hxxps://youtu[.]be/uIYVSkKfFis

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youtu.be/uIYVSkKfFis

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe
Token: SeDebugPrivilege	4680	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe
4680	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4680 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 5088 wrote to memory of 4680	5088	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 3092	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe
PID 4680 wrote to memory of 248	4680	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://youtu.be/uIYVSkKfFis"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://youtu.be/uIYVSkKfFis
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1868 -prefsLen 25455 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc97a499-e8c2-4887-a20f-206442b142ba} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" gpu
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 26375 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33791237-4cf0-441d-97bf-448d38536b32} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" socket
    3⤵
    PID:248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2936 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdfacc77-d0d3-49b2-81d3-8dbadadcfe2a} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" tab
    3⤵
    PID:716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 30865 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7bfa9a0-3c94-4b1c-8aa7-b8412e28bbb9} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" tab
    3⤵
    PID:2232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 30865 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a5e81d-7af2-4e7f-95ff-e4bad5e8dfc8} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" utility
    3⤵
    - Checks processor information in registry
    PID:4508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5164 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f14e314d-b6c0-4a4c-ade4-55e98bf57e83} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" tab
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27f51e42-8452-498c-a2be-762daa18350d} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9723d810-dee9-41ed-b9a8-932d159d1d3a} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" tab
    3⤵
    PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
d4c4cc8cd2fd2eae514a7a49eddaa5ee

SHA1
3a92c381d04c87a14a4c5d2abc6c0aa8234a91df

SHA256
3f308c00f4f75cab3aaa4a73fe019678d6e4eed7606ba50c58b229ce9235cc4b

SHA512
a449adc1536e46af59c121cb689ac92d0f2b489fd14eaa65babc0a9b418414c8e36deb27053e6c2bb3d5bda5c2583221ea2fc5a20cbad8dc09b88e5b95e36ccf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6dde1e55a2a06ae696589ea23b8d8234

SHA1
51c2d6f6e043935c7eb0b61949fbda202a13a4c0

SHA256
1aa7d11ebc48946793ae0521a4222e5b83ac25f34adcce382b69514e919a9382

SHA512
60c98cc96fc5b027a058930ac1ba9ff06c3e68b5b37bbcc652fd80b42a42d7c3b3d5a4ae8b9c9e3d47b741d5abaf4529fddb33fca60ce6d6fe618879856fb71e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
86c4c032f1af71e7aa5201866849f1b0

SHA1
f5d4864174254e627dc77fc342fe09321fdb7fad

SHA256
c839b12f3f4b9d1452d6aa5e5ea3f2cf52165c166a1102c174343c8c0e13a17c

SHA512
3558a25ebb865a5f37000a98169aeb4017864133578db7be9a259429ce774b78d8ad466777fe4542525cb7e3265c7b88890d62837a520860d6e8bc0aad161c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
86c27945f4c542dfd8f7d4cdee549d89

SHA1
b1ac5312520beec0eb1e5ab880a06ae30066c982

SHA256
ecebeeb16a426575db0ad09f953a98cb5defc3f87fb37d263a6fffd59b293ab0

SHA512
fe0e35a90c69a06a1ab34bd593caf93985861e6683e212a2e7a1b991c92aaac9d5a0ade041fb9f02a732d900d154b6c4eb35385d64730df4ecc7fd43033d103a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
11KB

MD5
ac5e2a674e0960e02db0426d499210da

SHA1
671cc177a187d6eb004bdebb8e852cc97f8f9384

SHA256
f21c182ea3510ddeaa776776f8e12389e74be6ff4de8a12de239d0a211d7d074

SHA512
98dcfbd78dd21a72f5f6c97a32831c44608f370fa9a48d1d4fab120b41971666ec1d19409b134c039fe73e4f6b02930942d43eb676579053d866d48ddc43c28e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\2dee061e-3a38-4c7c-bc2e-a15ec7413ab2

Filesize
982B

MD5
9f2ef926b53fc75b7ba1435e88b002c5

SHA1
2919e8de642655cdd39c9ad5f919b7fddcefa7ba

SHA256
ff81768b2776b0a522ec0a0917b02f548079197fd938748723578201eb3f74a9

SHA512
b454d214038cbf6103ac63023b1d3288e039e920edd536bafc6174c8f7338b87e98f4ec1a85ff2cf10f12036c6f9950d9790b1c2bc63f71629b4a203b671f9bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\3090bc21-c7d5-48b0-b27b-8f3501f40d34

Filesize
25KB

MD5
f609a8d691b75f234764f89758acc7e1

SHA1
65e67ecc1ab054cc810b9ae96365e96d0cba05e2

SHA256
b47b69b7a409a7ec1626298d97453a131a2b3c1fb3e7543d7103e9fb2c2cf180

SHA512
5150fc3a10dfa6e0491ece6c76ce1ccfeb94c543097f09970e3d723bca60a5771380ec0247ea08da01ba8b14e4915efb3525272404e49d58cd21284eefc4fe75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\5a868379-daad-4096-9bfd-40bade4044ad

Filesize
671B

MD5
e01ed8dcfe10e188625b90fe8c7199c6

SHA1
e15d80f23dd9611031c5fc0fd125d51ef8fa0792

SHA256
4f6e76f43ca68acfb2b65cf739f64cc1ccbf8a99c0401e6237c566e620755e8b

SHA512
fc7fa1e8d5ce514b62cf8bde3e9f23b0fdbfac5b6e2a404f6f929254fdfc98e1c2f697763e7e6b5bfea319d16eb22091ae4ff5597b73b84ddf65f3a9b423d63f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
9KB

MD5
6d6254c971f6c78b0d1fff5c7012296b

SHA1
1df3cb82722758a92d29839fb18c9f2e47c23d68

SHA256
be6e18409fa0d97b362656c2a71d17e36e5af6d6a09387799df331229072ef66

SHA512
c5e529e49f7ae53fa97d762f74a7db196bef846e0f89f58e7a3f88d63fc0c5bb2d55285760bb7c8197da9c2fcca6d8ceae72257b1a1d9417cfc74c3c7544b2bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
6fda9711d74ed9fa48f3245c6b4f8ec0

SHA1
f4783f9fe9f732dde02920b61ea1051382e4c26d

SHA256
ea6858dfa1b4a6c6905153b421e209ef3dabee1fc22ae78073ad9f83c1570e3b

SHA512
412c0e362967496d25c89d2cdd5ba958ecb5f03a2302844c5316a755428be52621107599770f8a6b50c8673417ab411d61cd9672ca9438166cdba7995d7c8415

Download Submit