Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
02/03/2023, 17:19
230302-vv9k4adh98 602/03/2023, 17:10
230302-vp7vbade4v 602/03/2023, 17:07
230302-vnbeqade3w 6Analysis
-
max time kernel
39s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
02/03/2023, 17:19
General
-
Target
https://drive.google.com/file/d/1h4mL-IQWi6fxy7Lbw1urXpi8N9L1P15m/view
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1h4mL-IQWi6fxy7Lbw1urXpi8N9L1P15m/view1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.0.17289273\2112154523" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ebe689d-a9bd-48df-8ad8-05944e60e256} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 1924 237f65eb258 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.1.850465961\182125445" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ccbf693-dd5f-4257-b7c3-c2b2a653cfd3} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 2316 237e9675558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.2.2102563094\1109730953" -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 20996 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8afda37d-2056-445d-aa76-5e33ff0859cf} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3092 237fa2da158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.3.962573251\2003866675" -childID 2 -isForBrowser -prefsHandle 2932 -prefMapHandle 3304 -prefsLen 21037 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caf2158d-6490-4d8a-9859-ff4ac2c70ba2} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3064 237f961f058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.4.1523891460\69098935" -childID 3 -isForBrowser -prefsHandle 3560 -prefMapHandle 3564 -prefsLen 21037 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db2b2b70-bed4-4b70-bfb5-dfade2627221} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3284 237f97e5f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.5.1344705485\1253375433" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 3776 -prefsLen 21037 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abf0d4c5-8c81-409e-9ff4-6595a771428b} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3636 237f9bcbe58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.6.1892191151\1542279339" -childID 5 -isForBrowser -prefsHandle 4808 -prefMapHandle 4804 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb086fdc-1f29-4a8c-a9e6-58f32c0cc588} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 4816 237fa2b3558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.7.562141211\158499602" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2e2c92-9646-4f52-92dc-1051a0cc7d2c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5300 237fad38d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.8.1608753921\1197935315" -childID 7 -isForBrowser -prefsHandle 5396 -prefMapHandle 5308 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6128bf0-24b9-49b7-8119-cd81ec190e4a} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5404 237fad3a558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.9.1629522664\257455181" -childID 8 -isForBrowser -prefsHandle 6012 -prefMapHandle 3468 -prefsLen 27093 -prefMapSize 232645 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd441a1d-f950-4e47-b824-4656d89f41cd} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 6020 237eb6b0158 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap24236:108:7zEvent176511⤵
-
C:\Users\Admin\Downloads\Areena Riverside Resort\advertising plan.scr"C:\Users\Admin\Downloads\Areena Riverside Resort\advertising plan.scr" /S1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Areena Riverside Resort\advertising plan.txt1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
Filesize
1021B
MD5f958209a0ffb84803b57b90f80966133
SHA19d4c1e32b60e884287829e7722f608fe39b74453
SHA25635619add7e6aa245a763c8bdd65fbfc02bc3fbe450c5c833c6e81e768a6ad7e7
SHA512065022a445183ed83f61dea10bd39f75ddc5ff57216a4e92e22aa584a502853ffa02969569df4ed67868cd3b712be87162fa6fb974838666d1b4af37695dd69f
-
Filesize
70KB
MD57c5be8bd74fa69afcbf7d14bfa057a19
SHA1167cced15add6eaada7a1e677bde55208a1608d2
SHA2561cc44005ab735a11fccc1f38e4a6937a355a50ae0c7ab1e9bae9d9f7ca726c05
SHA512e979100027ad447422fbd9a707cb5072ef7fe523bf00159a0f48d6ad0b12a838591bdaf2cd64f3a25aab1d1afb288bf4908033ac64d67336b8e1867c9401dd13
