hxxps://risky[.]biz/

General

Target

https://risky.biz/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3576 firefox.exe
Token: SeDebugPrivilege 3576 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3576 firefox.exe
3576 firefox.exe
3576 firefox.exe
3576 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3576 firefox.exe
3576 firefox.exe
3576 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3576 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3576	firefox.exe
Token: SeDebugPrivilege	3576	firefox.exe

pid	process
3576	firefox.exe
3576	firefox.exe
3576	firefox.exe
3576	firefox.exe

pid	process
3576	firefox.exe
3576	firefox.exe
3576	firefox.exe

pid	process
3576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 4660 wrote to memory of 3576	4660	firefox.exe	firefox.exe
PID 3576 wrote to memory of 4856	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 4856	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 828	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 4632	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 4632	3576	firefox.exe	firefox.exe
PID 3576 wrote to memory of 4632	3576	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://risky.biz/"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://risky.biz/
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.0.2014172689\1896207429" -parentBuildID 20221007134813 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d62d0a1c-68b6-4a55-960a-bcfeda7468b6} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 2004 1c0307e4a58 gpu
3⤵
PID:4856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.1.1103927922\882380164" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f77281-30c8-484d-9761-e8ec0b88dbaa} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 2432 1c02ff42458 socket
3⤵
- Checks processor information in registry
PID:828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.2.1118544258\1142084110" -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7199541-d385-4c5e-b2cb-0d995f298f0c} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 3164 1c034537f58 tab
3⤵
PID:4632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.3.1475807758\1313390979" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0adf9d9-de84-43e4-8985-95a51c1602d5} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 3516 1c01c762558 tab
3⤵
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.5.1095615878\1640050928" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31ee16c4-d493-4d7f-9d2d-f4787e3702e9} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 5044 1c036671b58 tab
3⤵
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.4.422398377\1004828755" -childID 3 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {685e0a8e-af7b-416b-96ab-adacf922902e} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 4916 1c0363b2358 tab
3⤵
PID:2900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3576.6.1294789271\1031885914" -childID 5 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20d754ec-0318-4c93-bf9d-ec09d42a3155} 3576 "\\.\pipe\gecko-crash-server-pipe.3576" 5244 1c036672a58 tab
3⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
94a4518588b3ddf3df04f80264ea1c4c

SHA1
d337a8a7e47fa5d9d671dbb31a614275b30d930c

SHA256
e842367558435772b14d323d6c58bcb4ed8eab9ecbd4025898e3b544ad7fa370

SHA512
53a1b882162e38bb53d32a917c013fe3afb846b5db7f1db5455373ae1e4d676876d0d8d06b5648fc2f32751116893a4e5a726defb853f4f00ada339bfafc64da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\644230d9-c422-46b4-bc68-187013b8efff

Filesize
11KB

MD5
84daad007df767cdeb4a7e6d487c7d10

SHA1
1d83c5a4e41a9461918401e2457f285bd220ab94

SHA256
bfa9a9552d0797d1755c7e193e6332f8ab4f9b2847cb84ac81f5493cc8cf1f02

SHA512
e91570ae1f6bd09a7bd3efb96da5ba959768a651ad5c90aa6c068c01d3552e6f0c8192e3c568722fc5dec395ba8ff6d3a2be24f2681f6733e2c461c3b0cabe40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\e16cf08d-9802-4e3a-a949-7cf63dfb5aef

Filesize
746B

MD5
0f61cc59f7b503c07b6053bbbfc1ca8b

SHA1
54657f2fe86c9eba1e59a7abe3e7c567aa32bee1

SHA256
3792163ff6b2f3d661e22878806dc20a6d245bbb3e00d03c11a4a69a7a4e0965

SHA512
ace73828a4fe9595f37f0919322193b7941a5d875437e8fc81ee403c23a1103f3d04b6727831d7beeeedfa711d677fa9b3996dc8b985054cc033867bc2afbdaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js

Filesize
6KB

MD5
5a08233a7ec6cecea05f35a2faafd4ef

SHA1
bd0cfcc480c2b75e55b9b68d15b8344258084691

SHA256
eef9c9a26cd11b41b6028905bc9a3505f052ec8f5ee2a83eb244c2a62ca04115

SHA512
a05eeac8f91b6406b9432df287c4b7e1f29b50618d4e1d7ef3a4bdccb362a161bf857fcf1e1939a3d8703286cb834e37b9e078a1001f4f05e5e1f259f73f5bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs.js

Filesize
6KB

MD5
ab8e327a3f9ce916375476263894c1c8

SHA1
13f5c828876f1b8cce4ac8620c0a4eb065b8b0f8

SHA256
4e69fc0007404323f49d897ed0fb27df0aea2aca668f80668b38ccafd6fd62b6

SHA512
4df5c8d979c5efed83aead60b980d4bae1b3266f43732243af37c924a07e48393732152504f90636e562089c055bf826ff0cb40d1f190da4078b9b85b490cf52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ffad080842fed3d4730dbde8795da508

SHA1
3caf4830caac926dc3ab0d97c88b4f157eb1d223

SHA256
39cfc42a99b8a1dbef792675032a26f4401541b48f6390fcc8f3c7e932b77a34

SHA512
a64b7f0cb85c83c97082c161eea16e175151a994435b08df46a7a04a39da131a8a9dab715c9e1c790f197311cd659647ee75d817b4c8930b33d9eda242d4d005

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
ede44dce3b17a3515fc3a9ea53a27bc2

SHA1
ec2b2ce4b758bc4c92b76a132b649b1b3a3dab08

SHA256
56ba2c2e846d1eb2188f5f57985e8ad37771c38287a4b62e80e7580912b76aed

SHA512
df70200067fb67b986c948af1eadb3ee5945480d17f52a667180c07154801cb1ca2e69f2f2457d41b29ce1b98dbcfdc2971977158e3fb3d8a0ae98a51f853181

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
fcb7f0509a2856e75f48535bb88a0989

SHA1
49e6b8082725fef501fce4218caa268c9a317fd6

SHA256
c6659868cb893164b87da53576fc4ea809afd5772ef19cfbb2d1d9506a28f769

SHA512
b623d6ca521723ffaac7547092552f1f802158e62c3f98af51d7abc7c1f78d96a2565d25c5b0da475a55abc6c6e9d51b4ffddd5f23d064562e7a5ad355eaaa40

Download Submit

Analysis

Sharing