hxxps://go-link[.]ru/oO3BR

General

Target

https://go-link.ru/oO3BR

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 548 firefox.exe
Token: SeDebugPrivilege 548 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

548 firefox.exe
548 firefox.exe
548 firefox.exe
548 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

548 firefox.exe
548 firefox.exe
548 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

548 firefox.exe

description	pid	process
Token: SeDebugPrivilege	548	firefox.exe
Token: SeDebugPrivilege	548	firefox.exe

pid	process
548	firefox.exe
548	firefox.exe
548	firefox.exe
548	firefox.exe

pid	process
548	firefox.exe
548	firefox.exe
548	firefox.exe

pid	process
548	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 4856 wrote to memory of 548	4856	firefox.exe	firefox.exe
PID 548 wrote to memory of 1484	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 1484	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 3748	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 440	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 440	548	firefox.exe	firefox.exe
PID 548 wrote to memory of 440	548	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://go-link.ru/oO3BR"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://go-link.ru/oO3BR
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.0.336620354\144313116" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f4e78b6-77ed-4c94-bb57-fe9e7d5e3619} 548 "\\.\pipe\gecko-crash-server-pipe.548" 1984 2c4de807358 gpu
    3⤵
    PID:1484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.1.128040294\699629640" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41293c5f-08c1-45ae-b6fa-881aa2245d46} 548 "\\.\pipe\gecko-crash-server-pipe.548" 2412 2c4dd5fa558 socket
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.2.1301954727\189339036" -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3212 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31f5a713-5cc1-428c-bcc5-f06231806000} 548 "\\.\pipe\gecko-crash-server-pipe.548" 3192 2c4e17bf458 tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.3.1631736475\1644996250" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4de2e55-39ac-4e99-8fc3-b5441fd580a1} 548 "\\.\pipe\gecko-crash-server-pipe.548" 3624 2c4d0e62258 tab
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.4.269042413\1235031068" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddf79468-8619-467e-b358-ee58f825f277} 548 "\\.\pipe\gecko-crash-server-pipe.548" 5036 2c4e3afab58 tab
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.5.1496919535\223053857" -childID 4 -isForBrowser -prefsHandle 3252 -prefMapHandle 5184 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e53ecd1-0674-47d8-aae8-de27fab7644d} 548 "\\.\pipe\gecko-crash-server-pipe.548" 5296 2c4e49f5858 tab
    3⤵
    PID:2624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.6.1571053341\2089099527" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05ca89d7-0817-4aea-8ea5-ebd2527a7222} 548 "\\.\pipe\gecko-crash-server-pipe.548" 5420 2c4e1864a58 tab
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="548.7.977071251\1316255659" -childID 6 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc7cef71-cc34-4cf9-a40e-356a20707670} 548 "\\.\pipe\gecko-crash-server-pipe.548" 5608 2c4e1863558 tab
    3⤵
    PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f2e608dd6d88f55a9f185b6849343c3c

SHA1
7a5f8ff009bab807299cc71a639a67d9f78b3eeb

SHA256
ce445ec5e43fc185de87347486d9a0649dacd396483f37b2774ca86d7dffb343

SHA512
0bfd6339ee198b66bd226600ee91704159235e1a65f94cf8e85339991981b3ac680335894f04854f9bb3e321ae128614b4d6d8b7ab546dfae703a7a184d5c8fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\9bd42e53-eed3-430a-92b1-e7ceb1a82d1d

Filesize
746B

MD5
85bcf61203e6497e293df435fd86e03e

SHA1
f8323f90dd4f2f92dc0df7730eabb4bcfd1f1ca8

SHA256
5ce5be1606b4ffb2096080a540f890cf0ee68fa4ea92106c7f72fdc83429770f

SHA512
b2a53316b54f20013ebfab9c81cac39f27d07cb2c44bd09ecb56052dea3b8c8929fc16f8c445afb8ad0e2eaaa2f084e1556339887e797323f74a94ec7dc562e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\ec45fd9c-237b-46e2-a446-b9b74f5f7dd6

Filesize
10KB

MD5
3debac33f54a9087c1484139c94f466f

SHA1
d78893202e3d578a93a16f3c610f5baa4af2e644

SHA256
a342154eeb90f5e77d6da6cadae528a39aed3b8b7b8e11466d1beea6a521144a

SHA512
55177d776c2b64937e7cee7f478264432d2108262129be358de53941ee13f306f450fa95407568c06ad19aa40bd2e076a6215f19f877b00cf516e0c11eb54523

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js

Filesize
6KB

MD5
2ba0207106ddd23f42d3a21f824c1ee5

SHA1
c202283514a0170cdb3c2c2e1913b6b8c44e2bd6

SHA256
1c4c24d9370b73d21709ec5baa72728fc5406cf06b96a144f06a299439bdab73

SHA512
3bf848b4e302655c399ba908d2cb24caf6b42f2cf5d0436fcff83221e2021c19ff871537be9b0632ff686b3fa8a8d857cf50921ea8f808d35d9e2b186d2cdae3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

Filesize
6KB

MD5
f383c452ce74e861fad45d9f0da99618

SHA1
141b14c4ac5d9e85ee1ff4ce0e623839ef100303

SHA256
0e284f7b4801e5a4c4b6df6f5b8e5e62a7deb0b6b8d9c31b05df861dcbe1b1f8

SHA512
58bddb39c6340c98e58ded836a8f371790bc6bc5ffd7670bde188a6b6d8ea7a717e9d7b37787fc23f2aa20fc174fae96f08ceb48eade6299624c1386c8dfe84d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

Filesize
6KB

MD5
889b70e58e3a2a41ce5e3b34d1cf68c3

SHA1
8d9a7d1f71721cb44614dac1657ffcb94defc5d1

SHA256
02e61d90bf92bb2fb53ce18966a0a44d62096d0d942f044dd4f9c1685fe322e7

SHA512
07f114ed6c961754f7d043cb86d34c8bdf1923deb35300523d07f51e6891a939090021b5e7df27076f2ab114014d43411a65b4f061fb9f1172c45b457d1ef22e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

Filesize
6KB

MD5
bbb4501d09cf9428b3b1ab85ce2db607

SHA1
499572460649658e9d7f35cf10ded48457ffdd53

SHA256
d354c872a127f539e088cc4214394cd93afcd4b8922da1d7e3b148a782d00919

SHA512
27e917712b46f486106474db266b05edf148d0199db466e37f3efdd285915922f0b8d9a9b0c24bd8201ee5bcb2cad6209eeec03547139e27470b9d9991f1836a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
868a6862a2f9f9643fcbdae38c61fb9d

SHA1
c96b4de8cea99220d380bc83ceea900736e4b51b

SHA256
fc80c933c2421a983e22d4f4a9da64f6485ce89e8b7d3031707ea1bcf39374e6

SHA512
e103aaafdb7a786eb8c2a300866769875af7a2e86c1b38d69b171d0b4b70c723cc0f4dd9b3ff06bf58532ec26808c2da5af628877fc9c76369fa34163cfc7572

Download Submit

Analysis

Sharing