hxxps://steamcommunivy[.]com/gift/7656685934763976

Resubmissions

03-04-2024 14:55

240403-sah7aseh92 10

03-04-2024 14:47

240403-r5t2lseh44 10

Analysis

max time kernel
34s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunivy.com/gift/7656685934763976

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4968 firefox.exe
Token: SeDebugPrivilege 4968 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4968 firefox.exe
4968 firefox.exe
4968 firefox.exe
4968 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4968 firefox.exe
4968 firefox.exe
4968 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4968 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4968	firefox.exe
Token: SeDebugPrivilege	4968	firefox.exe

pid	process
4968	firefox.exe
4968	firefox.exe
4968	firefox.exe
4968	firefox.exe

pid	process
4968	firefox.exe
4968	firefox.exe
4968	firefox.exe

pid	process
4968	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 3756 wrote to memory of 4968	3756	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2192	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2192	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2080	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2556	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2556	4968	firefox.exe	firefox.exe
PID 4968 wrote to memory of 2556	4968	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://steamcommunivy.com/gift/7656685934763976"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://steamcommunivy.com/gift/7656685934763976
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.0.1009914604\1459983941" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16f2e1f0-ae21-490f-ac79-97db4719588a} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 1960 1fc338e9858 gpu
3⤵
PID:2192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.1.1005385684\1048877238" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96504a01-76e2-44a2-a859-95573a218e32} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 2400 1fc33803258 socket
3⤵
PID:2080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.2.423950603\1471500240" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3044 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad9b9d17-60d3-46d4-9f45-83d81dfc1d25} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 3068 1fc379d3358 tab
3⤵
PID:2556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.3.2026717577\387548859" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3568 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c83fa612-5e9f-465f-93c9-00111ea02206} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 3632 1fc3875f758 tab
3⤵
PID:1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.4.1144198456\1698165275" -childID 3 -isForBrowser -prefsHandle 4952 -prefMapHandle 4864 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd7c402-8f03-43d9-9cc8-1fc429d74ea5} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 4996 1fc39993e58 tab
3⤵
PID:2828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.5.891459972\1830254600" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67266e80-bfae-48fc-b043-f2bc639802ff} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 5012 1fc39baf958 tab
3⤵
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4968.6.1338169941\1255777637" -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e321210a-86f9-40ed-8c16-f6cbcfc08b25} 4968 "\\.\pipe\gecko-crash-server-pipe.4968" 5012 1fc39bad558 tab
3⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\cache2\entries\7DE10FAF532404113132CE318850BAE0029D65B0
Filesize
1.2MB

MD5
15782f7f8b78111a1dee9979ed2fb674

SHA1
5d97b743d5358aae2ab68a756fd7b5b01612e1d8

SHA256
fe90f0dcd821686d74ba0236626612a747bf2dd1f0f92f9c13648bd04da707d7

SHA512
d03b9e76e5a1e439289b8de2db1a099bd7686aa89218bc48cfa40d70f4630568782ef4a3abfd72293f20d80d18e3d79ba2931c84d929ca097f70b489702f5384

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\cache2\entries\FC3D293F5F6A3097565FF82491249F75FCD59E29
Filesize
404KB

MD5
ba3a8fabd72f5ad65a1d67daea69bec6

SHA1
8f55fc46be17ea3a5896b36f3029aeddb4ccd9e8

SHA256
2e61ef5a26429666576697ee56ea9d23c7571a1c07d297fffe5459ac5a42bd44

SHA512
d8286ed60687b24bd4c72f0202d3139d9da29d53709ae6abc606cf8749fd920c4509168a9202761c470e9bca46228c3f1b2eca9918664cf4dd7c76b1f11eb490

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
8674202d8196585ecfb783e78892925d

SHA1
0c6e2b1511db6bb716bd868d3d7457b8371bcdac

SHA256
67d2ea0c505cd5a23e9dc8e31700c518af366c86506d2f11f4e0a8cb78f05f43

SHA512
850fb61f4a94ad3eb411727f177dcc2b303bb65af895341f5d48157b8dbd1638c201fc81790e8cc1a7a77b9f466340f8c20f6fbc45be0a32db60f2642aa56581

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\709b6bc4-eb4e-4fba-a7ab-88a61a248b5a
Filesize
746B

MD5
b2c5d158fc5d6d3cc4ca9fa646f7a436

SHA1
0b8a26e2ab07819842b98b2bcd1035d3c780b5ff

SHA256
9b0000fec088c73c4b4ba78ba880298253a9db36b7cb8ff36eeebfbb92a39b25

SHA512
ed8e4ea0797bdd5429d1fd98c42f32587dc1755891b00a7fd09cf921b6bcc1e1f918fe27c2eed3a64e89a8f9b168ad1ee4d735307160fbf217fe680eb0d56784

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\7f790137-0128-4568-9cb4-d2e2514cf9d3
Filesize
11KB

MD5
7ee5edf7a9188b3391c8aa6298753c58

SHA1
71707e66681919715838fe37344e105aa7f3c400

SHA256
a81a2cd0e45594637c7768bc25cb5c9434b96c1a3543e68e47df268d79f1e9d4

SHA512
77729920d3b7def061c7570e2c01622f2eb060871ba20a659a6f2cc59e187cf792d07bac5a52014819ecd4559e4777d6756b64dc6dad69da4d99ff6722d4e5e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
Filesize
6KB

MD5
829b627a5706bdf60710fc269f2ab57e

SHA1
824d9b6f8e3c38389380f99d7ee67ea64d0d9fe4

SHA256
3b8bd6b1c9632a71a58db7ee243b81bd8e968cfd99f295300955e3046f11a067

SHA512
d92d88e3f277ae3ad75ff5a4f875e4cacd587ec7171c165c93da8066a5f4015ab7ae1656b7d32eda0bad0d4b7c2094fb9a3b85b68679ee1cf0ec8afb25a966c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
Filesize
6KB

MD5
315c3aca74c4cd87498484ae8e7231bf

SHA1
45f1b3eef53039dc2092e2181043d7c119bad0f9

SHA256
415c0055e882b37c571f979ec697bcba7d16d37a9704a96676c52268be9673c3

SHA512
5faa7a049b36bd15928651181c8aae8338144456c085c3e5db933840aecab7ab8dd5d3b484b77822c0b6d4bd86bd2fb891c8f96af15da5e96ca92185fcf6493f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
6b1e73e9dc769f57f63fce63b2bc9c3e

SHA1
7e6be8d2eb2c472a7f17ac640bce5135e151dbfa

SHA256
69859be39479f6075da87d33e1846d07f349bbee9789ad291cc3c8068ea65b6c

SHA512
142a9b39f2848c6edd43239f8ca61b874409de3c8519950393146b461fb358edf848e2ae00a49d3ba5a14584c80f320d701557cb91098577dbae81f554390eef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
cc4f370fce6b0e28afae5a6e6456458f

SHA1
ae892b3cb8f4bff84727137854a29ea49ecb62b5

SHA256
5a950cd484a2f02519d82b0564a6cffd5720cde0e4fc97d6ddbe2f927e0b9b93

SHA512
0e76cf0e38261c1ed5f5cb20e179042638ae3efbd15b84e2d00f1e33b0113c9fb3058bd97599a2769f321e6b6be151fedf1493b8112b11407058800830de723b

Download Submit