hxxps://gofile[.]io/d/vCBo3j

Analysis

max time kernel
1771s
max time network
1780s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/vCBo3j

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe
Token: SeDebugPrivilege	4140	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe
4140	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4140 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 3688 wrote to memory of 4140	3688	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 3412	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe
PID 4140 wrote to memory of 1828	4140	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://gofile.io/d/vCBo3j"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://gofile.io/d/vCBo3j
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 25455 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3390dcfc-0e98-413c-ab8b-51223a99ef48} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" gpu
3⤵
PID:3412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26375 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dde64aa9-9a35-4af6-9746-be1e88e8621a} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" socket
3⤵
PID:1828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2552 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3088 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45b44ca9-6070-47e3-a249-7a9b62c78e4c} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" tab
3⤵
PID:1820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 1452 -prefsLen 30865 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d288469-da7c-47df-bd76-758ba56b0ce7} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" tab
3⤵
PID:3904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4612 -prefsLen 30865 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ac544f-c338-4f62-9fa1-2f651b4af6bb} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" utility
3⤵
- Checks processor information in registry
PID:2280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5208 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc064b00-621a-47fb-b39b-83e997e62110} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" tab
3⤵
PID:4432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5488 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c4005b-0ae2-46de-b55d-9fc0c9efe20b} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" tab
3⤵
PID:412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f9a567-b43b-40cf-a55f-7a7a22ea3a2b} 4140 "\\.\pipe\gecko-crash-server-pipe.4140" tab
3⤵
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\le59fmg0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
18KB

MD5
44e70dcaad00653f1bed31f9cb0dc808

SHA1
bc87094328f9cf2367e39686f6babea17cae3cd4

SHA256
889ae665a0ad92c54ad2f66767231edb8662bfc83d8f0c8de359d2f7a49f21f6

SHA512
d0c4bc2a034934de3f41e14fce1ce97c3015e1584781c5aba4aa18930fca16234e038751eb6a2a1622e3c216f27b3bc6bcb919b2e3f4e63b2da35e687c07d99b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
3dd04788cb224743181ff95c1dc6bf3c

SHA1
110ed5a343237dada3677bf7c7e7f6b0a0870701

SHA256
0605a5676727260adc17b0c91b7d20cb3d3687d29db3591d166fcf54f6fa8093

SHA512
22de5ee4d663ffb1d17b1541f17d11cef38ecc5ed1a21b3865496d09aa51fc4cd4cf055aea6ea09639b56fa90ec2341ab6610350cb2bb8d7691fdb92cb2930c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\bookmarkbackups\bookmarks-2024-04-27_11_mGTFwAw7YmppE-OCl3GXPw==.jsonlz4
Filesize
998B

MD5
6599dc0d1940d463aee3ef42a28e0375

SHA1
4900c004cf4168cf367e0225c7ec4a4255d08600

SHA256
0ec9beed2d3299da57b1773daaba2a3e912d8389664195aa14c2e11d897e9d77

SHA512
4329155a245439448de6cbc1259bed9c50d7ac04c85e8e75c1ef7a4b67911594dcac7d495b25006179f5ff200497cca8016840a2eab6e58fccabacd79b4ba5aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.bin
Filesize
25KB

MD5
002a90f6609d6fd4533fe5b8c329d934

SHA1
fdb29332fb55f6921940c68589f8284dd16609df

SHA256
1feb66a43f60431e2bd4cd79f32440f4931ff80839d488cc72fa02e66a97fc9b

SHA512
a4cff91f49f7304f50ddcd38efe6f422f0a6ba00d5ce06d6a3d46e27e050b46b8e1ef7254fc635e4db07f8373dcdfa1fb236528467a2eb4b8d5461087b62f3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
b76e46c978eec5b4aca7069df7fc1483

SHA1
26bd991f832b1e1a35a0be23651653a231c5b71f

SHA256
ad51806fde05ae89326f6a54f625c7bed71aaba1d3786f0c54b8fb5161290540

SHA512
e9d6521b23cee3bf0dd45cff2d191f79cb8be3ba02bb3f6b7587c88d2b5f015b0c815362fd6c3f135e4d47b1ffd5ca54268b674f84a01629e166dce81da73139

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB

MD5
502856983b88415538c7ab9d5406bf91

SHA1
9b3b9f60c6c177a23bf34da4d5d218b27c3d2db6

SHA256
bf7d2cc779f81c6f64e58fbcf6dd2c6a81219562a6c4eca23b3e22d5e47dde0e

SHA512
808e3f218d6af076cf8604b900a5daf84496dfd1a8283610c08f2df35caa219087aa32f08c3ee4d4ad03877b9373191c11cf199d88b54f8c355eb3c00635215f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
21KB

