hxxps://tinyurl[.]com/72xhtw8j#lucerito[.]moreno-pineda@tdcj[.]texas[.]gov

Analysis

max time kernel
11s
max time network
13s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-10-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/72xhtw8j#[email protected]

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3412 firefox.exe
Token: SeDebugPrivilege 3412 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3412	firefox.exe
Token: SeDebugPrivilege	3412	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3412 firefox.exe
3412 firefox.exe
3412 firefox.exe
3412 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 1044 wrote to memory of 3412	1044	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4012	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe
PID 3412 wrote to memory of 4816	3412	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://tinyurl.com/72xhtw8j#[email protected]"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://tinyurl.com/72xhtw8j#[email protected]
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d3eb078-915d-4be7-8ff2-54359599da6d} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" gpu
3⤵
PID:4012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc4039eb-66b2-4454-862c-534a9a8927c4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" socket
3⤵
PID:4816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 2736 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d3e498-0c1f-4bed-81c0-747ae1566f41} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f338dfc-9f64-4dc7-b793-a79998f5dfdd} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:4364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be4430f2-71b3-4ea8-814e-25a67a7c7bcd} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" utility
3⤵
- Checks processor information in registry
PID:4544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f923d99-b13e-496c-85c1-eb78eaf6841a} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:1632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 4 -isForBrowser -prefsHandle 3096 -prefMapHandle 3400 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb27de4a-c7ce-4b95-84fd-f174ffac418d} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:1356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7e3996-faed-46bf-a16a-4138cce4eb46} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:1544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 6 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {188c8d81-400f-4116-827d-5e5d2b914e33} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
3⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
96a58101cd9ab3310162816057c65b58

SHA1
753e13bdde013d2f370ed2f00972f0f6212a3975

SHA256
14ef1afb5b7eedc64db3d31efb153844f38a8c00f6146d47ccff2625bcba1b71

SHA512
9897982239458a44842cc61eb2956d35d56f7f01267fd9aa7454ff9227927682d8d4e78a11e23e8713fefb69f994225c158ba336e3c13b7de23e2d3377bc9eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
13KB

MD5
a157c2c63cedbf15a05edf625c0073a0

SHA1
98575aa4fd450628c3accf736814ad00f00e1390

SHA256
fea8912f461bbf3a95b3d0bcd53e19b4c7f2557cc7854411eb94eac4c61c77fc

SHA512
d16d5c77fdca767a7ee848a34944e0023946d6110502b1261817bd050311f8cd6b343f113c19f3610cd47e6af94806e9513c04f454376f365a2450ca041050cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d110b5d6e97f4a730cfffbbcba319b17

SHA1
d2a76c8c1fe1aa42f215251c0001f40a4beeb98c

SHA256
6582824f8d7a45aa37b476788d4988c03b1ccf567345042261d365dc8571270b

SHA512
6b462e15f6e80660fe844f49b5d061a653fed807cbcce4acda04bb74fab9ff8a5d9583776225a0b4be330ae0b2e5d65d21c34eb975de8b49c74eb7b7ac432fca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ed11d93467ec0758e0b59a2b845e9099

SHA1
8696f24a51248a6a579fcdfe0bd6fd6b162410c4

SHA256
a032b78bc520054757a94a63cf12709e1b3d7d4f81bfbe64e6f626956ac7bcea

SHA512
65933df3cda14ff50d15905a337e1726082fb45ec19ace68e8a8030d827da85170b0f70b9a9608aef8c3c7cac2f4bdd7b4bebe77dab803b966e58f0e8ea194f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\2726bf9e-98a8-484a-a896-cd01224ced78

Filesize
671B

MD5
cbf694ba393b864efbadda3e7010307b

SHA1
570af509c361aad02c3c842b2cc4990f1f176284

SHA256
85e4339057f0a373f54f86a332a9f76d53e95f807640a7f83e909030706973e0

SHA512
2fb710059d0902ca8a902cd174272073a7de3fbdc60feadbd26f158ab8b9ec644b5287a66fdb616030c4f2064cdcdee2e2ece5e753051a98bf81a3cfbf88854c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\4e6ce441-0488-415d-9976-7978deef276b

Filesize
26KB

MD5
153b18cbacb02e8a99f549ce8e078594

SHA1
2770866a59f0d43117f503b00fa8806d410ab8b7

SHA256
ea4651a2c226d35adb3affce34c516d59532f7acb30a568f8b9cd76e5e514b16

SHA512
c025781d978857fd9f820591d3fc914ee1e8998c4fe312d4854970201b2fde8d4f2f2a9521a3a23ba5c8a8639af6bb97160105c0dec99f975fa0f136519dd9da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\78536be6-555f-456a-a6ac-c2eb586787fc

Filesize
982B

MD5
d0758a5bc6b64f33513dcb263ae38e88

SHA1
70aa9470260a9055362fa7864c05c98e44fdf5ad

SHA256
7fe6de854022b8448a5eddc3cfc9f90ee515d6d50d732c65e274aa4e9d98c10b

SHA512
ed6cb4bfb9d7a5e671be8c3351e3aed27bd2fc2d15bbd2fac5023630ad72314cb1e7912b6dcdf5f33cda1b6c489a4477c1f6b117736a0d90bb65962950c4fd4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
356cc2c78e5b0dee23741d658aae2b12

SHA1
a4806856ccc0755ac56bbb6d5be342d418bfcf10

SHA256
26bdbf32e338772de0a87229c3ee799d1b111a54aa7620e31a7e8f95050604e5

SHA512
882fb3f9b3df629902644a22ce7cba807970f039c12b82e8c637c78ba13b32de83edd5b5f2b34c209bcf1dacde756345429a2a55ca0ed425f88cac37841957df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
1b10db26940dc42fcb725b2ba9389499

SHA1
0c9d4004fb246d8edbd6f96f6c20a3b90fb165ec

SHA256
325f380cdb3a8144ecb6df96a77dfd1c66fb4bce1a3d509bec58f489ad50fd34

SHA512
b9c3530fee2465c21a798ed9349a41a0befc3c739200b4aca2679ca4d524adcb2199348d186fae46390256acee35d4f2b0d40354c9db7c895606236160ba57c3

Download Submit