hxxps://crypto-o[.]click/K1XP8K

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crypto-o.click/K1XP8K

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	3496	firefox.exe
Token: SeDebugPrivilege	3496	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3496 firefox.exe
3496 firefox.exe
3496 firefox.exe
3496 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3496 firefox.exe
3496 firefox.exe
3496 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3496 firefox.exe

pid	process
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe

pid	process
3496	firefox.exe
3496	firefox.exe
3496	firefox.exe

pid	process
3496	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 3496	3128	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 2988	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe
PID 3496 wrote to memory of 4332	3496	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://crypto-o.click/K1XP8K"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://crypto-o.click/K1XP8K
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.0.1668775006\1809259181" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {562b2b99-5487-4084-a353-2dc13feb01ea} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 1904 269fa20ef58 gpu
3⤵
PID:2988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.1.1796500499\1079760133" -parentBuildID 20230214051806 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad8394c7-cc38-48cb-a40e-3de379c940b4} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 2492 269e5e8a258 socket
3⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.2.373113035\286747712" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1012 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b21994ed-c095-457d-906e-61fc18e3b783} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 3020 269fd049558 tab
3⤵
PID:1272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.3.1737955799\2127633727" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1012 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1b9008-40a0-4170-9bc7-9e56fc20b2b2} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 3388 269e5e7ae58 tab
3⤵
PID:1768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.4.1678619013\695694386" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1012 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6433ee9-7f84-4d9f-80b6-7e2b34cfc83f} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5116 26a005c1058 tab
3⤵
PID:1800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.5.2100933783\930438521" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5172 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1012 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24129024-a7bb-4ef1-8069-ec48121e1ba7} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5200 26a005c1c58 tab
3⤵
PID:5068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.6.664483559\66847031" -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1012 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a1588f9-8906-4d44-9099-63f4eefe505e} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5376 26a005c2b58 tab
3⤵
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
c45f9b87048b27f79081276c1aba5607

SHA1
9da122a5c3684397b4df2e463355cdf5871058de

SHA256
d2be91532e7e2e69cfd917121635501d47947409957f7ff0c1289cbdd386f82a

SHA512
74eb423e90dffc2ea0e3eda8761ddb134e6289741996b943a8d4b1dafe80c55962a1a9a3728ed9232bac860172bad0375e823bcce760e796c847b3697da08247

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
fb15c18236b113d436a793c157416a47

SHA1
8d89d159e1eb868fdad6275c84caf93ea8bf678b

SHA256
6506ed1653503f2aa0c717a065e856158c34a1c161a15d43ab35238791f5717d

SHA512
1ce9063b5cb526fcbef694af8070d2cf60acd96c7a9713fc63c82d3c7b34961443dfedd5e7a083fe3e6492a51c130a33e46a9ca293e65934dbd154e7519c58de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js
Filesize
7KB

MD5
7089a59581960decd9522fde361074ca

SHA1
64f037c0f4df8ae6945f2ef70901271c8faaa4f8

SHA256
3b8be9f6d7380e635d7623e73e581eb2c994ed4c34d8baa831cf39e514bd53f6

SHA512
d7c207be8c60087e7789523f8063a88ecfad70f206a4c8aeb82d192fda79b13ff8eb98730ab8c00ed3c810a7a97747c3ead2f854c4d0612a43b56a161a3f1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js
Filesize
6KB

MD5
416336177a20ecc1d8c0c55d0ee77610

SHA1
6dcbceeb6f89c95f4c8d0b3e8e0e7f1c2a92485e

SHA256
6e4126c8fc3bc3d599bb104b091b42b8883db6e76d2c45335e4b66dfe1e58d11

SHA512
cd44c14df6bbe2c0ce21881ec38acfc2868479db2db27acb9eece8ba07034324265208db450053794ecfd4504e05320a88f20455a6b43674fcd5e54f513ea535

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1017B

MD5
86ef57ddd143ca4043413f9781e07e69

SHA1
bb08687dc83222330c1b0deb7e5cff7b4537d5af

SHA256
d789dc1a860e274e7f0451cbcf515d7cdd5b47423ec99f5c3cf2dec69ed7f027

SHA512
d396fb02c02c789c379062009af22defe937609d8c8477837c2640097ce8238cfeb2ee17b87882cedf32c7e7f3ce37a5fb04d4d849b5bbbb92ed8ac245ad9de0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f85e9fc896434e0e5371c157f596e5f6

SHA1
8c8a332d25505b230bc0290ce99ab4da4dccd705

SHA256
19cbd0081880894f4eea6ae012add7a65b6bd4e0380aad79893d03818f701f18

SHA512
5bf7d1d8198dddc7b948a6ae9cb6989879fb8b6c904bb97b70383b1cb30b68c610043fb1521c48a00c167f63e5cf0d463cc07ffe47097d6ba7d105bbaaa25b12

Download Submit