hxxp://p1t[.]fun/?l=1031

max time kernel
36s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/06/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://p1t.fun/?l=1031

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1492	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	firefox.exe
Token: SeDebugPrivilege	2816	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2816	firefox.exe
2816	firefox.exe
2816	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 1844 wrote to memory of 2816	1844	firefox.exe	79
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4712	2816	firefox.exe	80
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81
PID 2816 wrote to memory of 4600	2816	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://p1t.fun/?l=1031"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://p1t.fun/?l=1031
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.0.2039723293\471042582" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1812 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99e5dcff-a237-4580-bf53-57643ef6231e} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 1936 2a9fc72e458 gpu
    3⤵
    PID:4712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.1.1706170462\356302609" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43455b7a-e0a7-4e96-bf09-f7bd93f4c034} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2436 2a9e8589c58 socket
    3⤵
    PID:4600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.2.984504110\1709919436" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8bb8b46-9dc5-46cd-a5c4-68ba4ca420d7} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 3128 2a9ff536458 tab
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.3.1722690276\1811000786" -childID 2 -isForBrowser -prefsHandle 2984 -prefMapHandle 3252 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6512633f-1621-47a5-9b72-ab748b380c7a} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 2872 2aa01076758 tab
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.4.1464540496\1177829059" -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 5048 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f758164-9d6c-49a0-a073-940d36f4fa8a} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 5064 2aa03e05f58 tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.5.1439237714\1478073389" -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9c8a45b-ab14-43b7-802b-84e4b0d810fd} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 5192 2aa0385d258 tab
    3⤵
    PID:1920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2816.6.157147177\1109635884" -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5404 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 972 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a191441-c774-4671-a5a6-81cea45e2ef6} 2816 "\\.\pipe\gecko-crash-server-pipe.2816" 5448 2aa0385de58 tab
    3⤵
    PID:2668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1880
- C:\Windows\system32\PING.EXE
  ping gooooooooooooooooole.com
  2⤵
  - Runs ping.exe
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qt190sk.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
c4ee7425d28ecba26ef1754fa985ccae

SHA1
da9faecf82562a990d321d1c420dd887686fab8a

SHA256
84c0cf9f79b10b154db9f453459bb6fb95c7e504718df0f13173a4b1352998d6

SHA512
df0c88cd0471e45d4bbea14848c1446b79f7b58ca557a96f27e2b1f031ba9d2c1e500e7fa7748346c1d638cd465496fe278a1096226c3f85404b33153924ed03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js

Filesize
7KB

MD5
f1f2f6650dac0683c186e7dd6989ce73

SHA1
b04aa8542f4f18e07fd2edf06d6964d8f8ec1775

SHA256
3fa1856fa47db0aa61e8739253a14d8e9271204c7be934edf4739293d7030200

SHA512
30cfcdfa45b9100f20f4f92d83d77e1135cc4cb854889c11ca19473310d71057eb45400db748cd332f3108fb708a4afc12b4d6ce239fcd5125fa8d486ad20354

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1019B

MD5
8d4907f5ac7459afcd0f058a6b3344be

SHA1
fb4d14d9709b9ba197d0997dca73b4fa8c5f821b

SHA256
8f023d77c6a0b0b86491d8abdfce4b3860607bdd09beb9a6d5bd4b7cd0529eaa

SHA512
f4b210d67cbee94b388fce51feeccc06ccd7b838abe1c2dac6dafb24b31a9e7a8449a8e8d33130b35562b750d6d0c602e901aa5a6b5bacc2cc12c8839cd9e44f

Download Submit

Resubmissions

Analysis