32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864

General

Target

ngrok-DO-NOT-USE.html
Size

146B
MD5

9fe3cb2b7313dc79bb477bc8fde184a7
SHA1

4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256

32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512

c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3332 firefox.exe
Token: SeDebugPrivilege 3332 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3332	firefox.exe
Token: SeDebugPrivilege	3332	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe
3332	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3332 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 1036 wrote to memory of 3332	1036	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 4048	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe
PID 3332 wrote to memory of 2868	3332	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\ngrok-DO-NOT-USE.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\ngrok-DO-NOT-USE.html
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1824 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da42d9f-da50-4486-97ad-926ed9380489} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" gpu
3⤵
PID:4048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c579977-6e35-4a0a-887c-f617cb48d1ca} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" socket
3⤵
PID:2868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2728 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 26747 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb54dc69-fc72-4066-9173-bf450485202f} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" tab
3⤵
PID:2536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3568 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c249b0c-3b6c-41ff-8fc2-2e81b390bf2f} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" tab
3⤵
PID:5056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4352 -prefMapHandle 4460 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69bc9ae9-75ed-4113-9863-940210293572} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" utility
3⤵
- Checks processor information in registry
PID:4808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4845547c-69c4-4894-9d8d-64d3aad8e0c4} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" tab
3⤵
PID:676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63c56a6c-e84b-4661-9812-36caf8c99632} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" tab
3⤵
PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07ffde28-6399-4009-af6c-599dd45d65af} 3332 "\\.\pipe\gecko-crash-server-pipe.3332" tab
3⤵
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c64ea0d8c9c8ae6f70de8253a89aacbe

SHA1
1e356dd66f50bc8f2ceb426bfc1e3393a61ff1d0

SHA256
73357e9078d11969634f12d22cb4ea319fdeb2dfaf03970b0ae53f826800fa8d

SHA512
7116be619bb8516d40ccf9cf2182e40e3abd0a08b630be4a3c01311911ba1b15c0a463b50767779b323f3c111ce020e510ce05a41f95eb8e0153acf1f722fdba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
90e255f2d44836f6da7d14b7f12f27cf

SHA1
03aea0a23f2a468bc198d66c9570bae1a3e967e6

SHA256
99aa3cec2417b34c9d1a5fe69d6b3cc19134efa6be20541df0eba673bd8767ab

SHA512
02c49dfd09deea782413b16b2309e7e07975024a02bc1a9971e79548f64a116f5ce7e344b1f913e6df98b6224fce480b9033ff3a6b9a57aba5269ab77c56b7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c3f301685207cb51a664ab50e1450264

SHA1
1c7e2ad875067c5720d7167060c3b5a80137d144

SHA256
267cd49860484ad7c239d6926f0e84be4009a7e983b6510a38efb3039b56359f

SHA512
fa4360a031cc2645dff36361ae6ec89ed596f88848a8e02acdae75d62baa2b8f9574016676170c91e24a73ca71f815984c3deaf34e3c8e6e78b0880eb8c878c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\2cf7790a-6826-4d5a-80f8-315e37df6d41

Filesize
671B

MD5
55f61a0dc045157051304a80575e8bdd

SHA1
107f9710dd603f6662f786645c07f9bfd7055cd0

SHA256
9169be4676d3c107f433462008d53eaafca1dc031b57878129613d08601d369c

SHA512
1c603c43857a2bab0728ad576dcec8f8f762834117dd87300487169895d1f5463f8a5651c6f68b0865a5dc6c5d8988e3e8c80e1c0ace12f7b6c839939e2a35b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\497d4a85-2f32-486e-b920-76a055c3f826

Filesize
982B

MD5
f232a45984b6aaf58691b1da87353402

SHA1
1e15002611d3dc402976105b3ae87974de94dcd0

SHA256
efb2b64736089e84ee3f035eb28ff48c0e075387a0624a7ee805220e4fcc6c35

SHA512
b4888d601a320c4d12381b59a52bde4971983ff9cc78c0c9fa00e7a79f99de13c5cbc4f3f2161909ab2c15d19b3d14d9a0729b636baa2805dd66dbe35c741d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\6d524d22-d90b-4c64-98b6-7716f154eb7d

Filesize
26KB

MD5
7a7e0fb667021ccb4ae47eef5ab57997

SHA1
8502759171bfd3bbd0bbdf24c8163aeb36a01191

SHA256
f5a09929d4c9a6566c3fc58052dcba219f30c406450754c7204fbd0fed430e2e

SHA512
fd40194acc79eea90d93fd3fbca5922b608317a2d087a99db7b456daba85037295d48feebcaddd2636f741ba6aa3e00b4e95edf4ffee942b76fc7a010abb2357

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads