Analysis
max time kernel: 21s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20230220-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 03/05/2023, 18:36
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: http://a.academia-assets.com/images/emails/inky/Academia.Logo.Shadow.png
  Resource: win10-20230220-es
- Behavioral task: behavioral2
  Sample: http://a.academia-assets.com/images/emails/inky/Academia.Logo.Shadow.png
  Resource: win10v2004-20230220-es
General
Target: http://a.academia-assets.com/images/emails/inky/Academia.Logo.Shadow.png
Malware Config
Signatures

All signatures below fire on firefox.exe itself, the browser the sandbox used to open the submitted PNG URL. Each one describes behaviour that a multi-process browser exhibits on every launch, so none of them is evidence that the target is malicious; they are listed so the reader can see what the sandbox observed.

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads come from the browser process, which collects CPU details at startup; the signature is only interesting when the reader is an unexpected process or when the values are used to branch execution.

  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe

Modifies registry class (1 IoCs)

  description  ioc                                                                                       Process
  Key created  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings      firefox.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description             pid   Process
  Token: SeDebugPrivilege 2020  firefox.exe
  Token: SeDebugPrivilege 2020  firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)

  pid   Process
  2020  firefox.exe (4 events)

Suspicious use of SendNotifyMessage (3 IoCs)

  pid   Process
  2020  firefox.exe (3 events)

Suspicious use of SetWindowsHookEx (1 IoCs)

  pid   Process
  2020  firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Every record is a write from a firefox.exe process into a process it has just created: PID 4812 (the launcher process) into the main browser process 2020, and 2020 into its gpu, socket and tab child processes. This is how the Firefox broker sets up sandboxed children before they run. A write into a process outside this parent-to-child tree is what would make this signature worth attention. The list stops at 64 entries, so the later tab processes from the process tree (1504, 2940, 4468, 2532) do not appear here.

  description                     pid   Process      procid_target  events
  PID 4812 wrote to memory of 2020  4812  firefox.exe  84             11
  PID 2020 wrote to memory of 3368  2020  firefox.exe  85             2
  PID 2020 wrote to memory of 1680  2020  firefox.exe  86             48
  PID 2020 wrote to memory of 1476  2020  firefox.exe  87             3
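As an added example (not part of the tria.ge report or of tria.ge's own tooling), the following Python reconciles WriteProcessMemory IoC records in the report's text format against the process tree from the Processes section. It counts writes per (source, target) pair and flags any write whose target is not a direct child of the writer, which is the distinction that separates a browser launching its own content processes from code being written into some other process. The parser works on the flattened single-line form the report uses as well as on one record per line. The sample records are constructed from this report; the final record (PID 2020 writing into PID 9999) is invented to show what the check flags and does not occur in the report.

```python
import re
from collections import Counter

# Process tree taken from the report's Processes section: child PID -> parent PID.
PROCESS_TREE = {
    4812: None,   # firefox.exe launcher process
    2020: 4812,   # main browser process
    3368: 2020,   # gpu process
    1680: 2020,   # socket process
    1476: 2020,   # tab (content) process
    1504: 2020,   # tab
    2940: 2020,   # tab
    4468: 2020,   # tab
    2532: 2020,   # tab
}

# Constructed sample in the report's own record format. The 2020 -> 9999 record
# is invented for illustration; it is not in the report.
SAMPLE_IOCS = (
    "PID 4812 wrote to memory of 2020 4812 firefox.exe 84 "
    "PID 4812 wrote to memory of 2020 4812 firefox.exe 84 "
    "PID 2020 wrote to memory of 3368 2020 firefox.exe 85 "
    "PID 2020 wrote to memory of 1680 2020 firefox.exe 86 "
    "PID 2020 wrote to memory of 1680 2020 firefox.exe 86 "
    "PID 2020 wrote to memory of 1476 2020 firefox.exe 87 "
    "PID 2020 wrote to memory of 9999 2020 firefox.exe 99"
)

# One record: "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_records(text):
    """Return (src_pid, dst_pid, image, procid_target) tuples found anywhere in text.

    finditer is used instead of line-based matching so the flattened page text,
    where all records sit on one line, parses the same as one record per line.
    """
    return [
        (int(m["src"]), int(m["dst"]), m["image"], int(m["target_id"]))
        for m in RECORD_RE.finditer(text)
    ]


def writes_per_pair(records):
    """Count how many writes each (writer, target) pair produced."""
    return Counter((src, dst) for src, dst, _, _ in records)


def is_parent_child_write(src, dst, tree):
    """True when the target process is a direct child of the writer."""
    return dst in tree and tree[dst] == src


def unexpected_writes(records, tree):
    """Records whose target is not a direct child of the writer.

    A broker writing into a child it just spawned is normal; anything else is
    the cross-process write this signature is meant to surface.
    """
    return [r for r in records if not is_parent_child_write(r[0], r[1], tree)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_IOCS)
    for (src, dst), n in sorted(writes_per_pair(recs).items()):
        print(f"{src} -> {dst}: {n} write(s)")
    for src, dst, image, _ in unexpected_writes(recs, PROCESS_TREE):
        print(f"UNEXPECTED: {image} {src} wrote into {dst}, which is not its child")
```

Running this against the full IoC table from the report (instead of the constructed sample) yields no unexpected writes, because every target is a child the writer created. The parent-child rule is deliberately strict: a legitimate write into a grandchild or sibling would also be flagged, which is the right default for triage since it is cheap to confirm against the process tree.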
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No IoCs are listed for this signature in the report.
Processes

The tree below is the report's process list with the depth markers (1, 2, 3) turned into indentation. The first two entries have the same command line: PID 4812 is the Firefox launcher process, which starts the real browser process, PID 2020; the content processes (gpu, socket, tab) are children of 2020. The -win32kLockedDown flag on the socket and tab processes is the sandbox mitigation that blocks win32k system calls in those children.

C:\Program Files\Mozilla Firefox\firefox.exe (PID 4812)
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://a.academia-assets.com/images/emails/inky/Academia.Logo.Shadow.png
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (PID 2020)
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://a.academia-assets.com/images/emails/inky/Academia.Logo.Shadow.png
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 3368, gpu)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.0.1780629644\270088040" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1792 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4638279b-7819-4b9a-9e62-11581bf9cb20} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 1916 201ee118958 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1680, socket)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.1.1706207540\1314364353" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f980e047-5705-4f3b-87b1-3c5be954c89d} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 2424 201e0171158 socket

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1476, tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.2.609898119\1335052274" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 2988 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec74838c-38a6-41d5-a077-b5309a5a964f} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 3000 201f0ede558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 1504, tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.3.1419447701\1335570211" -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe3a878-18f2-4f53-84b4-549cff013b34} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 4116 201f1fbd558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2940, tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.4.200194647\1116653427" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cdec4f4-ab74-486b-bcb7-b5c71b42686d} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 4848 201e0169a58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4468, tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.5.1169278951\1607312052" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26a50bdc-e127-49ee-851e-5c186f53cdf2} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 4776 201f36b2258 tab

    C:\Program Files\Mozilla Firefox\firefox.exe (PID 2532, tab)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.6.1749122304\773472588" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcb67f4a-1504-4bd5-b20c-c57111916204} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 5160 201f36b1c58 tab
Network
MITRE ATT&CK Enterprise v6
Downloads

Files written during the run. Only the first entry has a path in the report; the remaining three are listed by size and hash only. All four are Firefox profile artifacts written under the sandbox user's profile rather than content fetched from the target URL.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 151KB
  MD5:    0423df14458e9a8e17a497c75494b5d3
  SHA1:   e98fbadee8d91c61a1cd1e40f961a9874bb90d73
  SHA256: b9f752bc1f5c00d7b7df3e54ddb6d96cadb728ed42dfb4e9eb249f9c225326aa
  SHA512: e21ae320d78e08783dc8169031beeddc6a54049859ae8172fb7790cb29fe91111b0b87c9ff4261d72fb649945dde1cfc49ca6037032c4ea2372a2ac44cfebe5a

File (path not listed in the report)
  Filesize: 6KB
  MD5:    5c6b809a71b632eea95d92d4089544c5
  SHA1:   388d2c9b94b4ee54b512d799693d548e82c874a0
  SHA256: 3933b2d06f9dd778e9a87a1d5d8fc3f9d03559a0ac2564356d0def2eedc089f9
  SHA512: 5e35491e43f1816b8b9eaff084e9721ff0f3c8376432fd516d575471bbee40a1edf8d13916b0b382c438d01f06e0edbc21dfce0758b8a96413cb874c801a8ad1

File (path not listed in the report)
  Filesize: 6KB
  MD5:    6f20c2418ab4bc9d0fddcf6b21e98438
  SHA1:   62e4dd931928ecb980e7c3b04b057fd870ddeb15
  SHA256: 813bfd022e6d6e4bd15478ae27a16ec5d15ed3cbdf7f798acad8b905f6746443
  SHA512: ae9873d69e3d066e95fdebe28742d26d6ffb1a3508c3a97506038239e4ed6e149e63c51ad49cb1387a82dd0a6d4800a37c6427991cba277391885606ec42f2c6

File (path not listed in the report)
  Filesize: 6KB
  MD5:    feb8a52858c8167a58f36caa1b37f116
  SHA1:   7ae7f9d2721ae3c579f9e18e4fea679e8c848158
  SHA256: adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a
  SHA512: 109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16