Resubmissions

18/07/2023, 16:59

230718-vhmwkadd2s 1

18/07/2023, 16:57

230718-vf983sdc51 1

18/07/2023, 16:48

230718-vbld6adb8w 1

Analysis

  • max time kernel
    58s
  • max time network
    57s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18/07/2023, 16:57

General

  • Target

    http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2
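
The submitted URL carries a second, percent-encoded URL in its fileshareredirecturl parameter, and the Network section of this report records nothing about what aegis.adp.com does with it. The script below is an added triage aid, not part of the report or of any analysis tool: it decodes that parameter offline, names the host inside it, flags that the host differs from the landing host, and reports that the recorded value ends in a broken escape ("%2"), so the decoded path is incomplete rather than guessed at. It also unwraps double-encoded values, which goes beyond this sample. The parameter name is taken from the URL itself; that the site honours it as a redirect destination is an assumption the report does not confirm.

```python
import re
from urllib.parse import unquote, urlsplit

# Target URL copied from the report above. Its trailing "%2" is an incomplete
# percent-escape: the recorded URL is cut off there, so the decoded path is
# also incomplete and is reported as such rather than completed.
TARGET = (
    "http://aegis.adp.com/assets/public/filesharedownloadlink.html"
    "?emailId=98650167-34bf-47bf-ac49-db45423bef48"
    "&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2"
)

# A "%" not followed by two hex digits is a broken (truncated or malformed)
# escape sequence.
_BROKEN_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing.

    Double encoding ("%253a" -> "%3a" -> ":") is a common way to slip a
    redirect target past a filter that decodes only once, so decode in a
    bounded loop and inspect the final form.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_redirect(url, param="fileshareredirecturl"):
    """Pull PARAM out of URL and describe the nested URL it carries.

    Works on the raw query string (not parse_qs) so that truncated escapes
    are detected before decoding hides them. Nothing here touches the
    network. The parameter name comes from the report's URL; that it names
    a redirect destination is an assumption made for triage.
    """
    outer = urlsplit(url)
    landing_host = (outer.hostname or "").lower()
    result = {
        "landing_host": landing_host,
        "redirect_url": None,
        "redirect_host": None,
        "scheme": None,
        "external": False,
        "truncated": False,
    }

    raw = None
    for pair in outer.query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == param:
            raw = value
            break
    if raw is None:
        return result

    decoded = _decode_fully(raw)
    inner = urlsplit(decoded)
    redirect_host = (inner.hostname or "").lower() or None

    result["redirect_url"] = decoded
    result["redirect_host"] = redirect_host
    result["scheme"] = inner.scheme or None
    # A bare path ("/download/x") stays on the landing host; anything that
    # resolves to a different host is an off-site redirect.
    result["external"] = redirect_host is not None and redirect_host != landing_host
    result["truncated"] = _BROKEN_ESCAPE.search(raw) is not None
    return result


if __name__ == "__main__":
    for key, value in analyse_redirect(TARGET).items():
        print(f"{key:14} {value}")
```

For the URL in this report the function returns landing_host aegis.adp.com, redirect_host lifewithabba.com, external True and truncated True; a relative value such as /download/x yields no redirect host and external False.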

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.0.1847842708\1480538905" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41923538-709e-40a3-a083-ed4b745b6e9e} 668 "\\.\pipe\gecko-crash-server-pipe.668" 1764 1d72ed0a558 gpu
        3⤵
        PID:4752
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.1.331553776\582921987" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e14753-9868-4b9a-ac5b-c873efd1d11b} 668 "\\.\pipe\gecko-crash-server-pipe.668" 2140 1d71b874e58 socket
        3⤵
        PID:4696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.2.2125357780\196918537" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2640 -prefsLen 21835 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79c6a13-3046-4626-a725-caa48eecc07e} 668 "\\.\pipe\gecko-crash-server-pipe.668" 2852 1d731f7c658 tab
        3⤵
        PID:2268
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.3.998534613\615872064" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 3432 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6ae8e04-6b90-4335-96d7-040bcc210707} 668 "\\.\pipe\gecko-crash-server-pipe.668" 3000 1d71b864e58 tab
        3⤵
        PID:5096
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.4.286488984\7562440" -childID 3 -isForBrowser -prefsHandle 4644 -prefMapHandle 4632 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e374adb-f7b5-49d0-a233-e17e622490c0} 668 "\\.\pipe\gecko-crash-server-pipe.668" 4652 1d7344df658 tab
        3⤵
        PID:1700
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.6.1216621755\1684700986" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4668 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3664059-3fb4-42ba-81af-d3c63d84b714} 668 "\\.\pipe\gecko-crash-server-pipe.668" 4960 1d7344ee958 tab
        3⤵
        PID:3548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.5.1807110626\1609248896" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4588 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaef3bec-4a94-4066-8d13-0d4fa7ca4ab2} 668 "\\.\pipe\gecko-crash-server-pipe.668" 4784 1d7344ed158 tab
        3⤵
        PID:4964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.7.1691572418\1464843400" -childID 6 -isForBrowser -prefsHandle 3100 -prefMapHandle 3108 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b686980f-09c9-411b-ae1f-24d26be189ea} 668 "\\.\pipe\gecko-crash-server-pipe.668" 3088 1d7317a9958 tab
        3⤵
        PID:324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="668.8.872820029\1420936530" -childID 7 -isForBrowser -prefsHandle 5376 -prefMapHandle 5428 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38245bb8-b9b3-44c9-8f90-a0310120a897} 668 "\\.\pipe\gecko-crash-server-pipe.668" 4696 1d735b47758 tab
        3⤵
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\activity-stream.discovery_stream.json.tmp
    Filesize  136KB
    MD5       a23739917320c07195bcdd9e859cbc2e
    SHA1      a35489cd443a3b883535f75cc6e3f780c591e6b4
    SHA256    4e7a7767dc8066be5e7b85af1997667c8c2126a876acf5ee63a94c11c885a57b
    SHA512    c81739491b655c62cb6c625b102de20144e3b9467eb176001e4d2f2194bf3a92bb0871501f4faaeddb57d43a6b9347c9a9b726df2c6894819a26d18d6e3b47b5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js
    Filesize  7KB
    MD5       98a5502c5297645741aaa94b03fd44e0
    SHA1      9a40a94a89d1a1d8e6c0d77a33e0d44d0f675900
    SHA256    a877b855203d6b264fa5303faca21d4ceed9deb7f01190fa2ee811b7a4454eb8
    SHA512    3e59d7af0cc1150dde49265ba5b36885b3c049c5940d85fded936391f488dfb8cd659c21e38025fd0922eef3a92dfbd37443466f3b51641ebea33806f8ce5f66

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js
    Filesize  6KB
    MD5       61cce0c4629fa4fe1e241440930738bd
    SHA1      db658cde6bf1a1d7cbe7407fcb3f5fa395da2711
    SHA256    707451a1d72900115851bd4159562d970cf5683b5f1ed00b815fe726e2409c02
    SHA512    696acaa7d52e1be26d4fb016d435b0b7f6f8f0899d2991d83d255672bfb420be2d95def4891ed4e57372c8c8e44d54d600c41b5bef5a648df401f0bcad0eed22

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  2KB
    MD5       6873497a0904ae52db7abe05456a5317
    SHA1      163854516836f71e4d700f254901ad04b27fda3c
    SHA256    6461dcfb1a02458209c6fcacee106d48ae840dcb6665c71bb068176160f9deeb
    SHA512    4eb8beae31dd441109ac31e67b221902758c6496d39eaf8d859206a022bb467ce3f28bfdb4261727b94bc2bdeba5d4abd131831adfa6b8698cb3244228c0180a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  5KB
    MD5       b0001a6dab637433d465283ba1e503d4
    SHA1      4fbe46aa757ce71aba90f29a7896cd7aa6e20e35
    SHA256    d2471c11b8378f8cdde720ea54c55290ff063d26c4510537bb58685c2feaa540
    SHA512    14374cd6d5e0acb68b07a45beba85463e1b65734194babd7aac1a8bd023755df40228cc00f4cc4093ea2c62d43f1c607167c61eecde8b9d26e7a6a04d3cbfde1