hxxps://egirl-paradise[.]xyz/tlg

General

Target

https://egirl-paradise.xyz/tlg

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings firefox.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
664
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 920 firefox.exe
Token: SeDebugPrivilege 920 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

920 firefox.exe
920 firefox.exe
920 firefox.exe
920 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

920 firefox.exe
920 firefox.exe
920 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

920 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

pid
4
4
4
4
4
664

description	pid	process
Token: SeDebugPrivilege	920	firefox.exe
Token: SeDebugPrivilege	920	firefox.exe

pid	process
920	firefox.exe
920	firefox.exe
920	firefox.exe
920	firefox.exe

pid	process
920	firefox.exe
920	firefox.exe
920	firefox.exe

pid	process
920	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 1048 wrote to memory of 920	1048	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 968	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe
PID 920 wrote to memory of 3120	920	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://egirl-paradise.xyz/tlg"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://egirl-paradise.xyz/tlg
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.0.862565384\88434801" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b86c51e5-3e1a-4bb2-8e2d-0d224ee2caca} 920 "\\.\pipe\gecko-crash-server-pipe.920" 1848 255db929b58 gpu
3⤵
PID:968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.1.1437121611\677762223" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9463453-a65e-4d25-b101-c7e930e28126} 920 "\\.\pipe\gecko-crash-server-pipe.920" 2420 255cec88758 socket
3⤵
- Checks processor information in registry
PID:3120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.2.1969124455\887243228" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2912 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9875256e-300d-4a2a-865b-a41609d5ab2e} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3204 255dea35858 tab
3⤵
PID:3512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.3.1522041184\1617676978" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3624 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b4e4dd-797f-4637-bd59-415388109912} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3632 255e04cf858 tab
3⤵
PID:4540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.4.928360958\1883847891" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4984 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2848201-202b-442e-b296-1ce7b05504f0} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5008 255e1ab4a58 tab
3⤵
PID:3924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.5.434513597\666252834" -childID 4 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1127b35b-a27c-4bcf-9c0f-a563afa546b2} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5144 255e1ab5c58 tab
3⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.6.1789682792\1192979530" -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5356 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {403d2049-9581-437c-92b5-3a46331316a4} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5400 255e1ab5958 tab
3⤵
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.7.1857341696\6224105" -childID 6 -isForBrowser -prefsHandle 3596 -prefMapHandle 3516 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f34bd1-0415-48da-b8b0-80401af246b2} 920 "\\.\pipe\gecko-crash-server-pipe.920" 5596 255cec81058 tab
3⤵
PID:2820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.8.1365475691\355259634" -childID 7 -isForBrowser -prefsHandle 3228 -prefMapHandle 3216 -prefsLen 28036 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {644cb13f-a19f-4148-929f-efd3b1c23f18} 920 "\\.\pipe\gecko-crash-server-pipe.920" 3312 255cec83e58 tab
3⤵
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
0cffff6e312deaa9d3794f6eb1576bcc

SHA1
df81d8e28278e02a4906abe22165f15ff92aa2b1

SHA256
baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc

SHA512
e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
acdf2535417e9a9b1b67bf3379ddff08

SHA1
773a646f554bc3e892999b4850c48281536867d1

SHA256
fe1f80780f03d3f65adfe9bfd00adf865550d9e6cb45a2148df518c5fcf45bb7

SHA512
6a159e5ebf3b46337abbac61aab70fb1c4b3334a45048fd58b2e5a3f0f955f877409f93971aae1b41addf6c5ccead64b14c3bd7bd2a446c27c6b4e82b5a42c35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
ee1e292a972fed798ae1d163628ae012

SHA1
6b58d7a8acb857a21b520827bc88d3e6f03cf656

SHA256
9e40a0711c4c7f987170c8df0517fa656721a34efde7911de65e21d9c8e827e7

SHA512
a23ce4911c50d068220393797c44bac098e86d1c8f934a63c67316b65bd2880d625dfc82147f60e8b444a1d0e1e93ef06bf7286033e2ce49a7a0ed05d5d54e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json
Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1020B

MD5
b018913aed6f993ebe55ccc11a342b9a

SHA1
5455f7b40113a4254982d09bbf0006f7401ad68a

SHA256
29fb25b0151d1390508eb27e596a7fbd5c126b5eb7ae380f5fe8fcd1a9fbbc15

SHA512
e54c681a0bbedc89a0f1751acfd4de681d233cdaebe23c0997213b4291e33a24d0a29bf3a503d747b06c59f9902b9c49c733f680408efd7527569278d1b7d352

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
357b226595d83235f36595479629fe68

SHA1
655c744a7df1d0293cf0dec4f9ef594048998998

SHA256
46180e2170e3f9e2ff1ccdcbe70477fd509f63898bb19cae70d637f344c76f48

SHA512
1c9e0e7d8128fb1552e8e684ccc895519bf108410fb9c9cc6b7baa53034f53ef02e0be43b738863f49c61aacb1c10f0ab77ca0b96a6088025d15bc6591e5b154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
ce0c8a88790b35aa110903b6f9965c40

SHA1
6e8487e3927222cc078495b84b82deb66b4df45a

SHA256
d9bb1a483f669659942b9ec574bd78b1e44fcd315a899036495a4a33de8e8e09

SHA512
a8eb7b71a4fb496a6304822e6b14d90ec2d52e52beca328fc67a088f5e79907cd39718dd2e829a0f1347decdddc78006e249279176e80641022e351264d8a458

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
Filesize
1002B

MD5
22dc1d216418b6db0e5945722b300865

SHA1
6582aa49ffdd60d7a78fc3b0c2f60ec6ce31b42a

SHA256
4320ba919ebb2f0847a81d81524696e45d24c67b89118932bf55d139c3dc5230

SHA512
294c0433622fc811237d2c0c4853ae047c637c3cf8bb42d6223508d6ad1d3d911215aa6b49fa1e75b937077672ae766387048a56d5cdfe5d17aedfda54c8b2ac

Download Submit

Analysis

Sharing