Analysis

  • max time kernel
    1717s
  • max time network
    1726s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 17:10

General

  • Target

    https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ

Score
6/10

Malware Config

Signatures

  • Legitimate website abused for phishing 1 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://qrco.de/bf9aBI?okX=x5jMsWH70JvqLyQ
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.0.933478509\988451151" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72d0610-0bbc-4a5b-bc74-ce6ec5ce2268} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1908 21e475b6058 gpu
        3⤵
          PID:4912
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.1.17376753\547702505" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9050e5e-8c5e-4a8d-b41d-8c21b943026f} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2492 21e33288058 socket
          3⤵
            PID:904
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.2.1885153895\877317870" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7873d20-3bb4-4376-8e5b-98c6ebba3ec5} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3024 21e4a314f58 tab
            3⤵
              PID:1520
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.3.1760773706\1833795906" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {899e6825-c7ed-4b3e-95a2-44d33cc2bc14} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3672 21e4bfe0d58 tab
              3⤵
                PID:3408
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.4.1121478776\1988297350" -childID 3 -isForBrowser -prefsHandle 5072 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6dcec3-1fc0-4b1c-93c8-1c49a0835706} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5060 21e4ddb3e58 tab
                3⤵
                  PID:2768
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.5.13048580\1919925001" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ff75e4-41f9-4f84-af08-6e07274cc630} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5160 21e4ddb6e58 tab
                  3⤵
                    PID:1460
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.6.1047265835\1549683447" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe31125-d35e-4786-b897-49841946312a} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 5352 21e4ddb5958 tab
                    3⤵
                      PID:1560

Network

MITRE ATT&CK Enterprise v15


Downloads
