hxxp://www[.]xerox[.]com/

Analysis

max time kernel
0s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 19:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.xerox.com/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings	firefox.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 2496 wrote to memory of 1096	2496	firefox.exe	16
PID 1096 wrote to memory of 2796	1096	firefox.exe	18
PID 1096 wrote to memory of 2796	1096	firefox.exe	18
PID 1096 wrote to memory of 2796	1096	firefox.exe	18

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.xerox.com/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.xerox.com/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.0.461984512\2007947764" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2363440d-8cd8-4252-9c56-95e5ec6f50fe} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 1292 117d9258 gpu
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.1.1870601784\498375780" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4b65943-ba8b-4ae0-ac30-89b743864836} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 1508 d71958 socket
    3⤵
    PID:2912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.2.1776791556\715894119" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 21713 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc9af2ab-3e84-4d1e-a153-ac0ee8bbc5e2} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 2144 1a2c5358 tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.3.1462312995\640750488" -childID 2 -isForBrowser -prefsHandle 2416 -prefMapHandle 2256 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f39a7914-9373-4ca9-b593-533f9ab79aed} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 2776 d62b58 tab
    3⤵
    PID:380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.5.1198287820\158540225" -childID 4 -isForBrowser -prefsHandle 3748 -prefMapHandle 3752 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03910e9b-d3e3-4fa9-94f5-79ffe746dd3a} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 3736 1efe8958 tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.6.658518659\1830741069" -childID 5 -isForBrowser -prefsHandle 3900 -prefMapHandle 3904 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7eb2af9-71e3-41bc-98f1-0132d3ac44b1} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 3660 1efe7758 tab
    3⤵
    PID:1896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.4.1894115323\523123685" -childID 3 -isForBrowser -prefsHandle 3612 -prefMapHandle 3628 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ac42f5-4ecc-498b-94e3-a6070b4dd7f4} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 3640 1ebd9b58 tab
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.7.929457771\94607985" -childID 6 -isForBrowser -prefsHandle 2204 -prefMapHandle 2212 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94a0394b-d1bf-4b20-ae6d-cdd33b20c174} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 2184 21736f58 tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.8.708801070\1084069551" -parentBuildID 20221007134813 -prefsHandle 4316 -prefMapHandle 4144 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a25f65f-bc12-469e-87e1-1119a009351e} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 4324 d2ff58 rdd
    3⤵
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1096.9.1485974676\1523620626" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 4432 -prefMapHandle 4428 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c893507c-a61e-4466-a16e-e2799faf2b96} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" 4444 1efe8658 utility
    3⤵
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\cache2\entries\907624EE9395190F1B26CC8BDE7A7229898B872B

Filesize
8KB

MD5
425840aa92ae8f66a08d18023ab608d8

SHA1
4f0a962955171dae4e83ac5b37fa66b86a10ff6b

SHA256
0cf17ecd11fb1ab9e86e44a818446ad9c0e40449c28bb21bb5e3492882acd52f

SHA512
09ddf254e4087719ace9274fe01e9dd342d197b883da9c2571bd2878fd6262ca96a965b519fac3faf95e43f55a3ba84609c52dd8cbcc37ca1bb22c4d77e5fd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
47KB

MD5
2d866e6b191b29f2c8349f9bbba619c3

SHA1
587752de1bfb71668954d21e396cd6fe1a46f422

SHA256
9496374c50632648ca8e4bed7c2c013dce7d6d60f577d314c964d1068666c059

SHA512
4dfa51b4f57c0dc98888fa5a29798b399d8ba78a3ea143d4c305df82454d14351e4f0de3cb9fe90591f8158c243e0c1b05a48f04f9f81ce13f415508f03b1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
43KB

MD5
0a4c050d07b996bf7a746d442550e120

SHA1
5ea6268fe03f447c22d36f18ce4a7cb4a238b8c8

SHA256
93575d97f14f13d26eb54d2eca09032291e7d3ac24d6d01983e86f2960373b76

SHA512
7aabe2a34c825550ac2cd303b03ced9f5c92103dab2d199409e6297b462661a085827d74012837fb6ebc7442f27d064c4965af4a6733b4e479a70eebe9cb6499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
ab7fe6ed8ac85ed94fae89cc7359d036

SHA1
2b68fd1e52fe9f9cb3caa5a2486f4a6076bbaa58

SHA256
4f37eb38e8c20d0a85ebfd55999c1dc6835c085a48921dbc83ccb61ec5c02d14

SHA512
eba047b7ab99512aa0ba4a89f4aa195994592f91ecd09db03ab3af04f08def9257165dea9b8b6b5fa6963be3971a4b09c3b15303f63a3fcb36ea548a675a2934

