hxxp://vlt[.]me/[.]30mtk

General

Target

http://vlt.me/.30mtk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

firefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1288	firefox.exe
Token: SeDebugPrivilege	1288	firefox.exe
Token: 33	3320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3320	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1288 firefox.exe
1288 firefox.exe
1288 firefox.exe
1288 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1288 firefox.exe
1288 firefox.exe
1288 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1288 firefox.exe

pid	process
1288	firefox.exe
1288	firefox.exe
1288	firefox.exe
1288	firefox.exe

pid	process
1288	firefox.exe
1288	firefox.exe
1288	firefox.exe

pid	process
1288	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 4100 wrote to memory of 1288	4100	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 5084	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe
PID 1288 wrote to memory of 704	1288	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://vlt.me/.30mtk"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://vlt.me/.30mtk
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.0.905469961\1969096265" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {816df683-2324-44c8-9100-9d519cd769b7} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1860 28b46b23458 gpu
3⤵
PID:5084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.1.6334342\989540785" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4948a5c4-9e32-4882-963d-cdc592e18994} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 2404 28b39f86f58 socket
3⤵
PID:704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.2.223200563\1186930870" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 23028 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eed73f6-28b5-4417-9ab5-98f3c889b44f} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3052 28b49f3a558 tab
3⤵
PID:2284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.3.146294931\1329285840" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70a524c8-48ad-4852-a606-4adfaa05b3e2} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3600 28b39f77e58 tab
3⤵
PID:4352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.4.403929411\1812656174" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb1d0f53-f538-4096-980c-55aef253090e} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5200 28b4ea89c58 tab
3⤵
PID:4524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.5.687409325\226938444" -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047ae272-42f3-4e98-85c8-f7dc462abd1c} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5348 28b4ea88d58 tab
3⤵
PID:4864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.6.616898732\613272711" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7a3295-74f4-4691-b6c0-a424408df0b2} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5540 28b4ea88a58 tab
3⤵
PID:3116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.7.1007744135\685365963" -childID 6 -isForBrowser -prefsHandle 3044 -prefMapHandle 3048 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb8f405-ff28-43c7-bc5f-b683ba908631} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 2960 28b49f37558 tab
3⤵
PID:4100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.8.1606274014\583319026" -parentBuildID 20230214051806 -prefsHandle 5900 -prefMapHandle 3248 -prefsLen 27695 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16730031-ef34-49f5-a7a9-3dfb64f3e11a} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5932 28b4f319d58 rdd
3⤵
PID:3448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.9.1799383278\82055015" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27695 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f547284-83a2-40a9-b937-31905c22bc45} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5948 28b4f318b58 utility
3⤵
PID:2292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.10.866758535\456507803" -childID 7 -isForBrowser -prefsHandle 6260 -prefMapHandle 6232 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59d52166-f488-4689-bf5a-84c617d5680d} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 6288 28b4f51b458 tab
3⤵
PID:4780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.11.1875381605\1476957186" -childID 8 -isForBrowser -prefsHandle 6244 -prefMapHandle 6488 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed96b09c-332f-4345-9f9f-442d714d4178} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 6480 28b4eb94658 tab
3⤵
PID:3544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
5a5c63d240a852c41f87e381dc6a138f

SHA1
fde692f8e0c2ca05eba0b8b3ee95a03c2382082c

SHA256
5ee88448a8037cd733be4fb5294d89752bc985446b6e26f140776df492ab221b

SHA512
1aadb85fab17d455fc5f7d3a40168c8cf222ab33f0882704e975c9553d6688c39138a8df2e28550120f58af8958075dcd14fa59cded9809a04f8be5b08ec7bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
69df7796ff91a2d38b5eb290eedbee58

SHA1
ecf673148300544a788822e766354dd0bd843d02

SHA256
83cc44cb42ab44cca31bd83de21eb54f438bbc13d52f4ec5b3f6e1ff7f011530

SHA512
f21e3b6748eac6bf2a14c1d1ce758bec45e78704c41342b4af5305f4d1c627858266f70c41e51188969bda9b0506b5a21e9376267a6ad6d51a32cb1488f490a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads