Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

1

URLScan

urlscan

1

https://bedrapiona.c...

windows10-2004-x64

1

Resubmissions

17/05/2023, 10:57

230517-m2bnmsdg7t 1

17/05/2023, 10:53

230517-mzbkvsdg6s 1

Analysis

  • max time kernel
    84s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/05/2023, 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://bedrapiona.com/apu.php?oo=1&zoneid=1649945

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://bedrapiona.com/apu.php?oo=1&zoneid=1649945
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4460 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2424
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1096
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\apu.json
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:548
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.0.659952832\1292231329" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ab52be6-1a14-433b-aa11-d2b05294f7e3} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 1916 16bfd716858 gpu
          3⤵
            PID:4212
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.1.804126456\872405331" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f11d782-417a-4b5a-a87e-60924d49a903} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 2316 16bef772b58 socket
            3⤵
            • Checks processor information in registry
            PID:772
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.2.884673010\1858798364" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2808 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4db4e21-110f-46a6-8913-3ea1c6fe4e13} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 3168 16b81f0c858 tab
            3⤵
              PID:1908
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.3.1419175860\2129029459" -childID 2 -isForBrowser -prefsHandle 1192 -prefMapHandle 1180 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fc355fb-02c9-49a8-a30c-f53007a2f5a5} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 3372 16b808b9258 tab
              3⤵
                PID:556
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.4.239673479\418560427" -childID 3 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653acf87-5f2b-4e54-bb6a-08059e6fa7ca} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 3904 16b830d7858 tab
                3⤵
                  PID:2108
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.5.970687268\1909952736" -childID 4 -isForBrowser -prefsHandle 4948 -prefMapHandle 1648 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade2afc1-618f-4ce6-b999-080c3d33409f} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 4624 16b81d6e558 tab
                  3⤵
                    PID:4768
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.7.1925418636\60378269" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45134297-dfba-45d1-b76d-b89773b39142} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 5268 16b85397858 tab
                    3⤵
                      PID:4040
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.6.1359141662\1368608896" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4600 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e541682-8920-4412-92de-21ff99bdf650} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 4980 16b84a0d358 tab
                      3⤵
                        PID:1948
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3848.8.1122163020\1110481130" -childID 7 -isForBrowser -prefsHandle 5696 -prefMapHandle 5488 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aff4039d-5101-4678-927e-31aad1574f7a} 3848 "\\.\pipe\gecko-crash-server-pipe.3848" 5704 16b8604fe58 tab
                        3⤵
                          PID:1200

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\apu[1].json
                      Filesize

                      2KB

                      MD5

                      6f7dbf219b51df8e74d95dcbae62698a

                      SHA1

                      98ca397fa073523549ae0c6fe603eda8ebe3c703

                      SHA256

                      91825c49a01661d0cc64ba36beec777a45e1fca3c9c99ebccd366d7d8362d0b1

                      SHA512

                      22fc8dd4892d8031951d4f18e32a1e4fdc018b3322f981a6ff943636b2517063c40e65a544231674d80297f405b8ee2643fe275e0e7fbe556090b385845fbc86

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\suggestions[1].en-US
                      Filesize

                      17KB

                      MD5

                      5a34cb996293fde2cb7a4ac89587393a

                      SHA1

                      3c96c993500690d1a77873cd62bc639b3a10653f

                      SHA256

                      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                      SHA512

                      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      151KB

                      MD5

                      96ab9327a73d6b0e4c39a4b0f6c8e64a

                      SHA1

                      bfb65813bece15ba69c83ee6c956df56f16604c6

                      SHA256

                      4333cf6584c7b980131960ec96ebbab6ca8895c4e33b265ed47ad451620fedcb

                      SHA512

                      0163607f8a9c345dadf2a67002ce691a3491db5410480d8b5ec7b14afbf6cbebdf37a381eacf5655bda59f54fd4fb65fefb79214d22ed96627193bb02d8313b7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      8e799a641627be4dbafe21e2f9adb061

                      SHA1

                      dc0f1808ce3c3b4f63341bf16ce3ede3881bb6ef

                      SHA256

                      6fab642a8ebfb2c4e2358c2b4159806267b87da26ba64544477fb2d520f58531

                      SHA512

                      34f5545053e78f1f5f4d318505c529c6b7feafc769afc37ce8df9bdbda758bf724a510b8bb09ebe153f589af4a41b2e563207d87b7f5093f4c37e8a900ab1d18

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      03bed75a5759a8578b07bccf5a5b9047

                      SHA1

                      c8eaeaeada773705aa3ce4ab98fa30347214b8ef

                      SHA256

                      3fe309e06143044381cd2610a6231c89c4a4258a218e14181f6ff740896431e2

                      SHA512

                      7e1e7b4f341635903dfe27c1a2930352318a6a8966c71a3028ca184c5cf67e8c749ac82f96f78f9548639bb51e0d682323cc020f14620a6af9fbb3ff0549cc13

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      108b97b1ff7efbdb1aecce96d55ff2e5

                      SHA1

                      bb72b2e0c3d859fe5e821632307a32df331b55e1

                      SHA256

                      c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

                      SHA512

                      e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionCheckpoints.json.tmp
                      Filesize

                      259B

                      MD5

                      e6c20f53d6714067f2b49d0e9ba8030e

                      SHA1

                      f516dc1084cdd8302b3e7f7167b905e603b6f04f

                      SHA256

                      50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

                      SHA512

                      462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      c8fba5ee20ad1c8ebd99512a5454c82a

                      SHA1

                      aa5ed3507dc186ad07578c0018ca6a04d5c3ce00

                      SHA256

                      5c477ef54458564ffe9b7152b57d4d1f7209f5de42a44f899dd2188c92e1e4ce

                      SHA512

                      eaf65ab12c516ed04405d5e8922237cf18c1499be52229f8d5aeef641f759fa00b966b6e5b19f0eaa13219bb5a53bcba051aa43598469a6e3842ee6967624d0a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore.jsonlz4
                      Filesize

                      1KB

                      MD5

                      0b8147ebcd78219820d52776f26a68f2

                      SHA1

                      04306914c0a7571a808432263b0b74594d967c59

                      SHA256

                      3874b8090503155a0e10cdf9fbf6f52d690470b986a10d2b5a161d608f8cb460

                      SHA512

                      d829f9f692d6c62764d82e428f15620b047720eb5fe69db6f807a97c8e2e566a543fdebca8703d1c34674b107ea956d1402a3147ca5882a2fef294d2012f175b

                      Download Submit

                    • C:\Users\Admin\Downloads\apu.json.baio1rv.partial
                      Filesize

                      2KB

                      MD5

                      6f7dbf219b51df8e74d95dcbae62698a

                      SHA1

                      98ca397fa073523549ae0c6fe603eda8ebe3c703

                      SHA256

                      91825c49a01661d0cc64ba36beec777a45e1fca3c9c99ebccd366d7d8362d0b1

                      SHA512

                      22fc8dd4892d8031951d4f18e32a1e4fdc018b3322f981a6ff943636b2517063c40e65a544231674d80297f405b8ee2643fe275e0e7fbe556090b385845fbc86

                      Download Submit