Analysis

  • max time kernel
    280s
  • max time network
    306s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2022, 08:23

General

  • Target

    RFSL_6617.html

  • Size

    952KB

  • MD5

    82f42fb8a5089ec93b62bbd6f6ce01c9

  • SHA1

    25808c912e26461e234dd786f345525cb8914134

  • SHA256

    b0729f86a27d429bbd1d10ce633b43ca2c60de8f0a59ed9f48517caab1d7a080

  • SHA512

    3c1a65b96c895c896afc68a3175d318e593bc18bf78d9edff7b9a2dc1e96d78169cb677010b4f63931c5da9e71213d020563b3091407b490f92a2d6ecdafc54b

  • SSDEEP

    12288:Yva4lvoWCJju7lEAd55XjTuwYyo0OR3MkrQ6zIzkVAY/gH34LEp4NKWIhN:x4loORBd55XvCSOukBzVVAYC4R4XD

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\RFSL_6617.html
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\RFSL_6617.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1928.0.59840206\1745075707" -parentBuildID 20200403170909 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1928 "\\.\pipe\gecko-crash-server-pipe.1928" 1284 gpu
        3⤵
        PID:836
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1928.3.147666309\778506035" -childID 1 -isForBrowser -prefsHandle 1712 -prefMapHandle 1736 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1928 "\\.\pipe\gecko-crash-server-pipe.1928" 1780 tab
        3⤵
        PID:1904
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1928.13.1395749770\1554816753" -childID 2 -isForBrowser -prefsHandle 2360 -prefMapHandle 2352 -prefsLen 941 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1928 "\\.\pipe\gecko-crash-server-pipe.1928" 2432 tab
        3⤵
        PID:1948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1928.20.530360019\104882677" -childID 3 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 7643 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1928 "\\.\pipe\gecko-crash-server-pipe.1928" 2908 tab
        3⤵
        PID:764
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\" -spe -an -ai#7zMap17691:82:7zEvent3087
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2752
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x454
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2828
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\attachment\RFSL#6278\" -spe -an -ai#7zMap25168:102:7zEvent18192
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2912
  • C:\Windows\System32\isoburn.exe
    "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Downloads\attachment\RFSL#6278.iso"
    1⤵
    PID:584
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\attachment\RFSL#6278\japonica\disfiguration.dat
    1⤵
    • Modifies registry class
    PID:1984
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\Downloads\attachment\RFSL#6278\japonica\obstructiveness.cmd" "
    1⤵
    • Loads dropped DLL
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\win.com
      C:\Users\Admin\AppData\Local\Temp\win.com japonica\disfiguration.dat
      2⤵
      • Executes dropped EXE
      PID:2396

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\win.com
    Filesize: 19KB
    MD5: 59bce9f07985f8a4204f4d6554cff708
    SHA1: 645c424974fbe5fe7a04cac73f1c23c96e1570b8
    SHA256: ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57
    SHA512: 3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

  • C:\Users\Admin\Downloads\attachment.zip
    Filesize: 464KB
    MD5: c8b142ad218b3171b573c62101421f24
    SHA1: 81f37397697363eadf9381897642c17ba9350198
    SHA256: f6d8b8d91b63cda9a208f6469d119364c2759440092abced8367a0a1bbdcf305
    SHA512: cd262781801d9b21e073e9862d6cce3a9da80e565102e7dd01329f165411abc37c8ba2b394659cdfe4d9b0ae69c7be1c5c2ac49bdc069b2998c886ceb0279a98

  • C:\Users\Admin\Downloads\attachment\RFSL#6278.iso
    Filesize: 1006KB
    MD5: 857770d5d6923a48ef2480e97dd759d5
    SHA1: ef3b4dd7aa5b848981a5c965f7b70aae05cdee97
    SHA256: 5863df411680d0a70476ca533455b5b89f6c7f4701549ff4f55256fa3774b47a
    SHA512: e4cd3e56822a205b8fc6a7d5ece4c620989e27ef243e29a9e3829b5dd6059e09fc43d218c0e831407eab13f1d1e4cc42acbdf02b619d289a81556b7012b125c3

  • C:\Users\Admin\Downloads\attachment\RFSL#6278\japonica\obstructiveness.cmd
    Filesize: 302B
    MD5: 5ee7f52c044174f597fedd6ba809011d
    SHA1: ff10430328192e6f2d5e15928b543b8336f27dcd
    SHA256: 698c74eae553cf270815c5b0fa596c1d1e1446afd40a9ffbff2b6a65b0948e6a
    SHA512: 99fef418f42119e7e8502dab692cd9fa96da2b594ca7d69f7db1b05cf2b81d894a53d359313eae03dadd9cc6d2adb68c22d5f6f9dd7e4c4a5c855544d43cce4b

  • \Users\Admin\AppData\Local\Temp\win.com
    Filesize: 19KB
    MD5: 59bce9f07985f8a4204f4d6554cff708
    SHA1: 645c424974fbe5fe7a04cac73f1c23c96e1570b8
    SHA256: ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57
    SHA512: 3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

  • memory/2752-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
    Filesize: 8KB