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
831B
MD5916c9bcccf19525ad9d3cd1514008746
SHA19ccce6978d2417927b5150ffaac22f907ff27b6e
SHA256358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50
SHA512b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00
-
Filesize
141KB
MD5718887c994c5546e394b76cd33c5b3b1
SHA13b3bc49bee4c955c4dfb83f41b88b5fe0a0866f7
SHA256ac02e2e4bf00ffe3f21f903dca4083fa754e18daac562d401d4e477ee70f6cd2
SHA512b21838dab9094a636a67b761d37d2a5f37ee2bb62b7f3793ddab5f74886f6e791e18f99185a7e310d78b3fedb61b52ef51a5a517caee6304013b0d4a47836747
-
Filesize
6KB
MD5837327b594eec3314d13bc0f2148f523
SHA146152177ab4d4c054add393e3c10526cc791b88b
SHA2568db8141584eb4c6017eb522540ffffea852bc10d7dcc247bc8a2025c4156ad87
SHA51204605ae32586c9d623f60a8cfb4924e5201afd9bfa8a6012ca4e2000f7c7f8a6a599d0cdfb99113f6f1a2ef8475b1ebe4bf9d7f7e053f30a51ff227589ca9b3e
-
Filesize
6KB
MD57fa67ef5fae1e1c4917a8797d31175a7
SHA1f23ad246fb00d7da4f76d3f97eea51489e1a9915
SHA2562af5451aa1e6ee86d581dfb8907170fd28d4a4313fa8cec602a02ffa9c1b7bbd
SHA51244b3fc6ffb44dccd67a51fbc72450867944a551d2f364c1fb29b256ed62e0401a6becf13ef9ccde75769fa386229be9a36db3469c54b01f12e4cae8b0b093b25
-
Filesize
6KB
MD577deb0f50b65ecc067feda24ec336822
SHA1b9c8f27279a112294722c32913a838deadf60aab
SHA256c81442a643e25edbc72d41c3952610c2b37070dd68fd29a1a7d3584f412378f4
SHA5128bceaa361b6fe2c30bb953155557149f6ba8af3364bfcde218c375f0399b14d3ca9191aad12b1526c16ed733e8a1c62f448ab71cfe064e070a848bff126f4325
-
Filesize
6KB
MD55dab4475e5c27df8ba14f3b41ff0dc59
SHA12633a2ee123c602e8d8e9583117c328eb267502e
SHA256518ec67194bcd20b42db5a065b35eb5e1b04b21f33c13f1cee9df082bba1bbea
SHA5128a2a2e1eec22fb7682cecec68bc8c17dfe55898180cbe464f57fd276ca6b0f9ec0f6b0fafcface2b4fc0886998546181c73c2313ff77dd52f12677009e8f059c
-
Filesize
6KB
MD59971fa8fa89a208685d3e30835832fb5
SHA15d9972a3bdbd4c18b3648597d2fd9f9fd6e30300
SHA25613417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084
SHA51202b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f
-
Filesize
1KB
MD52700eb370c7a67804e8d4c82ded38f5f
SHA17352e21a3c19a186ec526e8993d1141b8a5953b3
SHA256558ba85796bbb8c2ed5522a839ddfe20ecf30c4b11bdd2b33ca0f1cdc17832f9
SHA512aa1cfee00235b99a2f7179df3f10a481ebe3efac2f6baef5478d1d2afee4938fd2909435f003f053c5d87ddc4b04abc1e7b11e93ccdff0700bea2e20ce46098b
-
Filesize
1KB
MD56002ce82c10f4f760e7c65826f99b9e9
SHA193f34c6cb4e21ae46290f72f2272a3c329b6ac5c
SHA256158f60a1c2bcf4dcdede0add5d70feb0fdd9ff6f49ebc9857ecfe07c503b9285
SHA5121231a34f3c32cacd483c0e7ac377917f765476e4cd441a8ebf78802650720ad3adfbc4bf5d03ee93f5b975e03e5c329334aeeeb18a39a1183de090fb75ee8b6f
-
Filesize
38KB
MD589337791b6fc019098a41200e671fcca
SHA180f31de6cbdcc1883748be19f127a4b882714975
SHA25611c6e8b56af52d85c22f84e97662378344cee6ac69d83f6cad4803753102f1de
SHA512dd6051f75719b2f0cd239d6622c0e9aa638a6a94b8288d7f9c9fdaefe17fca0bad47dcaa49ebdcddc8603b6f37109b9f69b0537d5caf02c5bbef325c403f36e2
-
Filesize
4.5MB
MD58754ea8695bc5db00924af50b9306e2b
SHA1e5cf4c79e1378d09b68c767bf06b173b44df1134
SHA256fcb7a445c40ba527b888301826881c447ba9cce7360f282db8327fba558a451b
SHA512a77b4463571d5973edad0700375364fd57326fa145928d77ef105fda77d11dd3209e691bf36ed0a1ec4f3d00350e74dc63427b4903672d2dec46deb90025a81b
-
Filesize
4.5MB
MD58754ea8695bc5db00924af50b9306e2b
SHA1e5cf4c79e1378d09b68c767bf06b173b44df1134
SHA256fcb7a445c40ba527b888301826881c447ba9cce7360f282db8327fba558a451b
SHA512a77b4463571d5973edad0700375364fd57326fa145928d77ef105fda77d11dd3209e691bf36ed0a1ec4f3d00350e74dc63427b4903672d2dec46deb90025a81b
-
Filesize
455.3MB
MD582520419060bb249de424c437214c25c
SHA17e12cae458bc38efc8d9b4f18c7f218e775fce9c
SHA256f7cc4e66e94ab882729c6b78ac2746f7eb9e82c813a89f6e781ef177eba939a3
SHA512ea89839fbcd308429c228cc9b39019ed32ee7417de5ea4c33f9b5e9b336f978c02962f13022a0828108a6fa5b02893a2e9228f35cc9f26afe54437571726c170
-
Filesize
154.5MB
MD54717c2a342ebf5a5ec9a5da8ff363bce
SHA11313e2f7b66c69a74f75009c1fb2e4917a58ea21
SHA2564d80bbceb7e5678e6cfa6c0f46bcff4897e5f8d8f7e49db313f8d135787a9f00
SHA51255b0f0de2104b45e2e1cb3e9ac5b1885bc03dfc6180fd8fa3d73747df8f03d00bcf320db166fb537930aae2b910270b1e5280fb51654e052b2d9cce7548d5df1
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
280KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
4KB