MD5
9f1241595d2b6d9a382e743d9b2e1711

SHA1
7019067492359a6370571d17fca73d2ea9570243

SHA256
1b2d90530b5dc67cb9c14b398b077325cb0decf8c38de119e9289f07984bc8c2

SHA512
c74f455ffa6308d82367686ba890493cae871521719f3a2f9bf46846a79935d8175abe8550d506edf5b52140782d5270201586332e8e5a88410147e01b309969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\0a85fe8b-04c2-4b8b-8990-b4891aebde47
Filesize
982B

MD5
9afba681b5110b84850473554694d79e

SHA1
9f0db697a3028d6caf9c22e0f725044e127ca669

SHA256
3de498c052a69bcd31531a916dea7fc7e992e15bfa195dd701ede63f13352863

SHA512
a40a4a0b52369b3a6ec977701a94e6e30a9fb359e3d6e6d829d52b91eb5ea738505b128a4150993bfa3a7dfa91728e16771409f93fcddee80986bf8daadad7da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\2a893c9c-6d92-473e-be55-6bd49c30462a
Filesize
25KB

MD5
3a463bf7e777f5c18b7401731ca5242e

SHA1
d3095567be8a369eb1262973789d57c3eddb1bba

SHA256
0fb71860b059cb0494215b40b6fc292e5ac08fd3d1ee3c0bf02d8fe9feb4168f

SHA512
31ef4045c4cfe40f2c127f104f25f392227e0e91f50d16228373cdbc65956269dde315372efc7e8256da83adea525cf75825c31b1afcca042ad504ccb4d1cb02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\datareporting\glean\pending_pings\dc38e9ae-1c3e-40a6-8b8b-50d300c4d254
Filesize
671B

MD5
2e170db55ec3c3a091a81d9ef5579bbb

SHA1
7f4fef3411a50555410fce1eee004601f05e4aca

SHA256
5cfc27a59ed5901f3580e450b40523c7d796f923f5cff58338d86fc7940b0b72

SHA512
fc280b021081d28e596e7c454be65c3257019ead774814b81c6dfd21bbd595ca1fd16bc5f247b84f1325aba55cea4b6d5943bfa4fe221a630402a3c47f6f49fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\prefs-1.js
Filesize
9KB

MD5
6be9268d75c816c12d374c61682de7bf

SHA1
ad771fcda659b9945a4807a1a34f264690949a54

SHA256
6fa79765612088d88220cbb4c5188b1204ed600364d58ad78e0aa47d0ec8659b

SHA512
17e5a4785dcfc243ca9f7b3ef468b08b7b8b64f4eb4759ab85342f10e3e520b78f5cc4b031c3561eb44914efe121ecc0610c5ff30ece718a905e8aff2f84e969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB

MD5
937b531bf0ef2d6e616e1be907c8336c

SHA1
63450a55d1a42c01550bf9c65c7170aceafe7dd5

SHA256
800e90726b658d6d51f61b3b926b4c2d1951e4825783a3e728b73af9a1c89b61

SHA512
a86c03b26e52b8c90a4e9c0a4b9e35cbd97aae988f00ce97d38f9221c141f2a18a93bc5f92c46645551f8f67a9c97ec7b2f40b52b0feb805da32bde4b13f2121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB

MD5
b4909ab49e2455b80c0d889bdc7a907d

SHA1
cb90296341b2e13edefeaf7f832b22115baab4a7

SHA256
2de131193cab37cfd3312db2c856aa9890c7b928b1acd987100e828b0e5cff2a

SHA512
89699a47a3d5dcf564972b4a957b9ff94a1fe9377ce5eac1fe98a48134ccf5e7b0331e0549d63e838a4fd8d6195d220829c80adf6ac300b99e9b5407f0c54a87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\le59fmg0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
200KB

MD5
f1d4ac939bc7c588c1fa64974f3dfc92

SHA1
78c2eb08bfc21628dbe4a4b2c10eb4e80fcac7c4

SHA256
6ae3d8b7a0a15cd4f5f41078654452a7d1e9065f99fe269e0857f0f4881cdee9

SHA512
71bd948a98adb38393c1912a21768bee68bce0785b758d228080cba7f3a572816380d7721141bc4ba414828e36f71a99c6e5b2b1af625cc40ee25899a71d76fa

Download Submit