hxxps://steamcommunnittly[.]com/gift/activation/feor37565hFh3dse

General

Target

https://steamcommunnittly.com/gift/activation/feor37565hFh3dse

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1664 firefox.exe
Token: SeDebugPrivilege 1664 firefox.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exe

pid process

1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
1664 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1664 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1664	firefox.exe
Token: SeDebugPrivilege	1664	firefox.exe

pid	process
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe

pid	process
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe
1664	firefox.exe

pid	process
1664	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 64 wrote to memory of 1664	64	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 1096	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe
PID 1664 wrote to memory of 3252	1664	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://steamcommunnittly.com/gift/activation/feor37565hFh3dse"
1⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://steamcommunnittly.com/gift/activation/feor37565hFh3dse
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.0.1443658371\1535813083" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1a44a59-1091-4e3c-8d90-00acd84b350d} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 1864 294df50ed58 gpu
3⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.1.120353667\1235832095" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2464 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6facc6ce-3275-4272-8a18-66b743078994} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 2488 294cb38a258 socket
3⤵
PID:3252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.2.473074462\1878776338" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b687ba-12f2-4f42-9d47-64c935b5ef5a} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 3004 294e2547458 tab
3⤵
PID:4984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.3.19168493\60888965" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a82f0fc-2f88-424b-8bef-376694605bc0} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 3648 294cb37ab58 tab
3⤵
PID:3528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.4.1757312850\1218838227" -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5116 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c15accd-5927-4312-ac78-8062f0f05105} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 5156 294e6147258 tab
3⤵
PID:1848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.5.863346021\1612874629" -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {184b6606-8c96-4d27-aa68-37a40908435d} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 5376 294e614d558 tab
3⤵
PID:1932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1664.6.1940254478\866400309" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49fd8a66-a1bd-4469-9090-a4f25856e397} 1664 "\\.\pipe\gecko-crash-server-pipe.1664" 5144 294e614f058 tab
3⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
f1e9b90b10a518370ca6b50a79a26208

SHA1
1c45ea2de618f55c89e56783f0c5bbea9ab060c0

SHA256
c9ce1496fe3263df5e06f2e67148e8cd2b494f1869f5a88cd65d0459926a11aa

SHA512
e6075962355b8864f302fbbea60dd05b89a2fbf1b741c01043b1681f4068ce7f1c10361a62893e32c4274b6f37304def4afa476351be5be4f013b096a0e18045

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js
Filesize
7KB

MD5
b997859ff8dc12c7e462cadf5d81fe64

SHA1
1a21a42dfda66e4b999f9fc72939a3f23a62ab03

SHA256
3a5c63cc073f53e6cf332846b218a9da2e4d24f75267b3ca0fef515342fb33f4

SHA512
21c8fd6f73e800812bba756eb341696e6b1799237872c37d4ac3f9872be62c0c76cc163cf76f54a13523012390351c0e8acccdef02f0971c4179a505cbe9370d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
Filesize
6KB

MD5
dcfe166fa2784f08fdb45c207a35fca0

SHA1
be8cdd6dd534c9e7eca310a797e6d163283b0afd

SHA256
5e645e5510dd4422af57865aad66706e60bde21482fc95492f0a3b02b0f1988b

SHA512
076df70aa80a98e9c9625a8a5331a5bdfa97cc1162474045c567a018f0c11c83f756e5f4b1a86fba84703f9e90ed3d34ccd85fe601e4da2f8f70f065c9291011

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
Filesize
7KB

MD5
3ae218e02c387b5add7a02d02766a0ae

SHA1
e1dea7df2d67850fb8ba89ce2b8d3798dc628c77

SHA256
4d8bf00e367c22f6724118bb23f8fb2467697646fb67130966924a93141297ed

SHA512
1bb05445e1057e5b813c44476c60b0fe84f6343da9d18e0a4cb6643a149e99500680ad6d72db5a3e58f42a2a71612da99f1df3dd4bb55c52236d3c956611c7af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
871bb0291a171509c556812303744a58

SHA1
4650b158c4f2047f2797a8343d1c6497362c09b8

SHA256
1e260a38e1df6cf0d9e3f73d3dfa9f0de23cfa0b5117e36dae91ba850464dc12

SHA512
70a720dfcf4b65abb6a7ea5484eea989dc8a4b0fdd6643c0ed0f50a7b46b6aa403696f4aa05f3595e1537c9a6c074feffa05fdfe61bff1bc455862c5c4ccd3f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
2c252cb37526d061f03d9beeaca2684c

SHA1
1a7981a287e35e8af3073970e9f2878c04e65ce3

SHA256
ca04c6a3113faa82a2dbb95a8dcf68648ab9759266305e79c09589eb5dc2f82f

SHA512
5d9d98f1e845e78951dbfebda524cb3551c55c12e4fffb62a620fe24a17bc2a5648837a1134a2905f7d92af72059ce2ab00770500bd82c82682dc251391c0451

Download Submit

Analysis

Sharing