hxxps://crypto-o[.]click/K1XP8K

Analysis

max time kernel
132s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crypto-o.click/K1XP8K

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1900 firefox.exe
Token: SeDebugPrivilege 1900 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1900 firefox.exe
1900 firefox.exe
1900 firefox.exe
1900 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1900 firefox.exe
1900 firefox.exe
1900 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1900	firefox.exe
Token: SeDebugPrivilege	1900	firefox.exe

pid	process
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe

pid	process
1900	firefox.exe
1900	firefox.exe
1900	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1616 wrote to memory of 1900	1616	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2716	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2716	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2716	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 2772	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 848	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 848	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 848	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 848	1900	firefox.exe	firefox.exe
PID 1900 wrote to memory of 848	1900	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://crypto-o.click/K1XP8K"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://crypto-o.click/K1XP8K
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.0.1257023047\2111128015" -parentBuildID 20221007134813 -prefsHandle 1200 -prefMapHandle 1148 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {874c64b3-dc6a-4958-87c3-167542f6331f} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1276 10fdb858 gpu
3⤵
PID:2716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.1.1518501247\1831466914" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72ec2215-36ca-4c55-ac9d-f82888a2e15a} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1492 40da858 socket
3⤵
PID:2772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.2.1059674455\601811799" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11925338-ad67-4059-b82c-52929954ff7c} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2100 1adb5058 tab
3⤵
PID:848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.3.172944760\1442243492" -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6a1e04a-d4f5-4d07-8de4-1d4f2365cd86} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2892 1d2ed558 tab
3⤵
PID:1544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.4.1373679356\540533391" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3664 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24d9315f-14b1-4bb0-ad12-7e3acffb59e8} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3680 1c6cd858 tab
3⤵
PID:988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.5.1010409293\340225850" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df6f3ff1-76b8-4dd8-af93-5176b02f33ef} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3768 1c6ce158 tab
3⤵
PID:3044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.6.1581115603\862002361" -childID 5 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94f046ab-0ef0-482f-ba8b-825b3bc95c41} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3944 1c6d0558 tab
3⤵
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uu0g08su.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
aae26dd5e9c118295af4c100903f76c0

SHA1
916cdbd3e66f67dde4d687e86a9fbf3bc6bc3094

SHA256
ac3c2e89c599cca0c1cdd9ef23b5a92a0311bb74f413ee9170bb58fb3d598408

SHA512
75d669a943fe2092c0b10bf9cca1ff4b924d6e7df5536f4c24908e2e2f9986249e28b4decfee13e5429ada844315918972eed8b79b54ebe3071034d21d8a7c57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
32addd090f226017d740e69083e94ca3

SHA1
66ab1f1c04a2ed567596aa652aacb8726702b4ac

SHA256
c6555f74e53f98a7b86743a187cefb48bceb5d13eabb20d0498babda51990a70

SHA512
01d36e427d0babb65b7f8466aed109ca41bc6c7f9af5bed5733f7a34271d79be0e86043f188b3072515da34c2950e15f7cc9cceb7542d8f8adaf332de6890ba1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\b843fd24-9531-4d70-9969-0478383e5f73
Filesize
11KB

MD5
44f699769fd5925b6fe61f77cb748737

SHA1
5e0cdbeb9716b60f1b84c7e5eaf08fab31e170b0

SHA256
f35b4e582ed57da58b85fc23b040a369103be09672c9f8e664568c3256920c98

SHA512
a595f167314bb0e3feb2f0b28a93c7559923b60b932efe8704e90546036edc749fb7c8b0eb19e29c141e64e0fbae1c5e4325af648877d8fc21a055bff45e8b13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\d8936e53-1c42-4e80-aa2f-5ca5ddbd7dd2
Filesize
745B

MD5
e6ba441d5525ec5322e3573ee9e5228f

SHA1
a6fabf1c6dd8047acfad6fe031cdca7ba2cf004a

SHA256
8fa4e7ef96cc91cca65867d0a9ebaeb73006aee8804a2f11ae861eba9b42ea6d

SHA512
d3b500c11aa02c7f2ca5687a7e04aa7cc2b049843b68c79a14af4adc9aa0e7c8a2e0c7c20c146205b0264782e7fb0057f1485e8dbccaed45d1990bf05401d3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js
Filesize
6KB

MD5
f58cfebc12934664f5c23922e8b37d74

SHA1
e2e5cca41960d81ac6743f275d4051db94ed3a03

SHA256
fb73c647cf5b3608c2ab0ac487655abf61b16e3e8aae6c1307c7373166aa4048

SHA512
0dfd1cf30319e958e9273154c714225d469d8128f1fe3ee5cfa4dec4c4bb9998b2de448ab57da0db56ae2c1ec20d9876e58f63c6866ba0bf52ca9e107eef5d14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js
Filesize
7KB

MD5
747562e9de8772a0dd6550624b28d779

SHA1
788493f6138f5d8ba4e0df0ba9136e2d1b59dbf7

SHA256
57874dc1036182804926bfe66d27b7cd228804689b500286028ee309df951c40

SHA512
815fd261d7f92f80c3d4c117092387091816a63b11cf99e81e3ca30496de934a6d4e8357b3ef789fa9230906fa27a9ed3a809ff438ad19b224ffe0e4fd9624fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
ad566e734800c761f36cd16362b046f3

SHA1
300dcb6b058a7344c41d1172db0471fecd2ff8b2

SHA256
f49755f522a9c2ee76946c46ac92b2fea9400e62f4be08fc47222ae19c04fa2d

SHA512
a2354b2fee7a1a7709c2b317ac9e036800514ec998d96e13b4a85bb0f5fe028d9c67aa440837e25b7f1ecf8bcbe39b6acc2711674a96cefa4d351db511c2b3e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
935B

MD5
d227450c037bb4a95342dafeddf2ce7a

SHA1
1b428d34a0f4d5da9488e307351309fb07d6c9eb

SHA256
a5b5e93ff4d35a771d40ef01c3bdce729d27608b3a230475007d8a733b8fa43c

SHA512
06ac077b49e72b8c2de5d80386ed7bcca901f5c67e09941ed2f9695ce6b8eed1d2681efa0866d7b46d8c96254e4a8665709fd5f2be25fa2118cd90c542959bfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e09281b75da564329bf04a422d3cac6a

SHA1
4e82cb256252980e632d20e79016955b334a0049

SHA256
64a7cf192ce8fd1785a8c8a315b9a1f6a8ccff04f00d1cd9fc20edd667677dce

SHA512
6e69a1e58ccef8b774bce218d29a989f8165317f3fbdb692fc0d162073d5ea8a7386f0ec5d06907918c8b18766459b252155264e3220775de42e52c9ca1c3c87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a980b2aaad8a459d0972bcb293de2efc

SHA1
fe8a89b34672fc6f71df2e3de1a7614ff9c2ef8e

SHA256
1b5e1b1aa3ab343893738d158e167a6dd9e0c94a30d5192c305225c92f6f5b61

SHA512
4c4f8e52aff8e4f2176fbba7b03cd111999ce629b34f088bf25e1b5d5f810ee8e45f2563d46d6a5535caa13a855bf96fbd1f0b1316d027d9ec82a385cbecab62

Download Submit