hxxps://region1[.]analytics[.]google[.]com/g/collect?v=2&tid=G-NG3X7N18WW&_ng=1&gtm=45je44o0v882517426z871307953za200&_p=1714244910918&_gaz=1&gcd=13l3l3l3l1&npa=0&dma=0&cid=1553257986[.]1714244912&ul=en-us&sr=320x640&ir=1&pscdl=noapi&_eu=EA&_s=1&sid=1714244912&sct=1&seg=0&dl=https%3A%2F%2Fmembership[.]honorsociety[.]org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen[.]net&dt=Honor%20Society&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=4046

General

Target

https://region1.analytics.google.com/g/collect?v=2&tid=G-NG3X7N18WW&_ng=1&gtm=45je44o0v882517426z871307953za200&_p=1714244910918&_gaz=1&gcd=13l3l3l3l1&npa=0&dma=0&cid=1553257986.1714244912&ul=en-us&sr=320x640&ir=1&pscdl=noapi&_eu=EA&_s=1&sid=1714244912&sct=1&seg=0&dl=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&dt=Honor%20Society&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=4046

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2860 firefox.exe
Token: SeDebugPrivilege 2860 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2860 firefox.exe
2860 firefox.exe
2860 firefox.exe
2860 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2860 firefox.exe
2860 firefox.exe
2860 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2860 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2860	firefox.exe
Token: SeDebugPrivilege	2860	firefox.exe

pid	process
2860	firefox.exe
2860	firefox.exe
2860	firefox.exe
2860	firefox.exe

pid	process
2860	firefox.exe
2860	firefox.exe
2860	firefox.exe

pid	process
2860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2720 wrote to memory of 2860	2720	firefox.exe	firefox.exe
PID 2860 wrote to memory of 1336	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 1336	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 824	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 1700	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 1700	2860	firefox.exe	firefox.exe
PID 2860 wrote to memory of 1700	2860	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://region1.analytics.google.com/g/collect?v=2&tid=G-NG3X7N18WW&_ng=1&gtm=45je44o0v882517426z871307953za200&_p=1714244910918&_gaz=1&gcd=13l3l3l3l1&npa=0&dma=0&cid=1553257986.1714244912&ul=en-us&sr=320x640&ir=1&pscdl=noapi&_eu=EA&_s=1&sid=1714244912&sct=1&seg=0&dl=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&dt=Honor%20Society&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=4046"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://region1.analytics.google.com/g/collect?v=2&tid=G-NG3X7N18WW&_ng=1&gtm=45je44o0v882517426z871307953za200&_p=1714244910918&_gaz=1&gcd=13l3l3l3l1&npa=0&dma=0&cid=1553257986.1714244912&ul=en-us&sr=320x640&ir=1&pscdl=noapi&_eu=EA&_s=1&sid=1714244912&sct=1&seg=0&dl=https%3A%2F%2Fmembership.honorsociety.org%2Fmember%2Fdues%3Fwelcome_back_mail%3Dlouise_arnaud%40mteen.net&dt=Honor%20Society&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=4046
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.0.2060771233\1366358555" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e049d63-3c30-450c-95e4-325544f5a1b1} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 1812 2db92ed6a58 gpu
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.1.1474591765\1954992164" -parentBuildID 20221007134813 -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7836f14e-1e1b-49b6-9907-c1d844613f43} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 2188 2db92bf9258 socket
    3⤵
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.2.10814582\49874730" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2744 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58da4e17-cc3b-40e5-b0f5-38145a6c7120} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 2748 2db92e59458 tab
    3⤵
    PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.3.1084659951\1558656095" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a4f5e7-15ef-44e4-be1f-1797b9b913b3} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 3488 2db97f7a858 tab
    3⤵
    PID:2336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.4.482823121\2053943644" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4632 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33134650-8975-491a-b3f7-33e870ea6fe7} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 4608 2db95195e58 tab
    3⤵
    PID:3896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.5.415310701\482499826" -childID 4 -isForBrowser -prefsHandle 4772 -prefMapHandle 4776 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {713ac297-8a54-4d1a-96bc-3f4138211be0} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 4760 2db98fe6a58 tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.6.1240409724\772468231" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c2e029-bbbd-4f3e-b218-401fd7238471} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 4960 2db98fe6d58 tab
    3⤵
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
a1214b2f1a3c8b2ff463ed45a1a2cfcc