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\pending_pings\bc29e60d-af1b-43c7-a6c1-943fd4bd3846

Filesize
745B

MD5
e0c5c851c876310297b7833ff3102b06

SHA1
5b7831dd8c89ef6f6fe023e29e795b4a791435b0

SHA256
0a40c04837f09c880e98b1561c6de9dbfab3be15a46080d1449a8ea6dc282ee0

SHA512
d0a2f29dbc792902a65b9062ba828aee22bfe909df22575ea5a8bed61019a8f03565d8a3812a4a14b684ab153fd4dd2dfa74d81f15cddfec5d52c5af3eb1cbe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\pending_pings\fee53ff9-0c0b-44ad-ba20-37bec8e0b2fc

Filesize
4KB

MD5
c71c7f2439cfdf154d8d8c8d06c904f2

SHA1
a64c693432e55a6a2296f0cc47d22cb253f793f9

SHA256
addd9a16ee37a6fc8648c3599ba36d93da6f469fa7657c034d3c8bf1b6ade8ee

SHA512
de7edba15666d591f26e2721e1ce4032933622599d8df7548b56814d95d39166b66e0e10de9d6676d4bbc5745e565ed6b2947e743aa4d5bc92afa2922c2d2077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
24KB

MD5
90956672d50c82382c0ba19b9f103943

SHA1
8618c27b32f48ef1143a418dfcf256338a9eaccf

SHA256
58c4076f1c48393b115d6221e0ae85fc8c95f08dc5fa3bdb51c61dc22a4a3658

SHA512
14feafbbd0c028fb88f1eed9c1542a7a546b089a37f9de5deadf8fd3f8fe255cb032c88eec7d9fed99f83bc18ca2d56e7245255ebc374802ddb1db28788162cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
57KB

MD5
265e05a0c053b9f23db573be56427d93

SHA1
21fb2a26d22c7ab78eae193a421880bd4c62f7e5

SHA256
4cae138e4af6ed24c00b53245022585e8d11599e43013a784b2ea3167a0da4e0

SHA512
029a4b78a78681cd4b9b09ce2102a6aadf971529dc52f251300bca6c1e2dcef0bbf0c4768599b338ad8d46b09942ed6bf114a290ea255cd19dca1d9fd7d39606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\prefs-1.js

Filesize
6KB

MD5
de1e90c26bfe9e95154193ea94181d3d

SHA1
247ca7527bb758ddf2025941d4875bcd7231f4e6

SHA256
6757aff45225596b1513e2ac563671092ac0a83624ec0973587ff10cc2ac7ca5

SHA512
3f3741d003e5a1480ca97a18589084fc11d188e8da418f0a648f39e32114dccd902a7a6464b6d0b5cd4a0dc689d752ae4e4f080e6fe960c3e598e385fe3c3c63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\prefs-1.js

Filesize
7KB

MD5
84a5f5ebf7c9fe5d2b7d01b72d90de72

SHA1
8357a66516b1965bcd0fe6bdae8e719cd9cbc906

SHA256
e6b8bfd981fba331316e625f5b33d135f8810048136759d44fea8a9caba24ca0

SHA512
8e79f725f6c1a0a029b5d9112aee19aa5144c2ef8836f46beef53b74f3289bc6f244bc50468506e0affe4fe27f7ec7487b930f24cf998c36c9f37333146ffbb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
4cb0198098336a02e0dd53c53cbe961f

SHA1
914176c746e71ddfa24109b4ae5cb907b02a80dd

SHA256
3227a20df1572172d185273ac28377201a04b31764e654569d094a9a8c6858ac

SHA512
e46b6ccd26a0fb3d636914693f9375690ac258105e95fd7e6dc3c2b1ea720338f1c2bdfef24406f983a08c297f1520482641de3f363348e4ea8e84dcc5d3cb81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f7cfad0fa7c8396b4a6f28926a9fab43

SHA1
5c00909f3b2442a8dc47214c8a958e975c369fc7

SHA256
59f5db0b411fcf69c7ac44ac9b80cc212b098f1c6f0cde183f14e3528e5d7ac7

SHA512
7a3dd679e9d069608d481b14261ce31528e08ccd1a54812750f433cc53a3e3d1d1024f0c1a772e00391d6b88ac7a03105702aef58fdcc78b47c3618b33c4ed60

Download Submit