

MD5
1f503f7a467fd287af8580b23ae65adf

SHA1
f203a9d15dfbd0f4dcccdac7967ef905ae865c48

SHA256
aa67f79476a69d74cda85c9b21b1caad02e989a5176df5378bdedd61219ff5b1

SHA512
007c1af3ad65ab121b807355e135dfec99de43aa3d4835fa5a29c62a3b08a365da8c7a73b4644208584bebe5fbe381bb4a09346fb5ae2b0286a97ca06d745c9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.js

Filesize
6KB

MD5
024c6fe18df82522164511c697474338

SHA1
152f2037990159375f4846bec398c223ac5e6ba0

SHA256
2bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2

SHA512
071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e184033c268d6b9e3e4373f853ec0ce3

SHA1
394a8022f8426886340848acca3c164c8279d88d

SHA256
241dda3a8b647976fc8ee1b9a46e85f9a071fc64f0d653159b952951dd00e697

SHA512
2552982536939a1454f3a59f97448ae501c9d22e3c042827a25c3a79edf526b9f2ee515bde0010b74d6d81dd851eb62878dd30d5a8aaf85b6cc52dd9a0423eb0

Download Submit