SHA1
7c54f290d86ad5c38e6d7bc68676a4f7bc87b46f

SHA256
75a90db26ffcbb7a6295e7af5113cbd0b36163fdfa7a85c15eb6401a5b6271dc

SHA512
fc36636a64a981c027881060fa678c10db7c811d9f8561eda702be7d9b37bd0a132d2437be3e49fa5f1d5a53bc79aa8f76707ee253fcfde1635c8fc513853a6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3068195e08dc62ccafbbd1653ec77f65

SHA1
7f20f13999d6ea14a48e4d13a900cb8453957f11

SHA256
7f38b1c37d22d1e9125b7ddbf4c997e5aa98df8290e707cd12b11e4fdc844363

SHA512
d9cd9c186c7c42af9acb2cc6bb502e0e686acfd893f1a5494e2861c79ff39b600aab739a9cd3456e9758b2a7c96ee74800dffec420580413d1ded3d6670d88ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0bf7e09c-85c2-46f7-8420-77b45c042875

Filesize
10KB

MD5
afb07cef418eca2a2fb79b6995e54f39

SHA1
5c3b9c91f7b0674f55c013f3983eacf80a162b16

SHA256
f3ae8837491a2f0a8ec44160f7538f912e5a503dae4a6c14022a45640a20635d

SHA512
7bf835c04bc4fea7d9bd80aadfce990062f23f8227439bcf22cfa67e8182dcb02bb3006fc557f3b2c889feb0e3b0fc598fe07902df4a9094ecbdeba989f93dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7735ce4b-37ce-4545-9ab5-f6b424e4ef24

Filesize
746B

MD5
497372895a34f72c23e9c4a047e4150b

SHA1
cda121cb571fdc9d3c8ee0ce02760e4aab950c96

SHA256
87ec76e8d42fa671f5628c2aad8f183b427f88c23fe0aab3b4cb1acab5f933ed

SHA512
22774c1c0efebc6cb0a3e4d826ae42657c1fc5d49b3c7e0b405d3447a81f00640f6d0a385ce76c8f9551141019d4005054f0f44cd164f93281e368fcbad6b74c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
27d1ab50bdc2ef0987d709da21798915

SHA1
58356f8ad51e91287ae3f981a2f3d947751fe7c6

SHA256
9df4cf85ab70d6042248a76779764eebe39cc05087255b6e55c76c9692b26a6e

SHA512
43de3f217443f816544540dbcf6ce4481b37107d4625b89a33abdd7bb370600419d12394fca05bf4b1d84f255b351f3d2aa47c07cfcfcd3b074e084fda61243e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
e372110c58688a9b31cd35ad9e5fe1a2

SHA1
4dee7f1a03ff44615ce5e33af629abec52f9168b

SHA256
6e49f375d32550db32f91aad85f8ea2c6b03a61509359f6a43b3d5e2202f48ff

SHA512
e670d2c5e3f6575ebf489802dfdca147270e230ef529a1dcb1ba7c043093cec863caaab9ecf1085c50444084af95c6257baa2bfb579d5f564647e095b8676b80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
989B

MD5
05a7f67b4c5043383a4ea4fef05d45e0

SHA1
72a8d68d02d7e3310ec579e2fd183d0c65e000c3

SHA256
7eca9e0efa8f0d712081595542182de1a0420dd75f5e4e427ed0940daa3882e9

SHA512
d49fb3c1b00097ddc56215926376f65af2a1cb295615f6f7458d18eb618e270ba1443afd1da88931dcc3096914af36dfc9177393b41a13bb8b51ccaf28a4117b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e7f7396451e44199316097600aa8cdf1

SHA1
2200d90eeb0fe3e66dd10919f7aef0d06f6497a4

SHA256
f380e73a3d448f3c1706cc4ca0a5567d302dddf8c8ff89e0fe9cc44a20b917b3

SHA512
9dabfc9b20f563b028daeef090c70262a18bf1ff9b455dd66cd6ccf8c8867e7442983bebe68e4c99417c17356b4a9c2d590b1f4d558fcfbbe92c52d21e08e893

Download Submit

Resubmissions

Analysis

Sharing