hxxps://gclnk[.]com/ZRm2bbC85M

General

Target

https://gclnk.com/ZRm2bbC85M

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2576 firefox.exe
Token: SeDebugPrivilege 2576 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2576 firefox.exe
2576 firefox.exe
2576 firefox.exe
2576 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2576 firefox.exe
2576 firefox.exe
2576 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2576 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2576	firefox.exe
Token: SeDebugPrivilege	2576	firefox.exe

pid	process
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe

pid	process
2576	firefox.exe
2576	firefox.exe
2576	firefox.exe

pid	process
2576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 4632 wrote to memory of 2576	4632	firefox.exe	firefox.exe
PID 2576 wrote to memory of 4736	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 4736	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2804	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 4492	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 4492	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 4492	2576	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gclnk.com/ZRm2bbC85M"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gclnk.com/ZRm2bbC85M
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.0.16643509\742939274" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10bcc98f-5884-4743-94f8-83f9b9ab9c00} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 1992 26e52ff5158 gpu
3⤵
PID:4736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.1.915368694\286743725" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eb4fa6c-c9cd-4f47-ad03-41115b88d82e} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 2416 26e52a40e58 socket
3⤵
PID:2804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.2.2082985939\989163155" -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad37b3ad-d212-44e2-83d2-0d11f2b347e9} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3196 26e570bc758 tab
3⤵
PID:4492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.3.314020816\1180210732" -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9055ce23-4b61-4d4a-a181-5b66b173adba} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 3936 26e5813b558 tab
3⤵
PID:5012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.4.217974389\83296195" -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc2e76e6-e9a5-4810-8d1e-cd6aa9c88b54} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 4952 26e594ec858 tab
3⤵
PID:816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.5.1864026679\1966756509" -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 3208 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54de425-0e18-4387-9b3c-2a46cc9b0ee0} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 5168 26e54751258 tab
3⤵
PID:2200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.6.2040514124\2088868190" -childID 5 -isForBrowser -prefsHandle 3020 -prefMapHandle 2980 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {779041c3-4212-4205-8406-89dabd3187ed} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 5304 26e54754e58 tab
3⤵
PID:3976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2576.7.1440851968\80172027" -childID 6 -isForBrowser -prefsHandle 5368 -prefMapHandle 5312 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e9c3ef4-8680-45fa-9dff-a20f35afc22b} 2576 "\\.\pipe\gecko-crash-server-pipe.2576" 5380 26e54752158 tab
3⤵
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uzw33i5d.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
4b3e918165199cc63022c491fcea6275

SHA1
12329365d3fff4ab12c95efb5e69f6fe1b25eea3

SHA256
4adc433a49692cfbed81776c3d83e18ff2fffd41bc6a8261435db9488ec3354a

SHA512
d889b202d4a7153a232fb5b5ea5dd4dbed8d5c447a132c92714d6f86f04ba5a9f88cda1feb4bfcd1541758fca9fab122afff1ba54f85da4553265f8a70740b62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js
Filesize
6KB

MD5
5f413a47330e8132fa4b17cfe70ee7a7

SHA1
91ed77e09c2e178c248718d4e32c199b37960204

SHA256
8a9b8a830fcc8ece4a30ff2818aa6649cc0463445757ded5354b28d991b05a57

SHA512
5d7085924d9123ab90ee973f3a4670380bc82f4efc2b4a6314cf3fe3308bf756ad9cc051e4c83a9dd79c1e21bf8b66ad2a351661c9d5b7acf8cc884e56600599

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\prefs-1.js
Filesize
7KB

MD5
0284427e280e627e4392ec7805b1a9ad

SHA1
1a06369872803d0db362a6ad4640eac7c203c7f7

SHA256
e13a86044050080018284172fd74ba046cc7c60b2068ed9ece25d7bc4b2cf369

SHA512
870fcd9d800b478b043db5f16991f956f0bc746b23b3659266113ca5c5a4a7fc360e39474fe41932e3b24c44d303c51f85b250086748fbcaf243da9fb7914396

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uzw33i5d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
3e8258cfb62dab704f0918c43cf59b29

SHA1
daf29fb785876f079e25dc27ff76ea9d2b8f60ed

SHA256
a74aca4c9a817eef354231ae72d9ab8e8959c553f3926b54d3075c2f7764dce5

SHA512
613b43bafff8214cd9c1d4b2ab0e92b6a52828bb7dc61d7d2ab49a213623345afc917e850d1a4e016aea09f422874d06cb5a35fd51cb6d5cad97f5221c339c5f

Download Submit

Analysis

Sharing