hxxp://185[.]215[.]113[.]66/npp[.]exe

General

Target

http://185.215.113.66/npp.exe

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3304 firefox.exe
Token: SeDebugPrivilege 3304 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3304 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 2524 wrote to memory of 3304	2524	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 4816	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe
PID 3304 wrote to memory of 1172	3304	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://185.215.113.66/npp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://185.215.113.66/npp.exe
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1492 -prefMapHandle 1860 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c9f50b7-2991-4670-9e97-3a6da48ede6b} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" gpu
3⤵
PID:4816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2284 -prefMapHandle 2280 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a969245c-b8e9-4aa7-b182-f47143de2913} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" socket
3⤵
PID:1172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2816 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {959e7622-73ce-4ece-bbe4-50f730b87fc3} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
3⤵
PID:1644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3644 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b030a65c-5340-4893-b30a-774c80ae59a8} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
3⤵
PID:4556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4572 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {235bdc0e-87de-4c4f-9e21-b81089ddce97} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" utility
3⤵
- Checks processor information in registry
PID:4728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -childID 3 -isForBrowser -prefsHandle 5176 -prefMapHandle 5160 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9da6f2c5-500f-4fed-8585-bea1ab52636c} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
3⤵
PID:692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee05be72-8c5b-40d8-a678-5763b7de29dd} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
3⤵
PID:1932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bebd737-6069-4e8a-8d9d-471dbd57ebc4} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
3⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zdbhklj.default-release\activity-stream.discovery_stream.json.tmp
Filesize
20KB

MD5
9cde88c24c2791aa998b8134c4c9e86c

SHA1
916431528f787b6484a36af437b767b8008b4033

SHA256
88a7a4458340a075a51b524e9ebc4a731c5b5011ac22acacc3e7e24d7733b33e

SHA512
2dc6cdf2b4ddf480b110132aab87f239181c586f210ef8395dc069c4d8ccea6e74c63a27841a194ef551f423a71b37b6e71d57fe4eea920369fd19b587a43e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp
Filesize
21KB

MD5
1675dab15c6876f6027f8a5369b94098

SHA1
31d4d3395446be307d51b42b84ad09f873e94d6a

SHA256
2ef95e7444a1e6d91424a43f0ffb12662e60345379b34d96d4b6c260757d56af

SHA512
eced7bafbab3ebe5770dc8117efac2f36703e3b2d59addfd48f86b2ad56da4d1649f3a6e24e4afe886c65ca0d123bdcb6b7c168e94ce9fd2f8f33daef4ac3ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\db\data.safe.tmp
Filesize
21KB

MD5
7d8cd3d311af3a1aae9e35fc4a021641

SHA1
54028840a605c552599edb6f07f69dd55c11b566

SHA256
41e7a480b57c4d04749b5000dad9a69d9fa91a54f1a320f4c4da68b63486caee

SHA512
1202c7afdd525c17f9a439df32d86336b833fb380611f13be9396adc0dfd54c41944a23417de8873a09fc3f109151f848fd9dbc1ee90c5f82b7d0808059f98ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\951a698e-76d0-43dd-a33c-b8beb40b002e
Filesize
982B

MD5
e28e5003c4352480fd243360180ec597

SHA1
defc3a89d5adc533b5e70ec00a21db8ddc51ffc4

SHA256
cd51596ae56bd740e1a3452f0528f2a0d10e80accf8b530d04ab858bc99493fd

SHA512
d8d778dbe764cd6370764dcff5f6a4ba7304cf57563e22be34664ff28ae110ca022e7f004896f8f1427206729ab16786d028a351e158ced4e378779d3515f103

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\datareporting\glean\pending_pings\e9c25432-ffc2-4a95-9d71-b7c9900338be
Filesize
659B

MD5
6d42539ab802a8b462728e5b5bcddeba

SHA1
3b13f90f19f95c7d946835cba878da16b279daba

SHA256
0841ab2065a0f36839accdc41f6483f629a30b75729b365ec815a054465268bc

SHA512
c51ac343b82f70086dc6a45f2280bcecec9831eff985dfcc801fac7783d65ccbc9e7faf28d913013e5392c59a807311270334f9ca95aadcd973e05eed6cc296f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zdbhklj.default-release\prefs-1.js
Filesize
8KB

MD5
4abe6d85f9e32f423b466e7fe7423871

SHA1
53396cf81c737261a0ee2e50d05f361e71918ffe

SHA256
c99515661bb77cf31ff624d64ec082f14cdb029823781b060f2f1afcffbc014a

SHA512
9c7ac8ce52cae94762cbc3b3b1cc79e696d5751682f406fa1d72c5dbd8269ea8c60aaf8b94280080297d56cb085ffa6e5254bb9773dd04b96e826dad8d2e48a8

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads