Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

1

FW Lydia S...20.eml

windows10-1703-x64

3

OutlookEmo...b2.png

windows10-1703-x64

3

OutlookEmo...99.png

windows10-1703-x64

3

email-html-2.html

windows10-1703-x64

1

email-plain-1.txt

windows10-1703-x64

1

Analysis

  • max time kernel
    360s
  • max time network
    362s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/03/2023, 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FW Lydia Signed Your Document Copy.pdf - Ref 820.eml

  • Size

    56KB

  • MD5

    5989d79de15ce32b48b7bed1b9c17a83

  • SHA1

    e2b299b224bf2428d183655330ff5bb3c10de4dc

  • SHA256

    24b57e77a5882d5fed62413c233cdd01533b29e0eaa4c27f91d99bd13543c65a

  • SHA512

    68f7902961518114d7442f2e28705bc991d0cf996f94b78d3ec00dde74bdbce140ddbac7eca978ecfc37296565379da512cbe0d24668910daaaba779ed662f29

  • SSDEEP

    1536:5SfjTE1eeeeeeee0eeeeeeeee9D3ho3+3DGgi0lnyEtuNQK5HzkJ1mpwP/G8g:5U4K3+3DGgiqnBAtOu+g

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FW Lydia Signed Your Document Copy.pdf - Ref 820.eml"
    1⤵
    • Modifies registry class
    PID:5044
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\FW Lydia Signed Your Document Copy.pdf - Ref 820.eml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\FW Lydia Signed Your Document Copy.pdf - Ref 820.eml"
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.0.1627062527\2031630577" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7dd656d-710f-485e-a3d4-4d8aa4847327} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 1732 16c39b18f58 gpu
          4⤵
            PID:1140
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.1.327776567\152812484" -parentBuildID 20221007134813 -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3b5076-53d7-4915-a804-b96bf836e890} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 2108 16c2d374f58 socket
            4⤵
              PID:3380
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.2.613978878\1517702913" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2716 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a948e6da-ad3a-431f-9f5a-98d9b4210a79} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 2828 16c3c7e0958 tab
              4⤵
                PID:3336
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.3.1812866729\1766244100" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5d3295-4408-45ee-837e-bd3c2175cfe8} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 3784 16c3dba5558 tab
                4⤵
                  PID:4916
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.4.1881962932\2059887540" -childID 3 -isForBrowser -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 26967 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a44045c1-8807-4a9b-a2c7-23e012fdfc05} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 4612 16c3c135c58 tab
                  4⤵
                    PID:1764
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.5.2041284325\74949333" -childID 4 -isForBrowser -prefsHandle 2884 -prefMapHandle 4672 -prefsLen 27142 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29233c7f-11fa-4920-9177-b395d494acd3} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 2676 16c3c136e58 tab
                    4⤵
                      PID:612
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1160.6.1755087715\853815634" -childID 5 -isForBrowser -prefsHandle 4700 -prefMapHandle 4696 -prefsLen 27142 -prefMapSize 232675 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86bde722-bd56-4011-94fb-8acb31461f5a} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 4708 16c3e569558 tab
                      4⤵
                        PID:4260
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\FW Lydia Signed Your Document Copy.pdf - Ref 820.eml"
                  1⤵
                    PID:3980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\FW Lydia Signed Your Document Copy.pdf - Ref 820.eml"
                      2⤵
                      • Checks processor information in registry
                      PID:3764

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    156KB

                    MD5

                    383cef58241323ff40188a3bf48b8bad

                    SHA1

                    cf90f13918061c60eb88615c8e8ba80b45061c24

                    SHA256

                    a5b5b4e6b797ce90770d334e739c75ae86c986ae869d3162b3b1da09071a4ca4

                    SHA512

                    dd13c38ea084e413355cfe300fdaa180ed5c741e4e0623f37540da2953aabcaf6bde358f4456cddb741fbf3a7431eca6bbdb795e3cae676de29fc21faa4b958a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\cache2\doomed\30876
                    Filesize

