Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
12/04/2023, 14:20
230412-rnx2yaec6v 112/04/2023, 14:19
230412-rm37kaec5z 112/04/2023, 14:16
230412-rk6vnsec41 3Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
12/04/2023, 14:16
General
-
Target
images.jpg
-
Size
6KB
-
MD5
65eaff44047483ac2f7088541f6b29bc
-
SHA1
854559285bd6a67dbddf006d1c4a8b6d7546f53f
-
SHA256
94f4c2a69612f93a48c6cf3d2cb8560fe4dc34ed73112cfa9f7db0f37c219000
-
SHA512
031914645467b069cfff51b4dfefbedf94d4f0f7b70054e99630d33038cf57700f2d767fd223c17a7506ac7d334e4a6990c22c29699cdd24a275e0fc6fb41728
-
SSDEEP
96:oAV+ClYYYYYW7JQ42VD2iyG3ZLVdo987Ivqq34Q7lRgcGbpWEZTBgMAGi19OI:oWBlYYYYYo2Q9G7HBq3TL6btAGiV
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\images.jpg1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.0.640974032\1319331156" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1664 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35661ccc-ae47-4738-80cd-48468e4c30f1} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 1752 20279719858 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.1.1651882351\204693267" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84ad5889-40c8-4cd2-869a-32d9765af37f} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 2104 2026ce6fb58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.2.1357357330\1020857738" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2724 -prefsLen 21039 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc826632-5562-47dd-b36b-ef64dde9a8c3} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 2924 2027c52a158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.3.1121630505\90528715" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5baeeb82-6ea3-44cb-bf9c-5e405da42135} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3276 2026ce62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.4.1578296793\141955669" -childID 3 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b53c95f1-6369-46f4-b330-b63dc4e9d81f} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 3944 2027d836358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.7.1252060334\1354745424" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {343bd010-08d4-432e-80c0-c7c3d867d427} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 4996 2027e433b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.6.1310113002\380637893" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fa71968-3982-4d68-9d22-8478d6221988} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 4976 2027e433558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.5.240307233\985999375" -childID 4 -isForBrowser -prefsHandle 4744 -prefMapHandle 4684 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {921fb6c3-f61c-4878-8018-d646d368c711} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 4756 2027e430b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.8.599717302\890415050" -childID 7 -isForBrowser -prefsHandle 3320 -prefMapHandle 2884 -prefsLen 26639 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1c1df7d-04ca-4288-b006-0f5b3db22d7f} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 2588 2027f196858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1388.9.1647995400\1248521534" -childID 8 -isForBrowser -prefsHandle 3192 -prefMapHandle 5584 -prefsLen 27324 -prefMapSize 232645 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8d43dae-ef83-45b0-99c8-fe7548ab44bd} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" 4600 2027d317858 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD54272ec033968d91f80bdcbe34012c1f6
SHA183d82d38eb31414ea9b94d2453b7b661e1f8339f
SHA256e1a03ea092eea694fa255d02ff6aa56440e398852c4a94accf2d46ab2482b004
SHA5127e15ca0dfe8fbe9538318e6b1e95a7ae27f470c37eb53ed396d116975e90b6db1946c7694ab2bd6fd801ba866ca0876d150c15f87dec4de88f05838c5c4e0359
-
Filesize
6KB
MD5cdb5a91b7898f75f98e448e80b41dba6
SHA1c749651f98e32a2320d2e52fd467fd6217660535
SHA256ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc
SHA512b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b
-
Filesize
193B
MD52ad4fe43dc84c6adbdfd90aaba12703f
SHA128a6c7eff625a2da72b932aa00a63c31234f0e7f
SHA256ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933
SHA5122ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc
-
Filesize
1KB
MD56baae4649c39fb729d30ed23abcc3d8c
SHA186df12bb2e7f2abc654f6d893b43fd28b4c52067
SHA256ce0e586d64158d283d9de8ba9f4b903d081074b47a09eb29744c95294f1652ea
SHA5125e0c859b5550fc45203b83d81e4f9f7f3eb56a09cf6606e95239c56c01ad8e375ca677dca5a907979b6b521df318e5b516da23fe96c32b1638af8a60007a3f32
-
Filesize
1KB
MD590d9ff5e6da6415de5925ff26ad73af2
SHA1dc274d5d5ae4c4ac339bd5f1f32f1b281e3efa3b
SHA256243cfc6742c80eda387bacac12dfc03b8602dbeadbbaf7cc887914911a35bae5
SHA512cd551e8fca32955d231c7f28e036faa671971fe3d500e818b69816674d9c1c15985160c51c14ed23ffbbd373118670239ac6077c3a2840bcf0c365317159699b
-
Filesize
1KB
MD5c75301a2b0e451670c2562b8e9daa1c3
SHA10c8e531b0667be28ef4bba0011c52fa4f07a2a81
SHA2564a24d85b2dd6f9ccae1f1b01ec47e0bb873ce55851ce50918a51c484db9f8afe
SHA512dd1d02e56eeb9598e2549a917ce957944e7936985c341265b8460f22a0f778c7ff27b5d07df851c795dcbae9d518f63418b3bfc5262c0c4c76b7e8952049ce9c
-
Filesize
184KB
MD58a215aba3d43e7100b0ff697a3a8c40c
SHA1c54a51f38b92550332357563d0dd706c1bc9e728
SHA256b72651db3e0dbfef27456367403b2ae1b0d4e2f21fd4e65ff1306e66842b97c5
SHA512c5073ec9287044393c80f2ef6fe96088994f234e6d8c55ff1b9b6285aeb4cd0966ef8658d7f06386905f97cb28361614ccb4c16ae386ed4b77022fb7615c90ef