hxxps://aka[.]ms/AAb9ysg

General

Target

https://aka.ms/AAb9ysg

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1520 firefox.exe
Token: SeDebugPrivilege 1520 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1520 firefox.exe
1520 firefox.exe
1520 firefox.exe
1520 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1520 firefox.exe
1520 firefox.exe
1520 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1520 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	1520	firefox.exe
Token: SeDebugPrivilege	1520	firefox.exe

pid	process
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe

pid	process
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe

pid	process
1520	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1084 wrote to memory of 1520	1084	firefox.exe	firefox.exe
PID 1520 wrote to memory of 1140	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 1140	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2616	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2980	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2980	1520	firefox.exe	firefox.exe
PID 1520 wrote to memory of 2980	1520	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://aka.ms/AAb9ysg
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://aka.ms/AAb9ysg
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.1956446822\1424148802" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab69eebb-cc68-4057-90a2-10a83a9848c1} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1928 15b96519258 gpu
3⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.1.285238781\859693714" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b03c2ed-de7a-47f8-842d-fe3a8c38a842} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2424 15b88572b58 socket
3⤵
PID:2616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.2.746485034\1190369770" -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3060 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dcc96b-4b29-4244-b404-46d015668a65} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3196 15b9920ab58 tab
3⤵
PID:2980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.1151619000\954464994" -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc97191-dda1-40b7-9816-61509aff489c} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3972 15b88562b58 tab
3⤵
PID:3636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.4.832036198\1139344908" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4636 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ed57651-9b44-48d9-b4d1-b80a95db65bf} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4968 15b9b288858 tab
3⤵
PID:2968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.6.880784610\237673121" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6e82b5-cbe6-46b1-ba70-7f67318b582f} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5196 15b9b28b558 tab
3⤵
PID:4928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.5.1859246749\58430650" -childID 4 -isForBrowser -prefsHandle 4572 -prefMapHandle 4624 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18045d33-d7e1-4c90-a913-b702058ba906} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4684 15b9b28ac58 tab
3⤵
PID:1696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.7.769762826\828342185" -childID 6 -isForBrowser -prefsHandle 3268 -prefMapHandle 3380 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1520 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aade054a-fb0d-43de-ab08-1f2cc349e101} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3188 15b9c96d058 tab
3⤵
PID:4276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
141KB

MD5
7133ebda83d2bb5b9211e1cfbca539fd

SHA1
7eac5f00170f21205b3c1ee5e4de7bad0e204b5d

SHA256
c089f1c68c250b32abbdcc24f6b32e9c41bd54aeb86d4181872c3da5cfc72057

SHA512
c1ec9277e79d69a77d99690b63a209b48f075267595b77f7fa2d3d3fde5feb5a0754003395f885f45d59623edb227366fcb8c7c3cd5886b4a089ffd8f91bad87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs-1.js
Filesize
6KB

MD5
184ab67085bdb6bc7433589ac5f9978b

SHA1
5ad8fb83653f84e15602f7f64481de79b5980e7b

SHA256
f1e3c8f196cdb58ad5f68c4ae74e60e798b9a01e7d08603efcacb47efba0ca4d

SHA512
40677b6237c18f260f3c48c68b713ed8b333cd9c79714d8a2c113198daa4911823e8c5d29e3a8774528207932f8c7acbc6fbe54dc6c108112f75b365a2f89f2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i5yk3ps6.default-release\prefs.js
Filesize
6KB

MD5
207077fed406e49d74fa19116d2712aa

SHA1
3ce60cb9b4fbd6b00a9ae26c599b9fdbe2b6c5ee

SHA256
b02701ad3c4478f891a550eac65f0a8c183999aa22a1dd171bd698b990124c58

SHA512
0c6398230b3eb103a0ce280f127515d998a6c9ea8908b8b248b132782f8166141ba8e1faabc7ace4b80e9c925bc5d7885f0fba8c16cb2e7798055727dc66190e

Download Submit

Analysis

Sharing