hxxps://fi[.]subscriptionupdater[.]click/WW/av/ava/promo/LP09/V08[.]php?lpkey=17f7077e7645235226&campaign=5631&lander=2971&domain=eu-clck-trck[.]click&region=Uusimaa&language=en-US&isp=Elisa%20Oyj&bb=0&uclick=17gmxobg&uclickhash=17gmxobg-17gmxobg-9ry9-0-8pg6-pmfvwj-usqddz-984d9c#

General

Target

https://fi.subscriptionupdater.click/WW/av/ava/promo/LP09/V08.php?lpkey=17f7077e7645235226&campaign=5631&lander=2971&domain=eu-clck-trck.click&region=Uusimaa&language=en-US&isp=Elisa%20Oyj&bb=0&uclick=17gmxobg&uclickhash=17gmxobg-17gmxobg-9ry9-0-8pg6-pmfvwj-usqddz-984d9c#

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 5540 firefox.exe
Token: SeDebugPrivilege 5540 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

5540 firefox.exe
5540 firefox.exe
5540 firefox.exe
5540 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

5540 firefox.exe
5540 firefox.exe
5540 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

5540 firefox.exe
5540 firefox.exe
5540 firefox.exe
5540 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	5540	firefox.exe
Token: SeDebugPrivilege	5540	firefox.exe

pid	process
5540	firefox.exe
5540	firefox.exe
5540	firefox.exe
5540	firefox.exe

pid	process
5540	firefox.exe
5540	firefox.exe
5540	firefox.exe

pid	process
5540	firefox.exe
5540	firefox.exe
5540	firefox.exe
5540	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5552 wrote to memory of 5540	5552	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3860	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3860	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3040	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3288	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3288	5540	firefox.exe	firefox.exe
PID 5540 wrote to memory of 3288	5540	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://fi.subscriptionupdater.click/WW/av/ava/promo/LP09/V08.php?lpkey=17f7077e7645235226&campaign=5631&lander=2971&domain=eu-clck-trck.click&region=Uusimaa&language=en-US&isp=Elisa%20Oyj&bb=0&uclick=17gmxobg&uclickhash=17gmxobg-17gmxobg-9ry9-0-8pg6-pmfvwj-usqddz-984d9c#"
1⤵
- Suspicious use of WriteProcessMemory
PID:5552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://fi.subscriptionupdater.click/WW/av/ava/promo/LP09/V08.php?lpkey=17f7077e7645235226&campaign=5631&lander=2971&domain=eu-clck-trck.click&region=Uusimaa&language=en-US&isp=Elisa%20Oyj&bb=0&uclick=17gmxobg&uclickhash=17gmxobg-17gmxobg-9ry9-0-8pg6-pmfvwj-usqddz-984d9c#
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.0.1125892887\1173369520" -parentBuildID 20221007134813 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ce91e2-a41f-4869-854c-0bd89809cd22} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 1836 140329c4958 gpu
3⤵
PID:3860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.1.1073117083\2122283851" -parentBuildID 20221007134813 -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b2a561-05ef-460d-8a44-387023a3485f} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 2232 140328e8558 socket
3⤵
PID:3040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.2.2043290182\730240723" -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3104 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68587524-0935-445c-adee-35be9c541269} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 3136 1403295eb58 tab
3⤵
PID:3288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.3.1514644817\1291676825" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4179b66-1285-44b9-863c-3ac2f19e74a7} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 3520 14026b65058 tab
3⤵
PID:5460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.6.1045695667\493480971" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e74c0b90-2984-469b-8e0d-ea1ff3187279} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 5264 1403a146e58 tab
3⤵
PID:1428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.5.1124431147\1524084509" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debaea05-6e07-4a09-8596-8e6d4a61646e} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 4244 14039c3ca58 tab
3⤵
PID:5548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.4.1412317404\2143326016" -childID 3 -isForBrowser -prefsHandle 4856 -prefMapHandle 4960 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89682b15-8963-47a6-adf2-e2dbc4e26a67} 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 4924 14039c3ee58 tab
3⤵
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
35e53438178267ea0a5b39a6544a4631

SHA1
2432a771b7e9bc21c7406b9ae161047c1b1d8380

SHA256
47089aaa9af6a149af28284b5e9bd2406ac96e63aeb6b59e26729a2df3200d89

SHA512
9b5a4cad6ab5054b85c813a1ef52a507a98b9f44f189d44edaeea3cc9191bfac535a2cf9c6270d7e10e8da1117f6cbe7dcce35080c630015be396cc17db36654

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\datareporting\glean\pending_pings\03da8c77-2d92-4bcb-87f7-4707903d8b46

Filesize
11KB

MD5
1b7ed1f19c89e4ac7bc1f260a5195eb2

SHA1
ed509b36f3a3181c50f523cb2837c0044191f5be

SHA256
d7a18133c2c50b7e9258818fea98aced99953ba1637edc458c79f27c1384f5a5

SHA512
fe496bc97daf0b88a9c1325359b3f3286347a3146a8bc82bdae8b70a4c0178e2aa240463121ba29479fbe280c5e90a52e4905ebd600cbf642ee017399e460faa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\datareporting\glean\pending_pings\ad14ca78-3bf6-457f-b180-3ae844b25f46

Filesize
746B

MD5
b45db8f3f2556e4853a9339e578fbcad

SHA1
de146944282fe857412f768d76ae7e889edadf21

SHA256
ac59d89cad640fd08ba37605fde3f220b4871255e997d549899ff74531fe6230

SHA512
392109e5181ecae7cccbad0abd17d905bcdb28fff7add85787eba9d75da46d839d5bc4dd5cf8b2ea60ac578033956e6479c7a426dc5e8ec7bd1cb8dd95189dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
990B

MD5
4e9fe84f19f02a8d8cbd6ce0b801cebe

SHA1
d379ecc732d03b76f030b5ef37e0a35df08865bd

SHA256
13901226738f36267b52840eac984b118bf49f7b5d02ad209c92a4cf6d7e9ac8

SHA512
2858457c9a3d8585474010be8c3b6ebb3eb41e4ec157e51d6d8627d691fb6e78c48b21eceed60c32d2e4509178ffcdbfc681ebd341bfdb88d332112397b7b973

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
28a47d31d7964de9e613fbf5adfdcddb

SHA1
eb5de3b0be9404127eb9b7e22557c4baaac7c5e4

SHA256
6a713ba552935f54e98a451eb7ede09eac9e70323983431d7862f99b080171a8

SHA512
7c6a77f258cd8117f1b022fa88e163b6ce98f3731d4c2599001f57d516c69a5dc53fa40ca0ab8bb1981ca112c10d961aaaf0314d7f6f3b924633f48142d0bae9

Download Submit

Analysis

Sharing