Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

bee movie script

windows10-1703-x64

6

bee movie script

android-11-x64

Resubmissions

16/05/2023, 23:26

230516-3e3rlscb3s 1

16/05/2023, 23:26

230516-3ethyada47 1

16/05/2023, 23:18

230516-3aeh8ada35 5

16/05/2023, 23:15

230516-28vgnada28 10

16/05/2023, 23:13

230516-27wnbsca81 1

16/05/2023, 23:10

230516-257mtaca8x 6

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/05/2023, 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bee movie script

  • Size

    48KB

  • MD5

    82efebf8c7b591240c3fc56307a121a2

  • SHA1

    93ae3d6436613af8a6957db81e1701fbc50de7a8

  • SHA256

    27052339536a08543f16b5fa0deb4ce554a70b697b27ee0143302d7e6ec4fe2f

  • SHA512

    26a776d2c6bbf6c401c0970a04ef7ec83ca3931c2a74e6b19d0d8bb1e84276b5a1c37d0fe00bf0022568e9ad311adffced95dbc50b0c0b0aa6e16a9bde891066

  • SSDEEP

    1536:ijaPW66ps+TjnDPZJ8Gr6JFDhCrXWqfuz0m/+7:imPEs+TjnVJ8hDh6X/2zn+7

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\bee movie script"
    1⤵
      PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Windows\system32\systeminfo.exe
        "C:\Windows\system32\systeminfo.exe"
        2⤵
        • Gathers system information
        PID:2244
    • C:\Windows\system32\osk.exe
      "C:\Windows\system32\osk.exe"
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4996
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0xf8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:316
    • C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
      "C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe" -Embedding
      1⤵
        PID:3884
      • C:\Windows\system32\msinfo32.exe
        "C:\Windows\system32\msinfo32.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        PID:3584
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.0.757242587\1564968252" -parentBuildID 20221007134813 -prefsHandle 1636 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {019c03b1-b6f0-4a39-9926-7fd53fe19da8} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 1716 24b64fa6158 gpu
            3⤵
              PID:944
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.1.1583831149\1564470916" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b246174-7103-49a8-a589-3f76a08e9275} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 2072 24b58672258 socket
              3⤵
                PID:4968
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.2.1362067440\260897343" -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2800 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0ca900d-ef76-4ee8-a542-81f000f984e5} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 2776 24b67c4d658 tab
                3⤵
                  PID:2152
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.3.2121980509\1696952531" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e1033b3-2c8e-4048-8077-d901cf7684c7} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 3444 24b58662b58 tab
                  3⤵
                    PID:196
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.4.1811070932\1888143717" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3660 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80d0a9b7-3c0e-4d45-a487-4f40560c81a8} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 3868 24b68d3df58 tab
                    3⤵
                      PID:4036
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.5.1835464478\1404052741" -childID 4 -isForBrowser -prefsHandle 4644 -prefMapHandle 4640 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5065eea5-5ed6-469d-be0f-8fe8634589f4} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 4652 24b6795d258 tab
                      3⤵
                        PID:3744
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.6.766027257\1169374824" -childID 5 -isForBrowser -prefsHandle 4796 -prefMapHandle 4800 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e3a5eb2-0a26-4ca7-9f91-939c4f7b6bac} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 4788 24b6795d558 tab
                        3⤵
                          PID:4892
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.7.1097209203\709661045" -childID 6 -isForBrowser -prefsHandle 4996 -prefMapHandle 4780 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb90296-283f-4a27-8f04-01a5afdd1053} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 4984 24b6795e158 tab
                          3⤵
                            PID:432
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4876.8.1462824628\482970800" -childID 7 -isForBrowser -prefsHandle 2928 -prefMapHandle 4236 -prefsLen 26956 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0b1bf8c-d216-4cd2-a1c5-d4668d06957a} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" 2564 24b6bc46858 tab
                            3⤵
                              PID:5020
                        • C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
                          "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
                          1⤵
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:3964

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          151KB

                          MD5

                          7162c9b99da805dfce500112b271a088

                          SHA1

                          ef5acfba6aded676ab18d66faa52c31d60637885

                          SHA256

                          671700d71927357541ffe099b43bdced04316f26b453e7a32e6306e1eec6ad29

                          SHA512

                          d57230ebf180dab71ae678e4e006333381416524ededac7d53e051acf64f7dbd8f5f7d9860bf67841687e26d5fe05bdf8cea16758c6297d6e0e205f0aa469e61

