hxxps://screamconmmunlty[.]com/get-card/friend/50

Analysis

max time kernel
1166s
max time network
1167s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://screamconmmunlty.com/get-card/friend/50

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	1892	firefox.exe
Token: SeDebugPrivilege	1892	firefox.exe
Token: SeDebugPrivilege	1892	firefox.exe
Token: SeDebugPrivilege	1892	firefox.exe
Token: SeDebugPrivilege	1892	firefox.exe
Token: SeDebugPrivilege	1892	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1892 firefox.exe
1892 firefox.exe
1892 firefox.exe
1892 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1892 firefox.exe
1892 firefox.exe
1892 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1892 firefox.exe

pid	process
1892	firefox.exe
1892	firefox.exe
1892	firefox.exe
1892	firefox.exe

pid	process
1892	firefox.exe
1892	firefox.exe
1892	firefox.exe

pid	process
1892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 4300 wrote to memory of 1892	4300	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 2464	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe
PID 1892 wrote to memory of 1496	1892	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://screamconmmunlty.com/get-card/friend/50"
1⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://screamconmmunlty.com/get-card/friend/50
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.0.623122712\267028762" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea1f2fc-f2dd-490a-85a7-5a3f5b5be3dc} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 1912 244dde15358 gpu
3⤵
PID:2464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.1.205085735\1652715262" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7ce7bd-d33f-422c-9aca-7ce9ea4cc5c4} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 2476 244d118a958 socket
3⤵
PID:1496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.2.1562453910\538637617" -childID 1 -isForBrowser -prefsHandle 2692 -prefMapHandle 2784 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b01d1bd5-df7c-402b-8490-a92a9a6ea8aa} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 3020 244e0e26b58 tab
3⤵
PID:5108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.3.863190170\1199713615" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c48a4b95-66bc-4223-9817-b6d3688a2525} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 3660 244e2aa6b58 tab
3⤵
PID:3568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.4.860474900\2108686991" -childID 3 -isForBrowser -prefsHandle 5016 -prefMapHandle 5024 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b33cdd-0b7f-47d8-8714-720985dcfe00} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 5032 244e42bc758 tab
3⤵
PID:1056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.5.1483003477\1843292459" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28d6342c-548d-439d-8b9f-752e139c112e} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 5160 244e42bd658 tab
3⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1892.6.1457620410\1000812315" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 5368 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a8ff239-f5eb-4773-91b0-9cd63ff46dcc} 1892 "\\.\pipe\gecko-crash-server-pipe.1892" 5356 244e42be558 tab
3⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
f33d0293458297765678060a6f9570e9

SHA1
a9708b66b5ca1f630e8231ddd1243180ee9ce558

SHA256
37d96e1688364945372f90a0558cb8709c69d45577deb110c05d650d51fd0d01

SHA512
7c5ce9c3a75bd7989eeae1d3472a02a28dcc7f5dffbe94c7c3565ee79dc10bfce9a1d66025a992da641b7d880a00cc68eb7320da2bc3e09997bbe1c74aab7ee3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2
Filesize
15KB

MD5
0f2e155c981cf3fb182847f3142870df

SHA1
94c794d38ef38d38b207588663a8587e15e05be8

SHA256
202c8c584f0aaf9ae513092e7ee96dc802447da00723c51d94b9fa70709cbaba

SHA512
35a8b718b598e9a57d5feb406f93fa5e85e3d8922c79c01e51c0db994a4e55fb20215b45acdf91d9afb544fe2cd6197a72275340e3b0f0459dc3f2203d174862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
ef02b3cc90ab6d0f36ff68a00df42309

SHA1
fc7942ff63ef86e910e2c7a21cec7384d29df737

SHA256
2f7b2c0cafe0fb8493123efb8b42ba177a819be5650faec16ee3680d7dda05e0

SHA512
f18cc1ee07f3e24a02ac829964be686fceecfe7a79968a1d25e31bd01210e5977089cec1ef4ec38a90b2417d20ab9e4fd595cd8d804ef7bde22ed2397b3c5ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\bookmarkbackups\bookmarks-2024-06-15_11_sEInrcbjNuQU78LVjPjgjw==.jsonlz4
Filesize
997B

MD5
438e9000da555630c15edc578fc888c3

SHA1
bd773d897b3740a635cc9b5769c53ea2b4bc8fd1

SHA256
bf7e59f07dcb198444cb7c15c5ebceab10b0153cd4878019df4b8196edc36909

SHA512
632de477ff13d808ccf79c194de42c47114fa4fd2dc0b695efaabccf2d4deb575e23bf20b04e94b7437d9538b8dcbd8b63b3e57503ed5e2e3c9a7f1c54088ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\broadcast-listeners.json
Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
8KB

MD5
05978fd4dab84dffb904731baffd9aff

SHA1
cd88415c1d54620aad781e8dd4f1662223fe3bfb

SHA256
a2356e3d14c4c5be8417345891d68ba4b79d283650bd3fba603ddea64841d4e5

SHA512
aa1829403f3ddd33018764f3dc612dd54d9fa6e30de565d29278d88881a7c3e1235a145d56e04316152ed3dd4db6937f35f73962109e7ad6fd1ec0e02c2ef5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
49f9bffa28cdaeeafa15150eb331c511

SHA1
16958bad346f089dad9f25f9101eb3cdc369ea4e

SHA256
5f1dbeb79194f3720e995444e64a095e8ab6529223c94a70e16c5484450db697

SHA512
887af63bc3e98702fe57b4c46b43b8e74b46993970c37ae214c75e30bdec29807448d29b4fcc520787fa6d4e8be26e562548a69e61344fddb8cb836ee0c039d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1019B

MD5
8ce4bbad45c550b288c02ca89b94c133

SHA1
6360999bcfa0b27e5a867b7f6870483ac56a322c

SHA256
3f79a6383661eb0996b2666ac6bf115dced58afc113242a48e3e74ab69634cff

SHA512
5d9ab1b673bcd8e67b0649595e8b42d5bc5cd7bfbb9b010e49f35a83e4f471730cfe660eb040fb9b65459bccd0f70e902843fd131ba2b6b822b3053aa0cb18e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d00d378003cedccb557e55bec63c62ba

SHA1
03393ca1788d5c1b3e3b350a00aaac624e0869fb

SHA256
a9e78c82432f46ac14d20423f467261c0cea0bf5168f690cf2ca6da0f9cc3da1

SHA512
0b2439d847c51981a02114f8eb4cb7da69d8ac80d696d7916459e12f65a68877327fd6cde1a1df1bd887df9d36135aebc3ff626159be4c38d1593253b9f37412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\targeting.snapshot.json
Filesize
4KB

MD5
98fbf0ef8f20d0cc93313982c73ab2ed

SHA1
d3f4fb9232951e0ddb97734f8ed9635d2b654860

SHA256
0804a9beb8666e3fa8f309cb439810ba42c9814ef353991a9339210f8c906c82

SHA512
c5d3a7b781ec1e752f24ac5231d9657b3438c4be0f6e66955c222c6b61a3d3b23e67a21037a49e8df65a9847ccba26561c003bf68b1a79a793f825705afb962b

Download Submit