hxxps://sc[.]link/Faqyp

Analysis

max time kernel
42s
max time network
44s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sc.link/Faqyp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 592 firefox.exe
Token: SeDebugPrivilege 592 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

592 firefox.exe
592 firefox.exe
592 firefox.exe
592 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

592 firefox.exe
592 firefox.exe
592 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

592 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	592	firefox.exe
Token: SeDebugPrivilege	592	firefox.exe

pid	process
592	firefox.exe
592	firefox.exe
592	firefox.exe
592	firefox.exe

pid	process
592	firefox.exe
592	firefox.exe
592	firefox.exe

pid	process
592	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 512 wrote to memory of 592	512	firefox.exe	firefox.exe
PID 592 wrote to memory of 2228	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 2228	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 1328	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 4448	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 4448	592	firefox.exe	firefox.exe
PID 592 wrote to memory of 4448	592	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://sc.link/Faqyp"
1⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://sc.link/Faqyp
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.0.1088591853\1407099856" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31a1a4cc-01ae-4baf-ac51-0eeb34c097f1} 592 "\\.\pipe\gecko-crash-server-pipe.592" 1780 266c29ba158 gpu
3⤵
PID:2228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.1.986699721\531799023" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f24193a-30cf-4211-98f9-04333cfb4dd3} 592 "\\.\pipe\gecko-crash-server-pipe.592" 2156 266c2905358 socket
3⤵
PID:1328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.2.1573085215\816824714" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {993cf038-832a-42a0-9c74-6ad92976993c} 592 "\\.\pipe\gecko-crash-server-pipe.592" 3096 266c67e7b58 tab
3⤵
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.3.190566783\1495809602" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3536 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49870737-3bc9-4962-9d2c-a3611c9658eb} 592 "\\.\pipe\gecko-crash-server-pipe.592" 3568 266b0365f58 tab
3⤵
PID:5064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.4.642810647\770437396" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4804 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0220b4-a6f3-47ab-872f-a648ceefc4b1} 592 "\\.\pipe\gecko-crash-server-pipe.592" 4820 266c8bca958 tab
3⤵
PID:2856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.5.689749078\1837574169" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78547d74-5952-4d92-9398-ecf89b61a4d0} 592 "\\.\pipe\gecko-crash-server-pipe.592" 4836 266c9823f58 tab
3⤵
PID:4684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.6.1547605556\859489903" -childID 5 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e1592b5-0108-479e-b383-e47f107d3296} 592 "\\.\pipe\gecko-crash-server-pipe.592" 5124 266c9822a58 tab
3⤵
PID:1544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.7.324954709\424309839" -childID 6 -isForBrowser -prefsHandle 3200 -prefMapHandle 3108 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7dc926-a32a-4f96-b3e7-931c0ef8d76a} 592 "\\.\pipe\gecko-crash-server-pipe.592" 3192 266c534c058 tab
3⤵
PID:4376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.8.192689456\753594167" -childID 7 -isForBrowser -prefsHandle 9196 -prefMapHandle 9200 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a70f5a2-4dec-46b1-ae1c-80b5ee2c43c5} 592 "\\.\pipe\gecko-crash-server-pipe.592" 9220 266cad65858 tab
3⤵
PID:3064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.9.1354203844\448158006" -parentBuildID 20221007134813 -prefsHandle 9540 -prefMapHandle 9532 -prefsLen 26689 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9adedd93-0fbf-48c1-b530-322934918db5} 592 "\\.\pipe\gecko-crash-server-pipe.592" 9560 266cad66758 rdd
3⤵
PID:428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="592.10.1427017343\863795865" -childID 8 -isForBrowser -prefsHandle 5040 -prefMapHandle 5108 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a94542e-026c-4e88-baaf-f81349d7e48a} 592 "\\.\pipe\gecko-crash-server-pipe.592" 5052 266cadaca58 tab
3⤵
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
09e1233f65a3b3916671abe4ab7359d9

SHA1
3734a730cd6d1ec10662ede7a1b6133d111752b1

SHA256
b66a894d6966696cd01ce776590287cb6e050d5115cea8744bbcde2cbfe377af

SHA512
73869d7de0586368f9a7ab3e87832f1ceb159168262ab4fd8c8048eaa35da7ac3982baa48715e5735fb9dead1e79a92ce8347d5665aff84f32a7f3e0f77b9373

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\23768978-d513-4fc6-832e-e5e1e1d0cded
Filesize
10KB

MD5
027698144ef902b6bdba68c64166b0ad

SHA1
c1c76365188e75e5fd2a56ec6ab4b8ebc7a7c115

SHA256
81fcccd90d8023e28a90a234f017e31611e72a6edd9e904a9faace8dda6c3863

SHA512
ead7fd194e1878946784770061500822605895efbc9e762140e62fe82c202a56606344edc38a176412e4847ddd052b43d8918a0d90f87332e2a2cad497e39fd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\f2e0446a-73f6-4ce1-bbc9-56459fe4eac6
Filesize
746B

MD5
301b1b611565bbd41e389173020c37ef

SHA1
077866b30333d2dc06ccdb9b9726e14cd9105bd8

SHA256
d43ecf21abe7339a6a8714e0e9e507fa89995c8bf81b4b0a62bbab57a9450c4a

SHA512
ba84c99fd4639581c42487492c856391f2bac9836caa99cab1fc02368a835606be0feedfe4d057f309a3eedddde4ec82fdd4f2cc3d904ec517c8eec0dc5bd1ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
Filesize
6KB

MD5
5570144d33583107399209e74f44232a

SHA1
3fe0aecc22f233d2807ebdf47d596ce432364d40

SHA256
ad4e1f6910b1e8191fcf7d5ab414c561f8374414be874ac2a1cd389f89cc3a8c

SHA512
3ce7a7623318629f8bb246792225b41c0474646af5b75797a8740c198187d0135dd357cef6fe53f7a77de3ac62776d3fc7d33dc3ca7693dd9e12707b13a45e9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
Filesize
6KB

MD5
b66c483a2307db307af20302328c0e71

SHA1
c93db09adfd259a29c1bf425a74c5dd3ed8daa99

SHA256
22ee98167584e272ec6c441f78b422967991ba1f2959897fe9384a8199f6c667

SHA512
fad1bc2adf607d57f980399074ce6a511541694b7a4111e5f29c489bfcd166b30136f82ba009334832d63f1646134857847107a9a0f821e9e044d5c81a7a747b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
40KB

MD5
342d4cd8b1f9e706441624484d904e61

SHA1
9dda3068697e3b523158e1572dd738358d5d534d

SHA256
2877484e72a1e366fa7b88eaa8c889f487d069b3d32c592bfbd06c7e164ab97d

SHA512
bbdd36b3ad9825780a19450b2ec0f54c71c91c6c65e2d3c3d6af80e2785defa9d6dba3398baeb4fde052509455213ea87a13b05fc4b1aadc608c8ceef32a8039

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
40KB

MD5
03793727bcce09cab350d04bed541284

SHA1
0cbd893c61829bf69310cb069e52fdc454503468

SHA256
2c52c913c6ce1e578259f6f3e8603878b638bf38321c74f513c28355e3d037dc

SHA512
65494698b8e95c3ed80c063ace2669348cb4b2b137c51f044a572896af8a1b497779c01ac0a402ca2e17edbb21fc981b65d06fa79d4c604d2d7b22d0ee66b22e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
3fce64c3cf23f070dbe67b544cebc92b

SHA1
84d5104a0aedcb8c73e2ce79598ae97d8190fb8e

SHA256
21679f659e81fa16d78fb675003b34c8cba5d361da34399b1938ab1a86e4590f

SHA512
8f99e44cbc39b256ae6087d962cdc1a31dc674ea3542eb48e55dbcd2ff8c3602ea8940373d8429036e86b2340e3d1cb267dee7bd97890c861601f212f6dde2b3

Download Submit