hxxps://stylesunlimitedph[.]com/

General

Target

https://stylesunlimitedph.com/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 4628 firefox.exe
Token: SeDebugPrivilege 4628 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4628 firefox.exe
4628 firefox.exe
4628 firefox.exe
4628 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4628 firefox.exe
4628 firefox.exe
4628 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4628 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4628	firefox.exe
Token: SeDebugPrivilege	4628	firefox.exe

pid	process
4628	firefox.exe
4628	firefox.exe
4628	firefox.exe
4628	firefox.exe

pid	process
4628	firefox.exe
4628	firefox.exe
4628	firefox.exe

pid	process
4628	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 2796 wrote to memory of 4628	2796	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 3500	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe
PID 4628 wrote to memory of 4116	4628	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://stylesunlimitedph.com/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://stylesunlimitedph.com/
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.0.652403795\1440713628" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1744 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {388e056f-c839-4c85-a50f-9329f339d535} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 1852 1872160ce58 gpu
3⤵
PID:3500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.1.1033186744\967550575" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe1d45f-f4dd-4513-b5da-ef39990d11ce} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2444 1870d285458 socket
3⤵
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.2.503440113\598258919" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb107569-89f9-4bcc-bbc5-87b48e37c2ec} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 3000 18724557258 tab
3⤵
PID:4260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.3.1674860531\318204005" -childID 2 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2feab5c7-4fe2-4bc0-a9f6-ca74536c77c7} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 3832 1870d277858 tab
3⤵
PID:1324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.4.160467565\113633547" -childID 3 -isForBrowser -prefsHandle 4960 -prefMapHandle 4800 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cce6e39-e734-4a0f-a8c1-c3754427b43a} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5112 18727a84458 tab
3⤵
PID:1000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.5.513725086\1766454530" -childID 4 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {548eb569-ec24-461f-8d5d-0f1f2b215346} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5252 18727a83258 tab
3⤵
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.6.1620568825\809176983" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5464 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d5b8c86-c828-42c4-a698-285e11bbd202} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5540 18724a05358 tab
3⤵
PID:1272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.7.580351586\1015990129" -childID 6 -isForBrowser -prefsHandle 3068 -prefMapHandle 3088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c4fb6ea-184c-4446-b0cd-cd85cf73b488} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 3056 18728a71858 tab
3⤵
PID:3740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.8.1187406738\829039255" -childID 7 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87a20ea3-9858-4403-be48-62fd83edc63d} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5776 18728a70f58 tab
3⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
2bd2820d2f52f9d78394e265c55b8874

SHA1
1552e7de6144b9dc189d66704163a9868621164b

SHA256
2faa2d075fd4ed2d752e61724fbb81eecaa4dbc21d888de0e15911c8712d8d04

SHA512
b893da478bfd144b8078ace0c80538cd2caa94fdefe4d16a5e7e02a9bfd641d13818e3f19beb9ded8dd346c6125975ec09fab7a52d8b4c2abc9fae2833c68bd3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\cache2\doomed\1341

Filesize
12KB

MD5
129f5e8a6c857542a06db693acb065ac

SHA1
62e69793a8c01eff9c51fc692267d991c1dea626

SHA256
05df3a1cc5ca8aa0e4c06ba81c5cc87f6651de10c6c17fc3cb3f009da42f11a4

SHA512
c9c48a4c7bd473528df654371a4dc906e8eed47daa2e0b5caafda4fdc7adfc44c6b774979bad61ba596e4956e0d510074351b880734e8dfa15ce9f5235d28f1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js

Filesize
6KB

MD5
f7ca3cc43cc07ce741d3274e27afa19f

SHA1
e08e299eb6caec6c1eef6efa43cc80cc28626665

SHA256
9407bdb676739c47540e271648a7faf8f782ba6e82944aa8c9701712dc766692

SHA512
f843969eb6e096b992ec51cfc6b77a5e0b5f91b6eef715a662e1a29dd0c1cf48950cc6dc9b62a9acbd7c4e8f2d9eb2f09393a7a15866ec7177bd98b78412987e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4ce9c73e71ac858e95c12f8eb834b0c6

SHA1
8a2fe9d63d2fbd32e1473a96aef12bbc51faf784

SHA256
e268013b820df259bfcf0b683cf09ff70c6c3367ee67c877fe522dd7ac274d41

SHA512
5edfdcde818d6a7122f300fe1cdadd11f8b1722e77bcc5a1ce9809895f49e25632fafab14e581dc01b27e9d9fd53c59aa478c49b96d0c2fb59f75a70875e73ad

Download Submit

Analysis

Sharing