Resubmissions

22/04/2023, 00:12

230422-ahh76aba63 4

22/04/2023, 00:06

230422-ad5klaba37 1

22/04/2023, 00:00

230422-aafgasch3w 1

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/04/2023, 00:00

General

  • Target

    dont run.exe

  • Size

    14.3MB

  • MD5

    6fd1a07f5f710341d9e1d4e18b68cdaf

  • SHA1

    43c0d8cac5e2b83af79aadea42d7202fa78ddd9b

  • SHA256

    0ecb876346cbf85ff36f4983bed844f1939c395e6453b6cfed28faa3e796d345

  • SHA512

    d1b8fc83eb09fd14df78bf3463659f3b29e956acaa70eb54c2ac6d5698467e411e51af0c79cc793193b3d40cec9893b9163fe10de1e5bfa4a42b603a5c5f5006

  • SSDEEP

    393216:lvPJzIS+3WFGw+cBZWOpq9bwJsv6tWKFdu9Ceuqa:lHJL+3WF/+c4uqa

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the only process tagged with this signature is the Firefox child process (PID 2372), not the submitted sample (PID 1980); see the process tree below.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No process in the tree below carries this tag and no IoC count is shown for it, so the process that made the call cannot be identified from this report.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dont run.exe
    "C:\Users\Admin\AppData\Local\Temp\dont run.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1980
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4dc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4584
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4928
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.0.1425762147\230726265" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb34d49-5500-444e-a617-28d7a1af4989} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 1900 1e6c3092658 gpu
        3⤵
        PID:4592
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.1.665549428\1181411228" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7c0c59e-045e-42db-87ed-4540a9917fd9} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 2300 1e6b5072e58 socket
        3⤵
        PID:404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.2.391137984\793279982" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 3148 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {923ada8e-e38c-445a-9887-93418911b661} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 2856 1e6c5ce5858 tab
        3⤵
        PID:3404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.3.1668665437\1993857736" -childID 2 -isForBrowser -prefsHandle 2344 -prefMapHandle 1452 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09b2c5d6-2305-496d-ae61-ddde3492a065} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 3532 1e6b505e558 tab
        3⤵
        PID:4560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.4.444689529\1344728744" -childID 3 -isForBrowser -prefsHandle 4072 -prefMapHandle 4064 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf1e783b-a6fd-4d39-a8ab-94372616df4d} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 4084 1e6b505df58 tab
        3⤵
        PID:940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.5.781182113\1443343575" -childID 4 -isForBrowser -prefsHandle 4828 -prefMapHandle 4780 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b10a72-6598-4d89-9f24-b34a455c3b09} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 2712 1e6c8026058 tab
        3⤵
        PID:3212
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.7.597888702\918864609" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd6ebbcd-8838-4f64-9162-48f37cf37939} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 5408 1e6c80a0258 tab
        3⤵
        PID:5088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2372.6.945688334\1669735837" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8379cae3-eb06-44f2-95b3-a79e63b1f271} 2372 "\\.\pipe\gecko-crash-server-pipe.2372" 5220 1e6c8026358 tab
        3⤵
        PID:2340
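The process tree above is the part of the report that tells you whether the signature hits belong to the submitted sample or to something else running in the sandbox. The script below is an added example, not part of the tria.ge report and not in the sandbox's own data format: it rebuilds the tree from records constructed by hand from the PIDs, parents and per-process tags shown above, attributes every signature to the lineage that raised it, and lists any signature from the Signatures section that no process in the tree carries. It generalises to any report of this shape, so the `PROCESSES` and `REPORT_SIGNATURES` tables are the only thing to swap out.

```python
"""Attribute sandbox signature hits to process lineage.

Added example: this script is not part of the tria.ge report and does not use
the sandbox's own data format. PROCESSES and REPORT_SIGNATURES are constructed
by hand from the process tree and signature list shown above.
"""
from dataclasses import dataclass
from typing import Optional

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]      # None marks a top-level (depth 1) entry in the tree
    image: str
    signatures: tuple = ()   # per-process signature tags as shown in the report


# Constructed from the report's process tree: depth-1 entries have no parent,
# the Firefox content processes hang off PID 2372, which hangs off PID 3124.
PROCESSES = [
    Proc(1980, None, r"C:\Users\Admin\AppData\Local\Temp\dont run.exe",
         ("Suspicious behavior: AddClipboardFormatListener",
          "Suspicious use of SetWindowsHookEx")),
    Proc(4584, None, r"C:\Windows\system32\AUDIODG.EXE",
         ("Suspicious use of AdjustPrivilegeToken",)),
    Proc(4928, None, r"C:\Windows\System32\rundll32.exe"),
    Proc(3124, None, FIREFOX, ("Suspicious use of WriteProcessMemory",)),
    Proc(2372, 3124, FIREFOX,
         ("Checks processor information in registry",
          "Modifies registry class",
          "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of FindShellTrayWindow",
          "Suspicious use of SendNotifyMessage",
          "Suspicious use of SetWindowsHookEx",
          "Suspicious use of WriteProcessMemory")),
] + [Proc(pid, 2372, FIREFOX) for pid in (4592, 404, 3404, 4560, 940, 3212, 5088, 2340)]

# The report's Signatures section, including "Uses Task Scheduler COM API",
# which no process in the tree is tagged with.
REPORT_SIGNATURES = (
    "Checks processor information in registry",
    "Modifies registry class",
    "Suspicious behavior: AddClipboardFormatListener",
    "Suspicious use of AdjustPrivilegeToken",
    "Suspicious use of FindShellTrayWindow",
    "Suspicious use of SendNotifyMessage",
    "Suspicious use of SetWindowsHookEx",
    "Suspicious use of WriteProcessMemory",
    "Uses Task Scheduler COM API",
)


def ancestors(pid, by_pid):
    """Parent chain of `pid`, nearest parent first, up to a top-level entry."""
    chain, seen = [], set()
    cur = by_pid[pid].ppid
    while cur is not None and cur in by_pid and cur not in seen:  # `seen` guards a cyclic tree
        seen.add(cur)
        chain.append(cur)
        cur = by_pid[cur].ppid
    return chain


def attribute_signatures(procs, sample_pid):
    """Return {"sample_lineage": {sig: [pids]}, "unrelated": {sig: [pids]}}.

    A hit is in the sample's lineage when the tagged process is the sample or
    has it somewhere in its parent chain; everything else is noise from other
    processes that happened to run in the sandbox (here: the browser).
    """
    by_pid = {p.pid: p for p in procs}
    buckets = {"sample_lineage": {}, "unrelated": {}}
    for p in procs:
        related = p.pid == sample_pid or sample_pid in ancestors(p.pid, by_pid)
        target = buckets["sample_lineage" if related else "unrelated"]
        for sig in p.signatures:
            target.setdefault(sig, []).append(p.pid)
    return buckets


def unattributed(report_signatures, procs):
    """Signatures listed by the report that no process in the tree carries."""
    tagged = {sig for p in procs for sig in p.signatures}
    return set(report_signatures) - tagged


def triage(procs=PROCESSES, report_signatures=REPORT_SIGNATURES, sample_pid=1980):
    """Full breakdown for one report: lineage hits, unrelated hits, unattributed."""
    result = attribute_signatures(procs, sample_pid)
    result["unattributed"] = unattributed(report_signatures, procs)
    return result


if __name__ == "__main__":
    report = triage()
    for bucket in ("sample_lineage", "unrelated"):
        print(f"{bucket}:")
        for sig, pids in sorted(report[bucket].items()):
            print(f"  {sig}  PIDs {pids}")
    print(f"unattributed: {sorted(report['unattributed'])}")
```

Run against this report, the sample's own lineage accounts for only `AddClipboardFormatListener` and `SetWindowsHookEx` on PID 1980; the registry check, `WriteProcessMemory` and the rest come from the Firefox tree, and the Task Scheduler signature cannot be attributed to any process at all. That split is what the 1/10 score reflects.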

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    145KB

    MD5

    11bf571ba68231cbd525422782a5b7f8

    SHA1

    d42a07ae87628dc58cc92b40834fd1d75fb96ec0

    SHA256

    a2e33a4b67455e8d88410236e821157f3cd414cce79a82ae59e4ff56398d7b44

    SHA512

    2bb16b804480f8d2bab551c315ca448876d9bf7e5b034966780eaad9fdb8e1c75ef94bd8d6adddf224a2113dbcabb95395150eb592db4bfa7ab4479cf895dc62

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

    Filesize

    6KB

    MD5

    51fb9cba4aaaae80e95e2d498f848f00

    SHA1

    708948d0c33e2024d383b619c2957a6e8fcf009c

    SHA256

    e4349cc4cdf41a2c4f50064087b4c79c1490a83d3d2e9224e0e3b1089ad1bbc8

    SHA512

    982da6e68d3396219428d67744857d1d59be89e7d1e0463d70142dc7d3d80b95cc3016fe30a67543c1dfdf8159f73bd284aa9a125ccbee6dbe4f7e41002d0876

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

    Filesize

    6KB

    MD5

    1984b45f201f1fd79d2154406648433b

    SHA1

    42f082dc6d4d43333688690bf4dfa7c7f8b618ab

    SHA256

    000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

    SHA512

    e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc