hxxps://plum-weary-pronghorn[.]cyclic[.]app/

General

Target

https://plum-weary-pronghorn.cyclic.app/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: 33	1388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1388	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4680 firefox.exe
4680 firefox.exe
4680 firefox.exe
4680 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4680 firefox.exe
4680 firefox.exe
4680 firefox.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

firefox.exeosk.exeDllHost.exe

pid	process
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4680	firefox.exe
3712	DllHost.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4488	osk.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4488	osk.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4488	osk.exe
4488	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4188 wrote to memory of 4680	4188	firefox.exe	firefox.exe
PID 4680 wrote to memory of 4932	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 4932	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3636	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 4808	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 4808	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 4808	4680	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://plum-weary-pronghorn.cyclic.app/
1⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://plum-weary-pronghorn.cyclic.app/
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.0.1468818493\1786054850" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1644 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3721d647-6129-441c-a5a7-fbe4c410f458} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 1748 183acdf5b58 gpu
3⤵
PID:4932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.1.562911819\283917175" -parentBuildID 20221007134813 -prefsHandle 2188 -prefMapHandle 2184 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46040299-5f49-483d-8d7e-a5b5076979f4} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2200 183acd14b58 socket
3⤵
PID:3636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.2.2106207249\803903915" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2864 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c52343-4310-4983-935c-23ba3be84b46} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2828 183b100ae58 tab
3⤵
PID:4808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.3.526300352\1681532292" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9418b58c-a7da-4c52-974b-14b56b19837f} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3544 1839a662858 tab
3⤵
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.4.1299335974\1568449884" -childID 3 -isForBrowser -prefsHandle 4636 -prefMapHandle 4632 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ab6dfb-26f9-49c0-973c-f4016c6646f3} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4648 183b3408e58 tab
3⤵
PID:580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.5.1030892281\1331939457" -childID 4 -isForBrowser -prefsHandle 4576 -prefMapHandle 4652 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f03fa8a-50fe-4fe3-9b89-cb694146716f} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4776 183b3409458 tab
3⤵
PID:1808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.6.700596748\1652385020" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 5060 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6118994f-fe38-49da-bc18-b73e85aa75d9} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4980 183b340b558 tab
3⤵
PID:4220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.7.1756083519\571589365" -childID 6 -isForBrowser -prefsHandle 4652 -prefMapHandle 4872 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c845de73-91c8-4367-ba1b-de809e1fe5fc} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4844 183b0e6e558 tab
3⤵
PID:2704

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize
141KB

MD5
808cb9f8bce7a18b7e083ad4c35e9ef2

SHA1
32133758fbf9b47d3caad8ff50964d96a6242c8d

SHA256
d95b50de43f0c989ffc8429bc965c7c202565c95b6ddea49e21cf3d82a5dbc08

SHA512
e40896c66680ff2ea97c8cf14efd41a5bd6e85c9551e4e2d51da38fc10774ace51841a24847d24daf2a616b40a9efdf62ac0e0d1db358e33b4705513afb27d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
Filesize
6KB

MD5
f843fc3b858888d342076c7199266348

SHA1
97dea7b7d8486f03cc085ef488fda80fe53515a0

SHA256
19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

SHA512
9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
42f9a91f0bc1504ded127e7e81deb9c1

SHA1
92534b5ec1a23be3938801459d67df6663ea9ea5

SHA256
2791879185eb05ebdb4dfbb84a99d1abf5c0638f06e563bf03c1fb80200612fc

SHA512
5c3020b3c45cdd3b43aece8ffe8d644ad20bf5f8b9404ab23d7389c17f82c990d720b2268c5efcf7b993c50a4efeb8ca1835819800da13d695cd2bc66fe90d63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
2fa4d4afe5ad9f2273319c822bb1f4c2

SHA1
36bb52cd4ad400d06fbd64e60b1507fbe6761aef

SHA256
e82bdfc18eee7219a33d2857e2b4ef73fd880954cfd527e636a4232e64e629ac

SHA512
1871f1fe3137069fd8371d689d5c1f94a9a3fca9389096fab99592114fbd5a0b0afe26395f4b72c338a1170d19a521bb4ca941176696374c168ebe617fd4c5cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
13f4ea7224417985aabae4a2f59fc2ba

SHA1
2d20752d98ce84d37a69d349d2c008e302748b59

SHA256
929688d666a67a627252819b523a1a80c92a092a94b155728b8ae603ec370c4f

SHA512
0cf9e68368fff17491537a97f62cd1dc0ac9d1d7330cb2ad3f3e252ad973097fd53e416c70e9c0abb7a5cf97ac92e58f364fa96c47c95c071df71aca94dd8501

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads