hxxp://a7d70[.]invesmig[.]com

Analysis

max time kernel
89s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://a7d70.invesmig.com

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 2096 firefox.exe
Token: SeDebugPrivilege 2096 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2096 firefox.exe
2096 firefox.exe
2096 firefox.exe
2096 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2096 firefox.exe
2096 firefox.exe
2096 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2096	firefox.exe
Token: SeDebugPrivilege	2096	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

firefox.exe

pid	process
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2652 wrote to memory of 2096	2652	firefox.exe	firefox.exe
PID 2096 wrote to memory of 2932	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 2932	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4740	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4280	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4280	2096	firefox.exe	firefox.exe
PID 2096 wrote to memory of 4280	2096	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://a7d70.invesmig.com
1⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://a7d70.invesmig.com
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.0.370396787\405682089" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f74dc027-7233-4423-bb60-f8e25ed0c224} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 1940 23dde3e9e58 gpu
3⤵
PID:2932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.1.1872019445\2018314152" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21628 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97b1a717-bea5-4be4-977c-dbbbd00ba4c3} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 2440 23dd1472b58 socket
3⤵
PID:4740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.2.1654443089\1623494189" -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 21711 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed3322ae-5043-42af-b048-2da06527f9d5} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 3240 23de22df758 tab
3⤵
PID:4280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.3.1960049871\410684545" -childID 2 -isForBrowser -prefsHandle 4092 -prefMapHandle 4088 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b95c8c88-cb44-4ccb-880e-77ee946bd0f7} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 4104 23de0caf558 tab
3⤵
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.5.1860838760\1117202886" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35f3fc47-ceea-4d6a-bef3-2065e07f667d} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 4872 23de4a6eb58 tab
3⤵
PID:4480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.6.950222940\1966399424" -childID 5 -isForBrowser -prefsHandle 4868 -prefMapHandle 4860 -prefsLen 26754 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {674bdfe3-188d-47b0-9a10-b93d485f8834} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 4996 23de4a6bb58 tab
3⤵
PID:872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.4.542458750\1745203610" -childID 3 -isForBrowser -prefsHandle 4764 -prefMapHandle 4720 -prefsLen 26579 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79a9c344-6f39-4481-b6a6-30d1cb1f220d} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 4756 23de428d158 tab
3⤵
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.7.1600254684\1914625356" -childID 6 -isForBrowser -prefsHandle 5296 -prefMapHandle 5448 -prefsLen 26754 -prefMapSize 232645 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85096df6-22cf-4ccf-bee9-4dfa7a655d3c} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 4804 23de40cad58 tab
3⤵
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
Filesize
144KB

MD5
310134f1f06323577fb707871eb15f86

SHA1
ba6f8718a3e48d4128c8c78987b17701a9c43dfb

SHA256
78d7244d1dddc50aa21dc43974727db1d88d711a9a065ecdc2d44675872a6b18

SHA512
266a11c73aef72df95c835b5c1a25d35c8340a6490b76b4bce9a0073f3720c4b777532f5391e44c861bd28f58b2f9f49b773de389b900ca33909d4426c03d711

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
aee1fc3dd8e58a568de43ce80a794c45

SHA1
0bf5bb83d76b24baa35dbc4dca2650dc3b851420

SHA256
8d43533b395bdf75f9d777e4a88adc8b9d001041d1325c9cd5ce8a61a62c1b6b

SHA512
5dafcd5c0105f288ca3e75443faf03398df725c46027916f3d87072308df793e55d5073450a5ced9b0f835789c76504014f86ed1adec15a382f2547f4f8da8c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
50476a37407e7ce516ca0ca4d40c09a1

SHA1
4e6f6daa2454a159247e2d7d5736aee67e8106b6

SHA256
96826f39b7af059bc99f754237b46781edc417056fe33478b78c16170792a670

SHA512
10148c59b12bcf4f712258ecad081f4abf0ff2daffcd1cb82d827da8e320757c79b57e3073c5dd1da3a9af079dd8d47e113792c736be3974e6a6c68d3ef89969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
5af8fc415f617b339c6f70319fb2e194

SHA1
91e3e69bd70a869d69cff02b09b09de7a97a759c

SHA256
f444c7e3a0fb5488074a8a8001fb214f1221289618872acfb48dcf059b80ee8e

SHA512
5b046aca4489c5f879db8fdb415a97615d3301f129b609dcdf989ad0ffc7f03eab082582797d294cf4b733a25448f3b21d5062847cea7d618431c1ce6abfd33a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
6KB

MD5
0e7a8aa365e2ee032b393eeb0f61c77d

SHA1
aea074546aad6b17ca8d5cd92a569e8dfef2894f

SHA256
462bfe05b8fdb7ffbac575d9f7df6cea712dde1a136030c61701175babd88aba

SHA512
1f1b0c1ab9483df0641210e762130e80ccb4db067ed13a325a7de4397fd7f3897d210463591984622cde4fcc356de5700ea56e7578b565662eb70acef6dc159e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
Filesize
7KB

MD5
0deec089530e8f303154174ed923ae59

SHA1
d0c781dc02081b8efa2fa932c0bbf0fe32a5b32e

SHA256
c64703755e05a619dc2c904a4db7fad55e87ca0b4fd72799e5693e2d79778760

SHA512
df955c8d5c97d97441aaaac73d60651c49fe4898c91912bf554a03df5adfe31749a7f0cc3f32d2d8a47f3a0abc1fba524f5f4b0206cf42dbc47feb8d7122c1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
eaeb2157014cf5138db91d91da17eb86

SHA1
bc47a848c65b93b9bc0b25928c5dacb5f54143ab

SHA256
03c5a2db8c5c957dc20eb9a789c80ba5974de29f40adab70b4d793ffa6001f1d

SHA512
829b0d08bc56c87fc6d24766beb3b76cdf5ac84e92d75ce01b2450a8cf352f1cf2d9117fa0f652330b766d00a047c2a91780d1dd907b8f69fa6935925dee007a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
54a9697484d56c372ea1c114d4c9c07d

SHA1
147229fef491fca6c07878cf73514302975ce2f4

SHA256
4a272829874ba056398031b9207ac05f4b36941ce5f6a7aa39e9afab25a8b620

SHA512
099c64385693ea97c926288dbd12f5bf1cb74a5427935f1304e2eb30a0bd69cffb4be83eca0548498366ac2812a64110318f6e6f182b28267487f42d28c5b822

Download Submit