hxxp://xvideos[.]com

Analysis

max time kernel
132s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://xvideos.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1744 firefox.exe
Token: SeDebugPrivilege 1744 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1744 firefox.exe
1744 firefox.exe
1744 firefox.exe
1744 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1744 firefox.exe
1744 firefox.exe
1744 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe

pid	process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe

pid	process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1744	2056	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2752	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2752	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2752	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 2848	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 1868	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 1868	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 1868	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 1868	1744	firefox.exe	firefox.exe
PID 1744 wrote to memory of 1868	1744	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://xvideos.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://xvideos.com
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.0.295960495\341609759" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b689df79-b8c2-424d-8722-2c3eced01905} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1332 f5d6e58 gpu
3⤵
PID:2752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.1.1302999699\313660122" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17873adb-31e9-4f38-be2d-97cf9c534d0b} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1528 f2eb558 socket
3⤵
PID:2848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.2.1521719722\2041759181" -childID 1 -isForBrowser -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96866e6f-4671-489f-8603-ed6b7dfb1239} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2320 19ec0558 tab
3⤵
PID:1868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.3.1506163924\1077649199" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24327de0-483f-4a6c-8e3d-57a674148be9} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2896 1d38e258 tab
3⤵
PID:656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.4.1145917707\1422464620" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3400 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d04f854-9051-4183-b7d7-b4f8a742df95} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3640 1b0c2658 tab
3⤵
PID:292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.5.243791586\1263924171" -childID 4 -isForBrowser -prefsHandle 3740 -prefMapHandle 3744 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58653427-8ecf-4d63-a6d7-0e675173a776} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3728 1e9aba58 tab
3⤵
PID:2020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.6.855374179\1048262914" -childID 5 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62fca3dd-63d2-4cc4-b7a1-51f89754f093} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3912 1e9ac058 tab
3⤵
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
ba1983ced140bb935b24bdd131bd42bc

SHA1
3562856d15d8041297a5b39e41a7c726fc173341

SHA256
796d3b26c81197d1b19aaff9bbdfd37e92d7e103bec556c624a63d1eb42e01d3

SHA512
7cfff5bd4e8604dd671bbd96533a4c9529de52a2c385da24c5b535c0f1ceae462aa35daca83b02ff515138b743c581ad2fae9297be65676e321926a6067a24eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\db\data.safe.bin
Filesize
9KB

MD5
725c5ac9b16f03bfb07cf6adb1c09d85

SHA1
b62bfe8f6aba8884b757db5488c82b9f5e6f6279

SHA256
e77eb8d24cb77c8f2f663b0e60c94b37f99994c63a30884e00ad10003090b82d

SHA512
09bdf4f1b72fe0de4e51ba48bb858dfe47ef541d722b7bdc5cb86c97b402d731caf20f7d715d7a7465c7c58abcdbe6f422a17295d72f8b3d797f9dad8fac18e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\datareporting\glean\pending_pings\9e3d6787-eff1-4f25-8825-46ce0ce6cddf
Filesize
733B

MD5
4eebaf92632700c8f78748e4720cde1a

SHA1
283c6dab8db41b2397ca2d54661cda86080b2984

SHA256
333494fd879ee1405db4f46e010777847a499e2e3184ca09f5b1aab1a4dad75e

SHA512
12feb6af7e0edb2540801f81e501dc825956e29166b6ee38da1ec33fad91c6c56726a8e61304bed456a08715829fc52341f8a8175f90d86c2329456e0935a423

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs-1.js
Filesize
6KB

MD5
364d39a4599b6cdbdc1e316b165f88e2

SHA1
bec361ed796d20dc4d5c066c71b22bf2f89edc69

SHA256
d9a8a7b9463dea8e7d690cffccb01fda3bf0dcd09da4df1f35c95127112bb591

SHA512
01f9f0d5200bda7ca6b094864cc4ef89f533d8f6eefb16e21ea527bbfa9df7d06233559918bc53d29e84fa9ffb368adfe22952ba61d688b3c81f031a9d38f63a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs-1.js
Filesize
7KB

MD5
211e822c52ccf3ead2ab8f733fcd87c3

SHA1
36073d7b31d880504dd2889545eb61a7c798904c

SHA256
5eed6f244fc11d78d4d0f4a849867e88362c1fa3afec71c5cb5856f02ee5cf19

SHA512
2c50d2f23493ad27bb019aacfcd1d9fa275803cb9fb5dfe7eeeddfcb55f852c697a5ef54e50161c7402519c5ba4f8fd3a6dde827e9fa06199084a6bab721a622

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
930B

MD5
d3c0692cd0638e2ac8467ffbd528d059

SHA1
ffd86d25279565541619a8fe38211a915335a161

SHA256
adc04f0590bff77cccc4c88c0a0164db655b0cfceb708faf55b7e5231e18119a

SHA512
46efec7cda06c379d2f9fd4352c1d84eaa747dd8ac45a91cfac75b28d578f7e96893d15652970d76c56ff677130809ab42865d500206e3ab8770e3373071f588

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
5733d8a5d3774cd121597e2fa4c626d7

SHA1
a90a4ee028db87237ac61e7caf966500d142d77f

SHA256
ff3a4870265725936f1d68ad2d60becc0abd45a7ff28eb7a68a92f7a7f230fd1

SHA512
2787b074ca29589fe7a26ca1ce3e07eb75c46c8eb742a9c0e4ed210e51e3cd3ce93f3b30f94260f2f63ffe8edcb89dedd003b450a1d2683e2f29ab0212b83aed

Download Submit