hxxp://p1t[.]fun/?l=1031

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://p1t.fun/?l=1031

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	firefox.exe
Token: SeDebugPrivilege	3008	firefox.exe
Token: SeDebugPrivilege	3008	firefox.exe
Token: SeDebugPrivilege	3008	firefox.exe
Token: SeDebugPrivilege	3008	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3008	firefox.exe
3008	firefox.exe
3008	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3980 wrote to memory of 3008	3980	firefox.exe	81
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 4640	3008	firefox.exe	82
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83
PID 3008 wrote to memory of 2444	3008	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://p1t.fun/?l=1031"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://p1t.fun/?l=1031
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.0.1804291818\492398827" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca9833a7-b3a0-40e2-a008-3a6a70697c62} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1828 15ebd905d58 gpu
    3⤵
    PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.1.451363735\588747128" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2436 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3fe087e-ee13-4823-8449-66a9b72178c5} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 2476 15ea9486e58 socket
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.2.1031034603\1194673895" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70ccb2d4-393d-4804-a83c-3525fa04ff17} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 3004 15ec0742758 tab
    3⤵
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.3.68797813\1934751645" -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3568 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49edd2e4-070e-41ba-82ac-b3345783b02c} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 3668 15ec2317b58 tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.4.1232086173\875039439" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63ff2091-c195-48ae-b167-6a765f3e7b7e} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5040 15ec3ca7658 tab
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.5.762321263\1514333583" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5284 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc1017c-458f-4583-8914-f5a64315b0e6} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5296 15ec3ca6a58 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.6.829017378\2064223808" -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8446aab0-16c6-4571-83d3-8154ef8570de} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 5480 15ec3ca8858 tab
    3⤵
    PID:3540

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1380
- C:\Windows\system32\PING.EXE
  ping google.com
  2⤵
  - Runs ping.exe
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e6zhegwu.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
14bbf0c922a26adc54dfa8a5e00e194b

SHA1
0f9f57f16f002581ebe80a3fb9afa17ccc905312

SHA256
1093a0ec71a0301e07a27ff48895eebd9e33f58b25754d16a34fe417b4a65d4a

SHA512
1e67ecd74c8cc5f720b17cec5059689bb08359363a743f786744b26218875b8ba5d05562855128e620f146bb329de594de2ab7961348d066b71b75e7e98a604c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js

Filesize
7KB

MD5
e4081d1c04f1d890d48c32fa746de164

SHA1
b3f449dc3d059c297dd50e81c641f5c4fdd4ad66

SHA256
727ed0b98dafced1222d6a09b19b8dabc28ba93b6a8bcb7517f980ca8034e811

SHA512
0767c31b2ecc0c33358d29095e706654c6c319f19a7f3a1c44a9f09a655ae8fcd1f1614732b04f7f524c36284a5345ba2448ea72d4248b489a82578b12296596

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js

Filesize
6KB

MD5
ec03914c7804f221c78af8fd797cb395

SHA1
12c2e203b7e9b38e13272515ebc6568407ffa8e9

SHA256
12801f02b195ee80a37334e2b93aaae27b003ccf44deeae7021f23559b3c4e72

SHA512
ba8b070650a4a8e4bb674a85b2942ddf840d138be5435a8adc72cf7283e3cf8395459a7aa91ee7a051d14459bb8c9a890d3bf81c2e5de0fb3877334832268c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js

Filesize
7KB

MD5
c4e9bfed3496ace679581749dc4cff60

SHA1
15e6bbf2aa7b1921a91134795f5c3b4aeefd5807

SHA256
90eae6dfff907b03aefca2ee13c8b59e30dd9c34d0a2c27cb47478d6cda28e14

SHA512
1194e55e52e284d2ce661554a4c8fc831f0696be9f96d8d9070b3bbc1f8742c1a00c74854e5b6e2f27ca92b8ba44c9fda1b4437b6f63fb9f0d92e08e5f0a2b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1016B

MD5
81edfbdcb72d522d723f4d27846374e8

SHA1
3f0620aff92842cbad88a346e2347afbeff408c0

SHA256
eb54c0cd601b9c58d7fb7b861b61f7e2876b37c08b573b7a0c625faf799736cb

SHA512
16749dee873c854d427672306ef8441259697e039417f603cc1155b133e28ecb93b931d514cd95607af4406925fd109218f83ced66c9ac5c68a3567b2bf160ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
437be6fb1e9563a952c0dfaaeb6c2eeb

SHA1
60cfe572c78f64b95ab36d81eff20af510a8ebac

SHA256
8d1fb217549465478f2b42875d68db35af776da95c66bfdf2c6ad65240a6773f

SHA512
e04cc5f1612b867ae5805857d276fe1408ba07d5a66d8260a1185f40fa52092ed0599a2d55a6473fadec60b8b84a4d3fd2177ed0c548a041c5db26ba50a9d7f8

Download Submit

Resubmissions

Analysis