hxxps://paste[.]ee/d/PFErN

General

Target

https://paste.ee/d/PFErN

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1616 firefox.exe
Token: SeDebugPrivilege 1616 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1616 firefox.exe
1616 firefox.exe
1616 firefox.exe
1616 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1616 firefox.exe
1616 firefox.exe
1616 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1616	firefox.exe
Token: SeDebugPrivilege	1616	firefox.exe

pid	process
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe

pid	process
1616	firefox.exe
1616	firefox.exe
1616	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 2108 wrote to memory of 1616	2108	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2116	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2116	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2116	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2620	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2956	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2956	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2956	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2956	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 2956	1616	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://paste.ee/d/PFErN"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://paste.ee/d/PFErN
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.0.133653329\1444998453" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1268 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9db75ef-36ca-44a3-a39c-7054ca574ef7} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1340 110d1a58 gpu
3⤵
PID:2116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.1.319570298\713563198" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {473a3a5a-66f5-49c3-9f88-6a4bef64268f} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1556 11003258 socket
3⤵
PID:2620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.2.597576622\390618526" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b97717d-3f1e-4cf4-9183-438f5f207867} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2084 1105d458 tab
3⤵
PID:2956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.3.682193676\2061619652" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {713b53f6-7360-4cb9-b72f-4d1f54dde3a5} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2912 d61c58 tab
3⤵
PID:628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.4.2049617872\326425803" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c11fa9d-9bb9-4ff8-af54-008cda992e1f} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3676 1b90bf58 tab
3⤵
PID:1736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.5.349915349\882654309" -childID 4 -isForBrowser -prefsHandle 3676 -prefMapHandle 3680 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91977f0c-258c-485d-b411-fb36f713e64b} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3796 1d437658 tab
3⤵
PID:1328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.6.1989124613\1894481993" -childID 5 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18abde53-911e-40a6-a2a3-bf05748248e1} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3944 1ec1a758 tab
3⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
f06e15a668700b14d2eeb998b49ead3a

SHA1
4853a4ef3b08c4718cc7f04167d140ae8b20483c

SHA256
f39c6e5f6d94404c5908cfe5bc7cd9a1451ff220f494e05fc38f008504e525ef

SHA512
ab869622eede4f049ac26b906b22b26abf796264450e347b36dbef0a6a6f13aafb845571e3b5f6d21b31ff639a4be80da43bc35c990338bc8334b34dee93c22d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\5517db6b-8317-4cea-86f4-f9e0945fe84e
Filesize
745B

MD5
0028f48a702a1b181e0e7d104ead4917

SHA1
10a3ae27eb62279cd1c32b83b89117f39dc3c0ce

SHA256
23e9158da60061e445206fed6930a3614a180a408df51862d3b29c077d022da5

SHA512
e1b8b9f8cbe03a95ccd1ec4ab629744e70f06668bc58eaa1de8d3cacbecaf470ec797602325df386aa388761264011f5d76797635ae455a8fbf1d0c23173dd4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\f39ce4e1-4086-4154-be85-d0399e094857
Filesize
11KB

MD5
1b95903055996edb4a5f1559212ffd00

SHA1
630c6327e079ebe78fc614096daed117b7741051

SHA256
a11ebbd11ec5bf7ca0d1d432c41ee54094c3fbd1e985f3a1a8cb26de4306ccae

SHA512
01468aa89a0622abf90c14c6721d14f0af2b582a5a48d5188283a583dc269d229ff36e61017c500daa99d71257329b18a13ca40eef69335597eed21ea2ba08e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js
Filesize
7KB

MD5
7c71d6ed1a4ab519570e2ece6a70605f

SHA1
248d3d316ae604114837033a104df82a0b8e6133

SHA256
6a5a6d4992aebe0e4a916db21c2ffbaa20c6d58f38fd1468e2c7273d8df3192d

SHA512
a84e1a79653c00128c2f539ee91ba9184b2b87373a4cc930395cc0cf39e93212692004e2cfe7da1d4d6371cdabdb39919c1814eb09b094aa5224e449cb576acb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js
Filesize
6KB

MD5
c4679842ae837d25f202293846fee4ac

SHA1
7ab16c71d9ed914851c5b11aff3c94b888fd3211

SHA256
fc7fb4ed52e2bc240ceb36c8a67c9cd57f5a1af353ec2b09db5eb62c4dc3539b

SHA512
84396448bdd292cf53d4ac7567c2b2e7690c0aac3dc859375e8dd945717c4ac0a541cb31a2d99fa263a77226d098770f4b26628349836274f4ac507fb4255a1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
933B

MD5
4826c447bb0468e934582f548da409e3

SHA1
bc45aa1e56471330c011afabd5148c47a809c066

SHA256
bedfcb3e7800429ec7c480b5672273dd487eba42b5d9e7def7059480bc0e077f

SHA512
91035e446b306ef5bad954be6fe8013d2f00bd5a0efae2878bf3bfba5af7b04fa7f5e01a777b9af84b983bfce62918291e4657dd4ff8237d263fa59d25e0c5e3

Download Submit

Analysis

Sharing