Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2023, 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml
- Resource: win10v2004-20221111-en
General
- Target: Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml
- Size: 506KB
- MD5: 79d1f34e89466ea020de7701038b1235
- SHA1: 37442643cb290c354fda0c7abb4edbbeb68ea844
- SHA256: 38848e4c271c75bcdea254774e94a5e0806104235fe85920c4b160c510780ce6
- SHA512: 8de63fc5b68163159638add687698b239054477e4bf39d94566f26edcaf5bef21415c6b52a15ed75a6b7c183530df0b6a94840617d00f4eba3ea85e6adb7be7c
- SSDEEP: 6144:kyFP2/eReiIvwyJQusiqJ2OJVEy6fMRiVHXKvk2yKoS3CmlPT5j2Td7a45:+e1IvW2JMGXQIKosCqATx5
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Modifies registry class (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | OpenWith.exe
- NTFS ADS (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml:OECustomProperty | cmd.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4724 | OpenWith.exe
  4688 | OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4540 | firefox.exe (x5)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  4540 | firefox.exe (x4)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  4540 | firefox.exe (x3)
- Suspicious use of SetWindowsHookEx (44 IoCs)
  pid | Process
  4724 | OpenWith.exe (x23)
  4540 | firefox.exe (x4)
  4688 | OpenWith.exe (x17)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4724 wrote to memory of 4928 | 4724 | OpenWith.exe | 90 (x2)
  PID 4928 wrote to memory of 4540 | 4928 | firefox.exe | 92 (x9)
  PID 4540 wrote to memory of 1860 | 4540 | firefox.exe | 93 (x2)
  PID 4540 wrote to memory of 3984 | 4540 | firefox.exe | 94 (x43)
  PID 4540 wrote to memory of 1356 | 4540 | firefox.exe | 96 (x8)
Processes (indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml"
  PID: 3920
  - Modifies registry class
  - NTFS ADS
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4724
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml"
    PID: 4928
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -url "C:\Users\Admin\AppData\Local\Temp\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml"
      PID: 4540
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.0.760369522\1775547516" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 1 -prefMapSize 219944 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 1784 gpu
        PID: 1860
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.3.1731499059\1746198738" -childID 1 -isForBrowser -prefsHandle 1476 -prefMapHandle 2472 -prefsLen 112 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2476 tab
        PID: 3984
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.13.1242151463\645739756" -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3772 -prefsLen 1602 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 3856 tab
        PID: 1356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.20.1419494547\498966275" -childID 3 -isForBrowser -prefsHandle 4108 -prefMapHandle 4116 -prefsLen 7599 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4124 tab
        PID: 4088
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2252
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4688
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml
    PID: 1200
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml
  Filesize: 506KB
  MD5: 79d1f34e89466ea020de7701038b1235
  SHA1: 37442643cb290c354fda0c7abb4edbbeb68ea844
  SHA256: 38848e4c271c75bcdea254774e94a5e0806104235fe85920c4b160c510780ce6
  SHA512: 8de63fc5b68163159638add687698b239054477e4bf39d94566f26edcaf5bef21415c6b52a15ed75a6b7c183530df0b6a94840617d00f4eba3ea85e6adb7be7c
- C:\Users\Admin\Downloads\Fwd- [Nexdigm] Payment - Invoice #IM33-1753-S3-1 Pay Remittance for 2023-02-01, 04-53.eml
  Filesize: 506KB
  MD5: 79d1f34e89466ea020de7701038b1235
  SHA1: 37442643cb290c354fda0c7abb4edbbeb68ea844
  SHA256: 38848e4c271c75bcdea254774e94a5e0806104235fe85920c4b160c510780ce6
  SHA512: 8de63fc5b68163159638add687698b239054477e4bf39d94566f26edcaf5bef21415c6b52a15ed75a6b7c183530df0b6a94840617d00f4eba3ea85e6adb7be7c