                    9KB

                    MD5

                    9962ef5acd9712830087fff9385b1245

                    SHA1

                    9ae2720e751e3615da97c026d7b01e2a4732b141

                    SHA256

                    0382c7ace8aaa45af85b502bb4c8b8cb30d99d864f59a84535e1d11439cb8da5

                    SHA512

                    19d4341204fb5c46effde5c0c61a9c2affda75342cc364e8b9118264ef36847734fa263f255770a53b780faddcb163c9ee4f82ad12d99906e10d307dd09f32d6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                    Filesize

                    5KB

                    MD5

                    fe68f8f2224b9afe435a8f37bbd571c8

                    SHA1

                    53254c39d0a6c2be0612868bbc13d9259692dd3e

                    SHA256

                    48b8872fec8c815d672209f3af6acdf20c37a712d07d34691eb3a2f25fe3c694

                    SHA512

                    0f3bf726d836ef3dfa2d1e34897cd058e3b3eef4958b25a9b1a959d1fb64bc9c41b38138379cf4f896c3beebf91e41c596925e1da3394c4bda41182293ac8ceb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    f843fc3b858888d342076c7199266348

                    SHA1

                    97dea7b7d8486f03cc085ef488fda80fe53515a0

                    SHA256

                    19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

                    SHA512

                    9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    f5d6835327b010e4a1abf258f875ff86

                    SHA1

                    713e998e9e5f370d1ae5ad893293208458b3dd62

                    SHA256

                    2eba132271d9f990395cc7254bdb71587f5d6b579573d20771bd50be57e54d5d

                    SHA512

                    160240adb0efbf2d2bfdc6f069260226c78b3d4722c7134ec95a67d9ec12a1ad1f2c7377ff6dd0a8a81088896613d2b47f7b8e311f346b86ce60ac90f1183a72

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    c4e07985c3b11efae496d62bce8654ce

                    SHA1

                    a077e4a235f3bc24ea764aac310e0dee8f6da40e

                    SHA256

                    4e02e0c693699b3a7c26d4e44235ada20b42a7149f0065b92a6be7e8a6385024

                    SHA512

                    851680f0fbd043c8d100dd9b0378bb4ef79184f8c7cd4eccda082f9456850c27ecd7c3701bc11ba8ebd0e020177686bbb2ed0cbcfd68399dfaab6ddedb39a03f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    493d5c96e6b31ec2920692031e457744

                    SHA1

                    d28f4c553be67c548f803c91f9c53d9ce1697562

                    SHA256

                    4635717277b409d3020d1b503dff491e09512ea89299b9a9d08a4a95aeafb777

                    SHA512

                    7aa4390e08d097a2b5814c42aa9f4b97b3edef51646ed7da8595bacca887224d3117e62b357fea75c3e3a33fb56ba09d85c3d946b6342cbb8c944b5fd72c7d96

                    Download Submit

                  • C:\Users\Admin\Downloads\fl7YrE3T.eml.part
                    Filesize

                    56KB

                    MD5

                    5989d79de15ce32b48b7bed1b9c17a83

                    SHA1

                    e2b299b224bf2428d183655330ff5bb3c10de4dc

                    SHA256

                    24b57e77a5882d5fed62413c233cdd01533b29e0eaa4c27f91d99bd13543c65a

                    SHA512

                    68f7902961518114d7442f2e28705bc991d0cf996f94b78d3ec00dde74bdbce140ddbac7eca978ecfc37296565379da512cbe0d24668910daaaba779ed662f29

                    Download Submit

                  • memory/3380-374-0x00007FFDBBD30000-0x00007FFDBBD31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3380-373-0x00007FFDBBE20000-0x00007FFDBBE21000-memory.dmp

                    Filesize

                    4KB

                    Download