Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

empyrean-m...ld.bat

windows7-x64

1

empyrean-m...ld.bat

windows10-2004-x64

1

empyrean-m...der.py

windows7-x64

3

empyrean-m...der.py

windows10-2004-x64

3

empyrean-m...on.bat

windows7-x64

1

empyrean-m...on.bat

windows10-2004-x64

8

empyrean-m...bug.py

windows7-x64

3

empyrean-m...bug.py

windows10-2004-x64

3

empyrean-m...ers.py

windows7-x64

3

empyrean-m...ers.py

windows10-2004-x64

3

empyrean-m...ken.py

windows7-x64

3

empyrean-m...ken.py

windows10-2004-x64

3

empyrean-m...ion.py

windows7-x64

3

empyrean-m...ion.py

windows10-2004-x64

3

empyrean-m...tup.py

windows7-x64

3

empyrean-m...tup.py

windows10-2004-x64

3

empyrean-m...nfo.py

windows7-x64

3

empyrean-m...nfo.py

windows10-2004-x64

3

empyrean-m...fig.py

windows7-x64

3

empyrean-m...fig.py

windows10-2004-x64

3

empyrean-m...ain.py

windows7-x64

3

empyrean-m...ain.py

windows10-2004-x64

3

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2023, 23:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    empyrean-main/build.bat

  • Size

    664B

  • MD5

    85857405eca41f5e898322bf94400313

  • SHA1

    f5d0e3170eea75ca0d19e237a9c9becd6e7988a2

  • SHA256

    d26347df3e03141a940477d79848e5322bbdb2a71dc6c603f2d980c862421ab3

  • SHA512

    16f4c957d1d4c07292e3bb0ed75874b7ecad7716bcb134d29a07bfcc96531c6775869996631eb74910d4e32c9513f54345e79fdb65534b2925ff82fefeca36c5

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-main\build.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      2⤵
        PID:3076
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:212
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.0.1755687603\558733100" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {602d57c2-7fbc-4c30-931e-d886cfd6730d} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 1900 20348392558 gpu
            3⤵
              PID:3656
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.1.1901108138\2072820914" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {324e81c6-a5bc-4e2a-96ea-6e60be7ef200} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 2300 2033a172e58 socket
              3⤵
              • Checks processor information in registry
              PID:4516
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.2.613611450\177848529" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3012 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4a37ba-1f98-4643-abcb-0d1671bb302b} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3260 2034afe4258 tab
              3⤵
                PID:3660
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.3.849108132\2014231170" -childID 2 -isForBrowser -prefsHandle 1228 -prefMapHandle 3548 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48b6ea2b-d875-4028-adae-cec2266b7957} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3032 2033a15b858 tab
                3⤵
                  PID:4460
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.4.634200\1398811391" -childID 3 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ded4dad-b8a6-4d0e-aae0-8ae417008723} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 3968 2033a161c58 tab
                  3⤵
                    PID:4628
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.5.1266471637\532957439" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 5008 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8372ee80-12ea-401a-b1c3-49d288efbff6} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 5112 2034d0d5e58 tab
                    3⤵
                      PID:396
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.7.742838000\1010677271" -childID 6 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c124de-4346-4a49-95b1-e58bc8c97337} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 5432 2034d5f9658 tab
                      3⤵
                        PID:3852
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2064.6.1949411133\1809220983" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb084a3-2f32-46ba-853b-fd0e1996369a} 2064 "\\.\pipe\gecko-crash-server-pipe.2064" 5240 2034d5f7558 tab
                        3⤵
                          PID:3412

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      146KB

                      MD5

                      3c1aaee69c8f8276ce9ce197f68f6ae0

                      SHA1

                      440a6260a38892ce1739a6a02e461d742e7d4737

                      SHA256

                      9ddebeb702e487e9d7d433391b5805b308531f600ace729e92bdff8594ab0f04

                      SHA512

                      57dc228e432523519621814b95643d649ea48cc09f3f82c2a7db9a7b9f1e9be2721f0e24a9a9073180f253a90a2ee14cbe489745d44e8e2912709c28b34456e2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      103debe47cbeed38d1f804e69c987834

                      SHA1

                      31ce9832fce928d8e9d712f612f56013ac33b905

                      SHA256

                      b41ae3180832c3e70f13b9d1e595ed740a7d52bc0e1d3bc5f72bf90334d82e80

                      SHA512

                      32f3196d3b795f03a2413d04faa43a93637c54f23676f7fd38ab57929aa5aa1bab763b73d66ae9c6cabf8b5d257c95feb011aec9680c9431f5ab3384dc1d8cb7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      dbfc37aa81261ddb5dd7c28803e3628b

                      SHA1

                      887619d329ab0fd3f55559c7e39f11e90b34248e

                      SHA256

                      04c0fb3b1dacf3a7dda6f8fb26f0c233a6368863cb6ffc240eea9e4fe7af2e3f

                      SHA512

                      c939ede4f9d9bfa2fa8ffe4cbf25db6fd710477d737e0f13788f423f83ebd1c0d0b5265099f74c3d5e4c7107bb38af689e0b85d008da6fe51500ac71458e59ba

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      1984b45f201f1fd79d2154406648433b

                      SHA1

                      42f082dc6d4d43333688690bf4dfa7c7f8b618ab

                      SHA256

                      000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

                      SHA512

                      e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      f84fcebd36f7bd2efcbd51b111fc90ee

                      SHA1

                      bcfc6c4da7e526b5e155a23a318b53e01a59ca8b

                      SHA256

                      0fee103f57532c09fd1c1c0312c291d8a0c76a80b7803c86dc693942bf07e0a8

                      SHA512

                      bedc2da8112155c0f083e9c40ad2f33e858ca40e8cd28ab7fca21b17ac54a7e5a67b1563fcf2309731ff0ce29e0b2265a8c0dceaf866ba82b7aadc37fc0d221a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore.jsonlz4
                      Filesize

                      889B

                      MD5

                      70f6f2694bcf0aee155238f12c62e20e

                      SHA1

                      d144e88e5c09e5e4856cb77e3d8d8f1bebfb456d

                      SHA256

                      4226969adb7dd610b16bc1b7911a653e3ff6c7dc663e4ff75774bfc8a93eafa9

                      SHA512

                      64d449fc1f4a5607c0c47a79b61226ba02232ee848e07514ae711ca72ea766c4fb7f82df5ffd5ae21bc4095e8e9701a39ee96a2166d6214edadb47965f52ecb2

                      Download Submit