Analysis
max time kernel: 1717s
max time network: 1726s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 17:10
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ
Resource: win10v2004-20240508-en
General
Target: https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ
Malware Config
Signatures
Legitimate website abused for phishing (1 TTPs, 2 IoCs)
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
Modifies registry class (1 IoCs)
Processes: firefox.exe
  description  ioc                                                                                     process
  Key created  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings  firefox.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: firefox.exe
  description              pid   process
  Token: SeDebugPrivilege  1332  firefox.exe  (6 events)
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: firefox.exe
  pid   process
  1332  firefox.exe  (4 events)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: firefox.exe
  pid   process
  1332  firefox.exe  (3 events)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: firefox.exe
  pid   process
  1332  firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: firefox.exe, firefox.exe
  description                                                        events
  PID 1644 (firefox.exe) wrote to memory of PID 1332 (firefox.exe)   11
  PID 1332 (firefox.exe) wrote to memory of PID 4912 (firefox.exe)   43
  PID 1332 (firefox.exe) wrote to memory of PID 904 (firefox.exe)    10
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1644, level 1)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ"
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1332, level 2)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4912, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.0.933478509\988451151" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72d0610-0bbc-4a5b-bc74-ce6ec5ce2268} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1908 21e475b6058 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 904, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.1.17376753\547702505" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9050e5e-8c5e-4a8d-b41d-8c21b943026f} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2492 21e33288058 socket
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1520, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.2.1885153895\877317870" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7873d20-3bb4-4376-8e5b-98c6ebba3ec5} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3024 21e4a314f58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3408, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.3.1760773706\1833795906" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {899e6825-c7ed-4b3e-95a2-44d33cc2bc14} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3672 21e4bfe0d58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2768, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.4.1121478776\1988297350" -childID 3 -isForBrowser -prefsHandle 5072 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6dcec3-1fc0-4b1c-93c8-1c49a0835706} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5060 21e4ddb3e58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1460, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.5.13048580\1919925001" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ff75e4-41f9-4f84-af08-6e07274cc630} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5160 21e4ddb6e58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1560, level 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.6.1047265835\1549683447" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe31125-d35e-4786-b897-49841946312a} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5352 21e4ddb5958 tab
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp (Filesize 26KB)
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2 (Filesize 16KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (Filesize 5KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\bookmarkbackups\bookmarks-2024-06-13_11_6FbckyJm0QBdgL38IDXwrg==.jsonlz4 (Filesize 1010B)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\broadcast-listeners.json (Filesize 204B)
- (Filesize 8KB)
- (Filesize 7KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionCheckpoints.json (Filesize 90B)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4 (Filesize 1019B)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4 (Filesize 1KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\targeting.snapshot.json (Filesize 4KB)