hxxp://track[.]mealgate[.]com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu[.]edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023

General

Target

http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1988 firefox.exe
Token: SeDebugPrivilege 1988 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1988 firefox.exe
1988 firefox.exe
1988 firefox.exe
1988 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1988 firefox.exe
1988 firefox.exe
1988 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1988 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe

pid	process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

pid	process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

pid	process
1988	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 3484 wrote to memory of 1988	3484	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 3660	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe
PID 1988 wrote to memory of 4624	1988	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://track.mealgate.com/?xtl=1dwllwvqmtp2bs4hyjn337pgiyxf608ivxcn0oupf4xmnnrivzx3ivrcw173w8yrvpid7oro171fr5ba646snd1rzws5ezasw1yukm6jo14ng4h1otkiw1qgo2fhjftr22nqdpd9fugc4x4va9qw0mxbzb577ujc4e09g6hvrwnkkwn5ks9edq16prnm8wa7oqjiq51iztua8x8fc3o5kidyo4t3kpoof32trytjyzo0n8tl1ytddn3otnq07pnsu99g&eih=1l5wnyt7mvmj0rn8kf13pz70crct&__stmp=sc00yg&email=rcolwell1%40ewu.edu&first_name=Reynard&last_name=Colwell&newestsource&Source&YearAdded=2023
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.0.1208483152\106752262" -parentBuildID 20230214051806 -prefsHandle 1724 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5de6540-b25b-457d-99fb-ae29e7e5fd61} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 1848 22666d0d458 gpu
3⤵
PID:3660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.1.1790350156\836753186" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2468 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {629dc40d-de3c-44bd-aa15-80a5579a0469} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 2488 22652a8f958 socket
3⤵
PID:4624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.2.297985418\54836449" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2944 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f8e88c-d676-46ec-a553-19622bf19d13} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3036 22669c3a258 tab
3⤵
PID:4724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.3.470542854\612449116" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e4d9d6-0b0c-44aa-ac28-d0b987f5934d} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3684 22652a7f058 tab
3⤵
PID:3848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.4.1222443869\695854022" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb472448-0895-4ae7-9740-4f24b5bebcf2} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5132 2266d317158 tab
3⤵
PID:4904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.5.1884509928\2031098698" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5296 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77aa1b6b-ad41-4efd-843a-2e3325776d09} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5280 2266d318358 tab
3⤵
PID:4804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.6.47374142\594768506" -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5016 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0162332d-62fc-4509-a7fe-f0518901085a} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5460 2266cd03858 tab
3⤵
PID:3144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.7.1368938356\2126567008" -childID 6 -isForBrowser -prefsHandle 3324 -prefMapHandle 3264 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e99bb49-5a26-4fa7-8ab9-4c962b129958} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5756 2266df3ac58 tab
3⤵
PID:1628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.8.1653074326\1280863007" -childID 7 -isForBrowser -prefsHandle 9852 -prefMapHandle 9860 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e55479c3-2e0b-4356-a600-674ce6ae4e44} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 9840 2266e451058 tab
3⤵
PID:5504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.9.722755974\1361290707" -childID 8 -isForBrowser -prefsHandle 9584 -prefMapHandle 9596 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1810cab7-5247-4533-be34-43db25397f29} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 9608 2266ec71958 tab
3⤵
PID:5904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.10.2001582829\159525864" -parentBuildID 20230214051806 -prefsHandle 9292 -prefMapHandle 9300 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db46c106-5cd5-4632-92fb-511a425193b6} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 9400 2266ed28b58 rdd
3⤵
PID:6036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.11.1365742279\251953689" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 9276 -prefMapHandle 9304 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9487c483-e38a-433e-94a2-5797593d86d5} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 9416 2266ed25b58 utility
3⤵
PID:6044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.12.446824683\1452366196" -childID 9 -isForBrowser -prefsHandle 8992 -prefMapHandle 9008 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76d78bf2-6e8b-44f7-98f0-3e142d5a1e5e} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 8972 22668158558 tab
3⤵
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ossp351b.default-release\activity-stream.discovery_stream.json.tmp
Filesize
24KB

MD5
f8b6cc07a8fc3aa96adce3a2812049ad

SHA1
086f070d2e43f6dfbe3031ec3ae9541d17f6fb39

SHA256
24e4fea262d7d323d4d4707e69e48b8525f9b693f4cdf8dbc88b8cfd388d1d15

SHA512
68c5b80a2283666170f78a1651ff14fdb3e3d997a4a0d3d68fe27e892cfa0ec8fe34f5c5f1c64369e3bdf9c5a5165b44970eb589a355f1a714bb71283a1c7961

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ossp351b.default-release\cache2\doomed\9121
Filesize
112KB

MD5
8a476780731881a15ff335b718c83bdb

SHA1
d7b5326aea399e3b282e9c1fa46157a6453cccfd

SHA256
95da87aa68cad30844767bcd1c1f8d6903f47ca61c58a39e5a85350572c054de

SHA512
5ff9d77c8bb4f1e529e3e3cd89e7867d3be87686151078c49cbf3fb39f6267bbb48c06a9f9878d49442f91b4e52ee46b9179187b8c2bc421d0cb630d9296069f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ossp351b.default-release\prefs.js
Filesize
6KB

MD5
5478d996c8c65b8ed80a25ed3fc4ad36

SHA1
0129644354c58cb3f4b5d1c3620066f7a4b54a5f

SHA256
58a6641e8d0a06f7a3d2b040a8f9f29cfc078316ae969757cb5b2efdc27a968f

SHA512
9f4719356bc60762c0149483bbf741b7e996eee5fad46d9028af4561f17e29296b4a42d1facc8f4597f6cfdd2bd90b520eab748cdcceddbc2e4e41da29613941

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ossp351b.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
cda2f5cd6c8b6c81c810191a0acd6467

SHA1
aee778614b7266b3a538c9b67d9154a32c1fcd4b

SHA256
7fec5a8d251f37a292f345f79a8cd62a244800870b140c8c1138709d069650d9

SHA512
d5630f54d5b76d3f16fd4f7c1e68233129197e3205a3c6dafc847b40bea8c65eaa8b4f03f616dbc6c583d8d278c32bc9c95e85415292e07d8b3e5bcef17440e1

Download Submit

Resubmissions

Analysis

Sharing