hxxp://aegis[.]adp[.]com/assets/public/filesharedownloadlink[.]html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba[.]com%2Ftip%2Fh63p44%2

Resubmissions

18-07-2023 16:59

230718-vhmwkadd2s 1

18-07-2023 16:57

230718-vf983sdc51 1

18-07-2023 16:48

230718-vbld6adb8w 1

Analysis

max time kernel
58s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	firefox.exe
Token: SeDebugPrivilege	4012	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4012	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 1532 wrote to memory of 4012	1532	firefox.exe	71
PID 4012 wrote to memory of 2872	4012	firefox.exe	85
PID 4012 wrote to memory of 2872	4012	firefox.exe	85
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 4796	4012	firefox.exe	86
PID 4012 wrote to memory of 1752	4012	firefox.exe	87
PID 4012 wrote to memory of 1752	4012	firefox.exe	87
PID 4012 wrote to memory of 1752	4012	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://aegis.adp.com/assets/public/filesharedownloadlink.html?emailId=98650167-34bf-47bf-ac49-db45423bef48&fileshareredirecturl=https%3a%2f%2flifewithabba.com%2Ftip%2Fh63p44%2
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.0.733749207\2086988480" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0305e61-2a3c-44c3-babe-19fc92dfba74} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 1980 158a55b7b58 gpu
    3⤵
    PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.1.1620744969\679004272" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 21676 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {171be220-c08b-45b8-9640-1e0617d873c5} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 2404 158a5146758 socket
    3⤵
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.2.629827248\397017899" -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3044 -prefsLen 21779 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {214bfcf3-cd03-4ed4-9c8f-88919441e53b} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 2972 158a94f6c58 tab
    3⤵
    PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.3.165971411\2026857783" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b73105-82cf-40ba-af7e-e6a7839acdc1} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 3636 158aa3a9458 tab
    3⤵
    PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.4.436835323\391313961" -childID 3 -isForBrowser -prefsHandle 4848 -prefMapHandle 4840 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e3e8ea-f5e3-4723-b343-f40190b89178} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 4828 158ab7f8b58 tab
    3⤵
    PID:1592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.6.1939710078\1164585857" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b4c47f5-08e3-4385-9a55-caedfa20f232} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5068 158abd36858 tab
    3⤵
    PID:4508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.5.1890045733\1284501371" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d68fd7-902b-48ad-b5a8-bced392dd98e} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5064 158abd36258 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.7.1531391781\1096728024" -childID 6 -isForBrowser -prefsHandle 3068 -prefMapHandle 3076 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ddefa77-b905-46bb-802d-7a427f083610} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5520 158a99e3b58 tab
    3⤵
    PID:5012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.8.355782927\1105118412" -childID 7 -isForBrowser -prefsHandle 5220 -prefMapHandle 5248 -prefsLen 26593 -prefMapSize 232645 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89cd1004-2b20-47c7-a827-fee5e5bc74a8} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 5840 158abefb558 tab
    3⤵
    PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
136KB

MD5
01f90699973c7f3ce51f01c1d2892233

SHA1
a24a5277c7ddb11757ef40213c253b625d12fa99

SHA256
f9e37e545534e51884097a5797c120df0c5a300260dfacd291c091bba7b04b2e

SHA512
f034066d6573c8f9c0b56f116fdfaf7594e9a417a5cc8a834edcc9ce8e1a6faa602f35d75400e1771b063181e987bfaf61903f83540dc25e9f10571cfbc52bb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
2ab36a15664855944d52801f2a66a9d5

SHA1
a15c52dbd3b32076365acfece0899cf81679c873

SHA256
89764ec97544d930dd6985f5b5b0c3b488d131f5ae58fddf0ac860851e047a4c

SHA512
eabf42992af710846346fca813f5afb6d5f389f7a3a8491503fc848a37f3b1193ef17aeac48765b2245782d0cdd4f2336041d1765a3503d829a9206d937d4e91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

Filesize
6KB

MD5
800fe9ee03dc51865119a7108e6e0a9a

SHA1
a3772f3f1b93bb39a0fe8e31a48474c5dc77ac28

SHA256
1e4747b8f2323b15b5809fc6843e531d63b803de629c017cb6c49cbb820a8143

SHA512
857c2231989113c1f7fac1f7371f592b473f38f4a001c4bbd44d29910089fae573f9318bd7245f9d5b646a44f8c786418b5fca8860dab440989749e9d0b958ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7d44e2d07cb5dda67ed5b4407189b9e8

SHA1
12f9ce7bf317701d928881c65cfebc1c68ae02a4

SHA256
53c5a985953fa4ddb11820fcef1b4fa1083eeafc4ee1929e9ca8a9fd5ddaf2bd

SHA512
fb4b88497df41f5f985ada77e31e8d24fd54bad3a9be8d0fc06f7efc0fa6ce989d6d4733bea1eabc2848e1b6764d433551fc7e1e0cb735cef17a34f2500325db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a2980cce990dc90ea0dac420e72d560a

SHA1
922d44ba052fdfe3e8a9410e8193334346a1cbab

SHA256
788d2d4775485f3e40c1f705a0c89b1ae85995b6cbfb811cdc42709c096946d3

SHA512
600f8f14bfb96a4d0b5e58a4c7492a9d9eb453b5d61a6e761c8148c8ae283b5da892a51db114e86424d2bc6ecb04a7e71ef947da16c6e8a12215bab7ccec2faf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
abe6a8214b13cfa6eab8aa0671d1fd47

SHA1
00e3b3e0e671cdc356366993ba3ccf3814f7722d

SHA256
b5f07f503f53df409f2e979cff82c72378b595fd26b7b87f1ca59d776f9e75ed

SHA512
46bae2754d7ae28bf71cb9ce5d31fc3e93143ec33a1ab5c841677d05a2e9a5bebe871ae8181af981c9c663e6dd21586e7f46fbdf3c4c635ac59af73c6142ac3c

Download Submit