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi00fcoy.ehp.ps1
                          Filesize

                          1B

                          MD5

                          c4ca4238a0b923820dcc509a6f75849b

                          SHA1

                          356a192b7913b04c54574d18c28d46e6395428ab

                          SHA256

                          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                          SHA512

                          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_E3A38113465E4A008617622A96DE2558.dat
                          Filesize

                          940B

                          MD5

                          05803475399dbcc2c547a209621fb5f3

                          SHA1

                          ec6aef7b860d6e27b8ac17a623a9883e37e36858

                          SHA256

                          2dbdb8d8e44a8cb783bbc7b7321000d2f82b56280997fc7b68838111d8d46e9d

                          SHA512

                          9f831e49e27f4c7eee4c4e31b1107dfeb2769f68df50e4ee9d63bb8e8f8fa5c9b677fa019bbfa1531b886f982c61d966ec5c4716a9e8bb5e0abb3381defd9399

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
                          Filesize

                          6KB

                          MD5

                          fc03769491e92557713bff75b3dcae44

                          SHA1

                          a4f4687575dba8a950a014c93d8f9f086a2b68d6

                          SHA256

                          3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

                          SHA512

                          8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          5051d0ab35fe3c48ad8fde389311aeb0

                          SHA1

                          df8ae313f2181bfd758fdfdf0fb8852f877d7c98

                          SHA256

                          a3f2b6bdd76d96aa961c0ac4fa15f7667e56b496805374130586506e642d61b4

                          SHA512

                          8cc320c610f59b8c33b2c896f22094648c230aafd1737e4547007551c1886a2a07658218870afcc6829fe4dfc3f587d269653ae21967bb4df5c4e3527ab3649c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          5210fae8bd558da5bd459417f8221aff

                          SHA1

                          fe53d76b45b20562b9ce875a06db5c5ad9d52ef6

                          SHA256

                          d157cc99d1e9927449884b467521fc5238ba93f01902f5f3101907f356aed94e

                          SHA512

                          7a9392cd3ce44602eef4448694ad36e9609ba4f94a1a44226b535028fcda49b11c7a50688db07712ac7ab30c7459156a196e4cc9b92d9c7d46689ae1ab0c289f

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                          Filesize

                          184KB

                          MD5

                          2868ade33b3fc157edc3d0e6b6b88d96

                          SHA1

                          2fbc5d21e4b5b51b85aa242c5f1094b78b42f06f

                          SHA256

                          463716a72dce3b7c34a12818ca051fc044627890946b4437b6998bcc24a20534

                          SHA512

                          0756622f5ab9deb31b5cb909c570b236b58fd594d9ff52b92a670761f1b447a1f15f9032a50dce0bbd9b176a761fe7a5f2095938c1642bfe04b93ba83147ee0d

                          Download Submit

                        • memory/3884-192-0x0000025222A10000-0x0000025222A24000-memory.dmp

                          Filesize

                          80KB

                          Download

                        • memory/3964-433-0x00007FFD2E820000-0x00007FFD2E830000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3964-434-0x00007FFD2E820000-0x00007FFD2E830000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3964-435-0x00007FFD2E820000-0x00007FFD2E830000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3964-436-0x00007FFD2E820000-0x00007FFD2E830000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3964-453-0x00007FFD2B920000-0x00007FFD2B930000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3964-458-0x00007FFD2B920000-0x00007FFD2B930000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4820-172-0x000001E07F370000-0x000001E07F380000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4820-173-0x000001E07F370000-0x000001E07F380000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4820-167-0x000001E07F370000-0x000001E07F380000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4820-166-0x000001E07F370000-0x000001E07F380000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4820-165-0x000001E07F9F0000-0x000001E07FA66000-memory.dmp

                          Filesize

                          472KB

                          Download

                        • memory/4820-154-0x000001E07F380000-0x000001E07F3BC000-memory.dmp

                          Filesize

                          240KB

                          Download

                        • memory/4820-127-0x000001E07F300000-0x000001E07F322000-memory.dmp

                          Filesize

                          136KB

                          Download