hxxps://links[.]newerainvestor[.]com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877

General

Target

https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 4272 wrote to memory of 2928	4272	firefox.exe	14
PID 2928 wrote to memory of 3700	2928	firefox.exe	17
PID 2928 wrote to memory of 3700	2928	firefox.exe	17

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.0.282049474\1487408614" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e96353f-fe68-4ff4-9643-a4b3b8c81096} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1860 29cff7d7b58 gpu
  2⤵
  PID:3700
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.1.2128763367\425079546" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03caaf00-cf43-4629-9ffa-0afd01997a5a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2264 29c883d0e58 socket
  2⤵
  PID:5048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.2.1803052082\1981258922" -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2848 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f2b942-ceb0-4b7c-95ed-a0a54ce61804} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 2724 29c8b1d3a58 tab
  2⤵
  PID:1444
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.3.1413340234\1618893304" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57ce9f15-b51d-4ed6-82e5-c1aa28cef634} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 3540 29c8c2ead58 tab
  2⤵
  PID:1680
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.5.1754084648\2041908654" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d7da44-74fa-414c-afe1-789be83bb533} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5124 29c8de85258 tab
  2⤵
  PID:1284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.6.1185127971\1059027352" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0e1d63-7c3e-4cb6-b0bf-d0fd66e5090d} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 5008 29c8de88b58 tab
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2928.4.1828296670\969746666" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4888 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b45e93c-5eb0-4fb6-9b16-1cd0c4af9634} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 4936 29c8d3ddb58 tab
  2⤵
  PID:1852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://links.newerainvestor.com/a/1652/click/1900/809596/6020a598e859944ad3a0bae2e630eb4386734adb/5b71a9828f3a33741a1e14a624fd08185b870877"
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d8b326bd7692c314ba6fee6059766416

SHA1
3c6b6764719508d95faf4c9e51a6ee8e96e82bed

SHA256
3ce28f7c75d1b30924caf0b25eafe5248487a8c70420b7b583d885b3b86c0248

SHA512
f3f3ef3534e16f1ac10f25bed007bb92d7f948044b544f5db040fa8957dc0c01dee536afad2eb31904e6671df5774a1cd846fa385d55e0d4527ef8663fc17cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\pending_pings\0e3f2b73-4959-4bdb-809f-9e1911040974

Filesize
9KB

MD5
2df4ff592fc271bfa8cfefaea9fcb286

SHA1
bbdea8a828d96d27d74aad981c125d536389c423

SHA256
7c4c99446749a5ebe5623f866309e11e9972fac146ca0caa8ed662ceb47906ea

SHA512
de17a94a7ef5cf3d346c0709aa4903e017e9ea9d892338344056be18642da36b2250c2e6370e745186f77bc56e57f410a9cd6973f56abfea5418e196aee7c824

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\datareporting\glean\pending_pings\1c2bebe1-5f94-44e4-b196-b014ea80693e

Filesize
746B

MD5
df09a347cc012d1a7b3326609bf9158f

SHA1
78e860e58d3100f4054afcce9aaa90494f75595c

SHA256
e17d19727529eab9fc38f661422fadf06ae29426869d243fe1f202725bd68946

SHA512
7f9da4764e23812ce739b1351e524a8556c6559c9f359ee9ad61471d90d8a438dd663307d3d866e9cd1fab1e897dd99980efc487ed7d6e200e8fdde31d8a6fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\prefs-1.js

Filesize
6KB

MD5
497005c593f887f91859a48ff4a284bf

SHA1
a75c41c61a04c38235eb453d8508258361110aa7

SHA256
4939298e69ba307471282ae3039c9d74f1ca9c304829938e6e061e322b751a37

SHA512
b7954efc0e2cd2957ef21a8e334c78b7800c6b35d64fb7d08bfde02095f0991b369f3e8652e797a122daac5722b7a54cae857b2ee9ac618aeaa6998d756b0af1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1d446ce4bc1d9093006542cfb50c234d

SHA1
b522fd332bab4d7972da8ba94a8c932cc2021f88

SHA256
d8ed7db0f1a916357ab2d7e142555f2879cd3156863efb7a0fe066b97f25e583

SHA512
ae39e23819d3880e995b6b2a83ce0f9cb4673af2b71cf700d1f61fd54200ccbc6bb01c85bfd4c9ea603a07c5804f9ba0e7ffa60aa8df9b27182661e205a49b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6fd8mnze.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
a90e4d9450cb3baf32ea3ec1aab1254f

SHA1
f34bee6ddf9fa10aebc271d11d3bd672f0cf6f42

SHA256
281b2d9f1c0c94cba9d8b8b9a58f3ca43077d047c1cfa38e70b3990d1565e51d

SHA512
d2b39fecd2dc7ea7abfc0eb45fdc01c033f31d59f68a227245219d94a2538b71f306570d12a75f58c7bec7a81145d9f799a831861bf238d1b632ed2f3f5b41db

Download Submit

Analysis

Sharing