hxxps://sc[.]link/nDfPa

General

Target

https://sc.link/nDfPa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2188 firefox.exe
Token: SeDebugPrivilege 2188 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2188 firefox.exe
2188 firefox.exe
2188 firefox.exe
2188 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2188 firefox.exe
2188 firefox.exe
2188 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

firefox.exe

pid process

2188 firefox.exe
2188 firefox.exe
2188 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2188	firefox.exe
Token: SeDebugPrivilege	2188	firefox.exe

pid	process
2188	firefox.exe
2188	firefox.exe
2188	firefox.exe
2188	firefox.exe

pid	process
2188	firefox.exe
2188	firefox.exe
2188	firefox.exe

pid	process
2188	firefox.exe
2188	firefox.exe
2188	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 1380 wrote to memory of 2188	1380	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2552	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2552	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2552	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2640	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2760	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2760	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2760	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2760	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 2760	2188	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://sc.link/nDfPa"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://sc.link/nDfPa
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.0.1213857844\1302098506" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a7ec69a-e490-4a85-836f-4b5c0efd48ea} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 1308 f5d9c58 gpu
    3⤵
    PID:2552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.1.817611476\277352598" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f953e5cc-c161-4ec5-b04d-63e88ef1631c} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 1512 e72b58 socket
    3⤵
    - Checks processor information in registry
    PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.2.1254460458\2030547639" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b673ec25-cd3a-4bc4-8922-9194df96383c} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 2128 1979b258 tab
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.3.2098279138\1307038963" -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2596 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6633f778-3e3b-4ba2-870c-87f36343b0f0} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 2608 ee3258 tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.4.286785789\22883496" -childID 3 -isForBrowser -prefsHandle 3596 -prefMapHandle 3564 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb3dd26-5d48-4679-9235-fcffbe37009c} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3628 1f792258 tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.5.1387223440\1363867935" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3748 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3eb222-4be3-4e18-a312-de545d963abd} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3732 1f793158 tab
    3⤵
    PID:956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.6.1858184719\1953499769" -childID 5 -isForBrowser -prefsHandle 3844 -prefMapHandle 3848 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6671fdc1-8217-466d-913f-46404a5c0c8e} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 3832 1f793458 tab
    3⤵
    PID:1412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2188.7.1685829876\299567160" -childID 6 -isForBrowser -prefsHandle 2328 -prefMapHandle 2160 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59c41ba-57e1-45cc-8a25-762d949486e3} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" 2132 1fbf0458 tab
    3⤵
    PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ab7d146dd812c033ef2e4b3bc8c602a3

SHA1
ecfba95c92b1fa23437174255cfe1006d5fefb04

SHA256
858a6e8c6534733329127a01962d5688d8add90321f08a47444c5584afd9bba2

SHA512
fe4e7c9b2a26addf0cc96b7aea82fe24981a9151600d8266ef5abcb846b5e40a6c19725d25fb819f886b4f8804901190f23304994bf55a9ca606cc46aabf1fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\datareporting\glean\pending_pings\0049460f-a229-4c7a-b69e-3ab8a55aefaf

Filesize
745B

MD5
3bb26c7347494a5e858e0f27d23ba6e3

SHA1
720a0184c34889cbb19f23c69b8465df18ba6543

SHA256
00ddf345176775c7ef5628e1b369c3261da39476195ef1366284031c8f98390f

SHA512
3074a8e89c64dc692cbe50f0b84f79f495a31b82abeac71ad07bf823855a98201791957e1020d1dcb30093de1c5a960a8ac33898a0dce84c4d22ead18b89e587

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\datareporting\glean\pending_pings\bc866042-fd62-4231-af83-e86834b65bdf

Filesize
12KB

MD5
de2951fca075140376b624ff6a868449

SHA1
914247f2512193548de3a2bc3a034538a69f1b48

SHA256
581aab055420b1e71c0fb43f4845267aae6b6fd71fdcb8749e581b3d3d48dada

SHA512
b5fbccbfebecc4e9d357b8e4ef251658afaf8df63686258513ac24669496fc9cf17e780c9ec461e0ed089b7e4d6e3abb8266d0815c201620d03d45cc4bf64b25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\prefs-1.js

Filesize
6KB

MD5
b57c18878a511292cff270dc189d90c9

SHA1
49f425215ecd4e580f94964fd4c8633d871c22ae

SHA256
b4389200411ae2d95e2a4b617dd85689befedd02a8324b49a2be441d28833c04

SHA512
0e8028f815399385e8ef199b0089e3511a98e947250804ddd51ea8389164d4ccfb7d85c9e49c67197dd36deba506895b71285900cd505e9fb70756d3d95ccd2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
41KB

MD5
d41bf3842186a016cfbb0c15c095658b

SHA1
93062b7ea7f947ae8bbf7da649afe53d263a3f5a

SHA256
6a4e5e217580d17f4673c706749d4c45dfaac2ae04772a61b4df9ced35eaaae9

SHA512
84dc81bfe991480b5800e22c62eda2a0d5e474cf749a1437a56b95e06404846e689a1d5f616ffc184d7d8838f8afe18738f0f3bef2b5fc098130ca6a8f087513

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\sessionstore.jsonlz4

Filesize
41KB

MD5
f972c0b993bb1eda13da21eb95fa1d12

SHA1
c417d08ecad7ab7ce0580cde7267b988f3a8ee14

SHA256
1192c3dfb51aacce34fc6c572475c4466476927867943393d419562792c58811

SHA512
de02dfdfc6a219c8bcd601ff718b15a18f2956c4429a6ebfb7b962fbaa6c3892451d29008f19b97ffbe97d49107320477c163ce545295e782ac76ca3787ae792

Download Submit

Resubmissions

Analysis

Sharing