Resubmissions

12/03/2023, 13:16

230312-qh9ywaga5v 1

12/03/2023, 13:14

230312-qg5b1aga4z 1

Analysis

  • max time kernel
    183s
  • max time network
    184s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12/03/2023, 13:16

General

  • Target
    7394dbd3e20ee5cc75d2d006dc9cf5e07885726480fb77b57db9d38f1bcbfbfc
  • Size
    164KB
  • MD5
    da3c6a31a7843e872d62b033b3fcf50a
  • SHA1
    5acd3cddcc921bca18c36a1cb4e16624d0355de8
  • SHA256
    7394dbd3e20ee5cc75d2d006dc9cf5e07885726480fb77b57db9d38f1bcbfbfc
  • SHA512
    b2ecddc772fa5d87ca792b3cff386bcd9c868cade19f3fc4ac9e77655bff7af056a2ce474e9ae4c8ee1054aaece4f2b1bde06136cd3179cca0535f72d7ecba56
  • SSDEEP
    3072:dhFioGIOOOBNpFNm3QQqR2wXv5Kp5UCvjdiEBRYoCXIRPei:Y5Kp5vjTfYoCXIRGi

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\7394dbd3e20ee5cc75d2d006dc9cf5e07885726480fb77b57db9d38f1bcbfbfc
    1⤵
    PID:3488
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2228
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7394dbd3e20ee5cc75d2d006dc9cf5e07885726480fb77b57db9d38f1bcbfbfc.js"
    1⤵
    PID:4300
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.0.1408003603\1472159317" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ea45625-9cd2-45c3-83fd-c29661ea7802} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 1732 1646a618c58 gpu
        3⤵
        PID:696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.1.1794025596\1388665840" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7c7fd4-623d-41da-99ba-7a49e9c031e1} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2088 1645dd72b58 socket
        3⤵
        PID:4768
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.2.227601747\1615668416" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2724 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8317a30b-e4f1-4dc2-b468-90a4eca5aafc} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2764 1646d3ec258 tab
        3⤵
        PID:4180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.3.737072457\244127026" -childID 2 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b316d826-20ea-4844-8d4c-eefe67699ecc} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 3264 1645dd62b58 tab
        3⤵
        PID:1424
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.4.1997108391\383667545" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4200 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51a998ab-403c-4ecb-a410-d9bdca853222} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 4216 1646ee7dd58 tab
        3⤵
        PID:3812
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.5.1797533504\1950190205" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b38f71f5-8849-479c-9d98-6bd64931e698} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 4836 1646fa51658 tab
        3⤵
        PID:4080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.7.1714899411\2098750876" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df827efc-d445-475d-8f3e-edff6707fac9} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 5248 1646fa52b58 tab
        3⤵
        PID:3524
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.6.36956149\593034393" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4972 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4c4a0f1-ec51-445b-ab64-b4af5ca978da} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 4832 1646fa4f858 tab
        3⤵
        PID:4968
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.8.643782724\865078480" -childID 7 -isForBrowser -prefsHandle 5232 -prefMapHandle 5196 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5f8c3c7-8eaa-49d2-bf6a-59ed77af5744} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 3012 1646d3ec558 tab
        3⤵
        PID:2444
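Read by its depth markers rather than by indentation, the tree above has four top-level processes (cmd.exe, rundll32.exe, WScript.exe and firefox.exe), and every signature shown against a process fires inside the firefox.exe subtree (PIDs 2224 and 4020), none under WScript.exe, the host that actually executed the .js. The following is an added example, not tria.ge's own code: it parses the Processes section in the layout rendered above and attributes each signature to the root of the subtree it fired in, so browser-contributed hits can be separated from hits in the sample's own process. The REPORT_PROCESSES text is constructed from this page with command lines omitted and only one content process kept; the parsing rules (a bulleted drive path starts a process, the "N⤵" marker gives its depth, a process at depth N is the child of the most recent process at depth N-1) are assumptions about the rendering, not a documented tria.ge format.

```python
# Added example, not tria.ge's own code: rebuild the process tree from the
# "Processes" section above and attribute signatures to the subtree root they
# fired in. Assumed layout (as rendered above, not a documented format): a
# bulleted image path, an optional command line, a depth marker "N⤵", zero or
# more signature bullets, then "PID:<n>"; a process at depth N is the child
# of the most recent process listed at depth N-1.
import re
from dataclasses import dataclass, field

# Constructed from the Processes section above (command lines omitted, one content process kept).
REPORT_PROCESSES = r"""
• C:\Windows\system32\cmd.exe
  1⤵
  PID:3488
• C:\Windows\System32\rundll32.exe
  1⤵
  PID:2228
• C:\Windows\System32\WScript.exe
  1⤵
  PID:4300
• C:\Program Files\Mozilla Firefox\firefox.exe
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:2224
• C:\Program Files\Mozilla Firefox\firefox.exe
  2⤵
  • Checks processor information in registry
  • Modifies registry class
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  • Suspicious use of SetWindowsHookEx
  • Suspicious use of WriteProcessMemory
  PID:4020
• C:\Program Files\Mozilla Firefox\firefox.exe
  3⤵
  PID:696
"""

PROC_RE = re.compile(r"^• ([A-Za-z]:\\.+)$")  # a bullet holding a drive path
DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
SIG_RE = re.compile(r"^• (.+)$")              # any other bullet is a signature


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    pid: int = 0
    depth: int = 0
    parent: "Proc | None" = None
    signatures: list[str] = field(default_factory=list)


def parse_process_tree(text: str) -> list[Proc]:
    """Return the processes in report order with parent links resolved."""
    procs: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}   # depth -> most recent process there
    cur: "Proc | None" = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            cur = Proc(image=m.group(1))
            procs.append(cur)
        elif cur is None:
            continue                       # text before the first process
        elif m := DEPTH_RE.match(line):
            cur.depth = int(m.group(1))
            cur.parent = last_at_depth.get(cur.depth - 1)
            last_at_depth[cur.depth] = cur
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif m := SIG_RE.match(line):
            cur.signatures.append(m.group(1))
        else:
            cur.cmdline = line             # the quoted command line, if present
    return procs


def signatures_by_root(procs: list[Proc]) -> dict[int, set[str]]:
    """Union of signatures fired anywhere in each root's subtree, keyed by root PID."""
    out: dict[int, set[str]] = {}
    for p in procs:
        root = p
        while root.parent is not None:
            root = root.parent
        out.setdefault(root.pid, set()).update(p.signatures)
    return out


def signatures_under_image(procs: list[Proc], image_suffix: str) -> set[str]:
    """Signatures fired in every subtree whose root image ends with image_suffix."""
    by_root = signatures_by_root(procs)
    roots = [p for p in procs if p.parent is None
             and p.image.lower().endswith(image_suffix.lower())]
    return set().union(*(by_root[r.pid] for r in roots))


if __name__ == "__main__":
    procs = parse_process_tree(REPORT_PROCESSES)
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1]
        print("  " * (p.depth - 1) + f"{name} pid={p.pid} sigs={len(p.signatures)}")
    print("under wscript.exe:", sorted(signatures_under_image(procs, "wscript.exe")))
```

Run stand-alone it prints the tree with PIDs and per-process signature counts; signatures_under_image(procs, "wscript.exe") returns an empty set for this report, which is the quick check that separates signatures triggered in the sample's own host from those contributed by the Firefox processes, and is consistent with the 1/10 score despite seven signature hits.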

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 149KB
    MD5: c8a6f801b9b8d5dbaa2a02195bf4fcd5
    SHA1: 314a1e3c675c992372f12507eaf9314783dae2aa
    SHA256: 1edb72ed901d1de9173cfd11ee36ff46a81d21509ca16eb22fa4bbc7106321d2
    SHA512: 7c0ff33302c805f1fbbc97dff5e48d9068d783b26bf320ae849f76885af1ab5569d91eae884a0ee65688595dc69a3b2d2cde569c978128e78ac37af0dbdf21ff
  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js
    Filesize: 6KB
    MD5: cdb5a91b7898f75f98e448e80b41dba6
    SHA1: c749651f98e32a2320d2e52fd467fd6217660535
    SHA256: ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc
    SHA512: b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionCheckpoints.json.tmp
    Filesize: 193B
    MD5: 2ad4fe43dc84c6adbdfd90aaba12703f
    SHA1: 28a6c7eff625a2da72b932aa00a63c31234f0e7f
    SHA256: ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933
    SHA512: 2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: a568d3d5081983dd4978ce7e1d5beeb7
    SHA1: e020ed7ee69d5b8b771adf7d810a468ca7bf6edd
    SHA256: ac0b5a93a3b3069975509059ce07c5ff6dcb9a014ddd8ac59fccdc4927e8eeaf
    SHA512: 4729bdb9d8fe13562321a4881ec0324ea4eeaacdd2ca9c4a0c7a7957e38c019932d4a1040e8919e2822a91f87340149de367acdbe14293c1c5d2151b8be5a549
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: c09a9dcfd8ab21bdfbb5608513506ab3
    SHA1: f1cca793a9f2c7261cfc85576f4e65b2e11b93a0
    SHA256: 5741ea14944da1ac3a5827198ec3e5a27eb206955bc202060ba5264b722adfd5
    SHA512: d3496a93755f5b73b7e2d48d0a065e63334a7902be4644b7821827a54877c7a155b33f5053b7083d0690ffbdaf507cc596a641ac0bcff57e8f2f21e22daf783a
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4
    Filesize: 1KB
    MD5: d72a2dc963021f98beeaff2d46978d94
    SHA1: 22fd2abc33e93abb68fbca6368385d736f969b66
    SHA256: 7550f560dd42fec9ef0585a299a0cbff4d75afbd3d2c2319fd0dd09ff75349db
    SHA512: 9e6199f696fa6a089a82b587aef32dd3ec65a3f25601fc07cab1eb3afe0d8fa9061c0b85b4154e389eea2babca8670a7ff92f8bfe481fd4e2a2cf12944bc5203
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 9eaefb6eb726b079e0032089efffda4f
    SHA1: 85c6283dbee1329988f8831f170886fbfc823d0d
    SHA256: 62a69707bae623210f4d2dd34fcf4921bd62e1ea132609162805f5e6937efab5
    SHA512: 02d1d0c83e4c67cde41b047ea6cbcd0d12273a1bf6831ae2721e086acc90c0392d0a462fc69638f3d883d4724cc180f12c15250802d48da53ef20f19f5f9a4b9