690e898fd01b69ac3eea36ac0bde48295eeb37b85a76ab96368b02dd7ee51615

General

Target

tmp.exe
Size

3.3MB
MD5

0f188231c29fba40e8b3e76792464cff
SHA1

e231f8e1060915dcb83fcf383ce0c80dbb94b2ea
SHA256

690e898fd01b69ac3eea36ac0bde48295eeb37b85a76ab96368b02dd7ee51615
SHA512

2d430c8bc5d5473bcc41e22bff252f1c09e632a4baaa5da4ac011ba13bf102ccc7a80541293a965a6ff80ca47b3d4271fd1e35c878a2b4ff0123af172f16f803
SSDEEP

98304:sqNAQ6FGtvX6KN5hBAud6kDjGpUefle0GzDKKD:sqN5u06KN5hZnse0GzJ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4616 firefox.exe
Token: SeDebugPrivilege 4616 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4616 firefox.exe
4616 firefox.exe
4616 firefox.exe
4616 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4616 firefox.exe
4616 firefox.exe
4616 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4616 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4616	firefox.exe
Token: SeDebugPrivilege	4616	firefox.exe

pid	process
4616	firefox.exe
4616	firefox.exe
4616	firefox.exe
4616	firefox.exe

pid	process
4616	firefox.exe
4616	firefox.exe
4616	firefox.exe

pid	process
4616	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 3640 wrote to memory of 4616	3640	firefox.exe	firefox.exe
PID 4616 wrote to memory of 2484	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 2484	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 1260	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 4360	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 4360	4616	firefox.exe	firefox.exe
PID 4616 wrote to memory of 4360	4616	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.0.1511190569\1275106742" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e94b3f-c0d6-452c-8a62-c21aa603c8e0} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 1964 145bfbd6258 gpu
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.1.631565770\1275120141" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24f2be96-226d-4648-948d-fcaf5bf68ebf} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 2364 145b3172e58 socket
    3⤵
    - Checks processor information in registry
    PID:1260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.2.2127021939\1701329311" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3016 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d82056a-dba9-48d6-86d2-2e403c510f8f} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 3228 145c3ada958 tab
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.3.820747799\978775819" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3504f5-e9cc-4e32-94c0-c71aefed0592} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 3604 145b3162858 tab
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.4.2112843055\1482988754" -childID 3 -isForBrowser -prefsHandle 4296 -prefMapHandle 4284 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6c85a5e-3fec-4da3-af3c-5eca2a1e3e51} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 4312 145c5135258 tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.5.1296423572\1111030991" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4932 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1309960c-3475-4dfe-b1d6-380973c18d9d} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 5000 145c5133158 tab
    3⤵
    PID:1360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.7.129865525\1043165106" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3add439e-bb82-481a-84e9-c00a1c962095} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 5404 145c6098e58 tab
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.6.144256601\1598856962" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e41228d-cef4-4c37-87cf-53caf958cfaf} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 5008 145c609a958 tab
    3⤵
    PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs-1.js

Filesize
6KB

MD5
44b8988da7f5675617b31d8444aab1f0

SHA1
c6f3080b989c103bed87fd3157000b0d134fa0a1

SHA256
08bc0e3ebc38a4d8aa8199335f59bae73f79023592c805d0e70ccf1303cd5c01

SHA512
6a6414ad559f5a909fc2719add03c8f5a87521eba08cd1d619b95282cbeebb70f903d0be962d8c407ca6f008ad672f6e5c09a2ba7f2727ca495e424fbf422dcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\prefs.js

Filesize
6KB

MD5
721aed9950e98d40c6cf0567c9644baa

SHA1
22d0aaca7f1af473ce3d8fff4fae1cd127077126

SHA256
87b1091b33dda0e975aaa5cfe81388282eac3fd3b71041237d832850a04c134f

SHA512
7c4c44a325605eb4f9ca0846759065be9d23b3fc682c7259c87c7cda6556f13fb47ce99316e3a232aca753741a9a1a9bd04ddc8a1db90bd3b19b8e37284fe55b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\sessionstore.jsonlz4

Filesize
887B

MD5
0b8323b3df175e0dc00a1505353f0511

SHA1
7901d0a6b67a548ade9cdfcb44476188390c0032

SHA256
19c1691f1da3d53738d87ce16970223197e75efcc5f6315df2af1a7732c751e7

SHA512
84866979b60c41be5aa358dccdd1973de2add9fcca54ce6dae6e8f24452388fac0d472436c5fc0adafd5c2f2c7f41c2bcd3c89f19cc31c2c7192d41cb5414083

Download Submit
memory/3592-0-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download

Resubmissions

Analysis

Sharing