hxxps://www[.]surveymonkey[.]com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnT836_2BYB8hBwteIGMtJsa3Y1vxLzMQx8hQ_2FIcHYekp4uZGtyNOKmLj8uWYeMIRBECJQxK6aoUPBuYZsxlyfy8J0u00yFYvNWLFaJPH4Vds9VvgVOLmxU7CcX1Vswz6ckLCveIH0qxIepHjn5Wd9isAk_2FystH3tW8IXVH8bueBv_2BZx

General

Target

https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnT836_2BYB8hBwteIGMtJsa3Y1vxLzMQx8hQ_2FIcHYekp4uZGtyNOKmLj8uWYeMIRBECJQxK6aoUPBuYZsxlyfy8J0u00yFYvNWLFaJPH4Vds9VvgVOLmxU7CcX1Vswz6ckLCveIH0qxIepHjn5Wd9isAk_2FystH3tW8IXVH8bueBv_2BZx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2144 firefox.exe
Token: SeDebugPrivilege 2144 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2144 firefox.exe
2144 firefox.exe
2144 firefox.exe
2144 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2144 firefox.exe
2144 firefox.exe
2144 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2144 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2144	firefox.exe
Token: SeDebugPrivilege	2144	firefox.exe

pid	process
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe

pid	process
2144	firefox.exe
2144	firefox.exe
2144	firefox.exe

pid	process
2144	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 1804 wrote to memory of 2144	1804	firefox.exe	firefox.exe
PID 2144 wrote to memory of 1972	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 1972	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 5108	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3052	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3052	2144	firefox.exe	firefox.exe
PID 2144 wrote to memory of 3052	2144	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnT836_2BYB8hBwteIGMtJsa3Y1vxLzMQx8hQ_2FIcHYekp4uZGtyNOKmLj8uWYeMIRBECJQxK6aoUPBuYZsxlyfy8J0u00yFYvNWLFaJPH4Vds9VvgVOLmxU7CcX1Vswz6ckLCveIH0qxIepHjn5Wd9isAk_2FystH3tW8IXVH8bueBv_2BZx"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.surveymonkey.com/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FpF_2Fhy3EhxbpxJDHYpYZT3PErDK_2Bf6OjNYOPsqZdKwg_2FdGRiGnm_2F0m8noAHL9RnT836_2BYB8hBwteIGMtJsa3Y1vxLzMQx8hQ_2FIcHYekp4uZGtyNOKmLj8uWYeMIRBECJQxK6aoUPBuYZsxlyfy8J0u00yFYvNWLFaJPH4Vds9VvgVOLmxU7CcX1Vswz6ckLCveIH0qxIepHjn5Wd9isAk_2FystH3tW8IXVH8bueBv_2BZx
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.0.592919320\317714345" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d54ed609-fe9a-418f-9541-35de1e3772c1} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 1996 115934c0a58 gpu
3⤵
PID:1972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.1.1229730511\85032472" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a76f0ed7-a069-4c16-80d8-84c7a65d8bed} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 2404 115933f9558 socket
3⤵
PID:5108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.2.923183614\958156522" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2952 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {879de8b0-b5c6-4ab4-9fba-6f49ff7a3073} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 3032 1159345d858 tab
3⤵
PID:3052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.3.521086013\436616829" -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30ad5af0-9798-4fcb-8202-f9678320ab5e} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 3940 11598834558 tab
3⤵
PID:2856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.4.2037251716\829613935" -childID 3 -isForBrowser -prefsHandle 4600 -prefMapHandle 4612 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f4def42-213c-4a75-be86-d159db99ed93} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 4844 115999eb658 tab
3⤵
PID:1208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.5.1294851899\30816400" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3dc0a9-6210-4200-9afe-605d41e2b513} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 5040 11599749d58 tab
3⤵
PID:2228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2144.6.1773924094\361378020" -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2e6f306-b414-4fc3-96d4-48bfd95553b6} 2144 "\\.\pipe\gecko-crash-server-pipe.2144" 5240 11599748858 tab
3⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
2da6f0760cd2f41b4250ccd17dd9a2e9

SHA1
1dd6080ac302e0ebcf95dd775a031ca8a8a79cd8

SHA256
a1e5ae7606cf11616be77b94d79741ca614a30e35f8dbed6269d10b7a1d50bae

SHA512
ee6e8acc260d71f430ab7b522edfc41aee9affc0d3a4f88fdd89d3c57b154c308f69ae86fb4286e3e5fa4964be53b2200af865b902c2aeab52aed0a2e2d089ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\84a0e85a-48a5-4b78-81a1-b6deb1c287d4

Filesize
734B

MD5
546021ecd8aa410ff5d735b8286f8f61

SHA1
aa8e4a3972e68103f1feac688e129030729dcec3

SHA256
f4ebab9f1fee39c4cd28e68e2abf61b809457464e9791d0fface761abeed67d4

SHA512
ffb37f1e00093d4d3a4aa32dc0b793e1cd9e32f02f6c003af4e5706173572ee96e83ed13fd933eb9d8c6f40676551140050efa8193ef0f431b4c5c26314f1991

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
e83f167de7fe30244a27d8068c5a4878

SHA1
1531c9d57dc1917adb22025168269068209da79c

SHA256
5eff0f9619a2816839149a3057243b230fc5126dd174b159377ae332dbcb4992

SHA512
310b80de6c1cb951034cd9d2440e2e6a738a519d995ff9f119df0c5c96d21b3000546f179df943fc35cb8384c67584e703f99daa1ba359120390afa063bf3d24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
88db53b2a517683cb963ec6487ca54b8

SHA1
2f71f3ac192c8836c21d177a36f8afcc55ad3a5a

SHA256
7aba6c79433b8539d173a52d7f0b96730c06d5d262e362502a1266f3aa4c0dc1

SHA512
3bcf3a9920de7e08e5e712eb5aed6057209a560f914a0c32151a723e2ee6f51a6c68d0a388020e2c22f040cdba7ae43d1d1e17415d96b8f25cb220228665fb4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
9084c43df43a4a6fa3011e9275a55545

SHA1
0be563eabd1612a2de97431d6d0fd0a0bf14985e

SHA256
a0935fffe163e8327f57fad15ac0030d26bfc1a021ce34e7a797f05d262a85bc

SHA512
cca58ff3d1aa77b2fc1da3846a91c8a4c0ab4f1cd4f738d2b9f3866d77c50466e21d9a41c49816e41d67d07abcaa3030e78de04955fce998fe49522b376a2487

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
89fb414d778d11d3a12991de60301815

SHA1
1d7a63ca92d9ad28930ce2feaac8c71c3f699ef7

SHA256
935ba660008416f0b46a028a709944f11f9c2858243a2f7bc0b57aa1d96314be

SHA512
49f06dc78f2e08621ba4ed19925d8c7ed040502f13edaeedc7df3d675e77417d8b7b3c0b3feaf7f4fcef989091b363f5af1fa9258de57cee5bd904e1d7a31f9b

Download Submit

Resubmissions

Analysis

Sharing