Resubmissions

18/05/2023, 15:11

230518-sk226abf7v 4

18/05/2023, 15:08

230518-sh8rxscg35 8

18/05/2023, 15:05

230518-sgg8kscg28 3

18/05/2023, 15:02

230518-sewcescg22 6

18/05/2023, 14:59

230518-sc2fnabf4y 3

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18/05/2023, 15:05

General

  • Target

    Word Art.png

  • Size

    285KB

  • MD5

    5e1e55ce7c0e73d9aa5c24576d2bee38

  • SHA1

    9998739431d728d3c53d6fc5d78a885a41a83cfd

  • SHA256

    2fc5195f1f3e184fa69ee23738987a33747bd904b5cfd1ebaccf0fce5cc0a031

  • SHA512

    95522315bc4511cfead41f34b80eb18e4b75c6ae842aed488d5b4b3fbdc5b6dfb5cf095c4b8b147f178f965269f50017b276c90df274dbaaa6c3a748570429e1

  • SSDEEP

    6144:Rz/OcxfSfMFUxMAOtdgVFn8tVcIFKtunpO2A9itU5FIXwibFOw3MpujR1ZT:VpxfS+fdtdyn8zcIhZhU5FIvvBB

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Word Art.png"
    1⤵
      PID:4092
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.0.295716768\778584111" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd6efd3-4ee3-4055-8c3e-45ac30cc5ab2} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 1732 1ed63a17d58 gpu
          3⤵
            PID:2500
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.1.490169719\423006217" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a2fd734-c67a-4a8e-b838-2b40487a0b7c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2088 1ed57272b58 socket
            3⤵
              PID:2848
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.2.1636529994\384510153" -childID 1 -isForBrowser -prefsHandle 2684 -prefMapHandle 2840 -prefsLen 21039 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7624c90e-5e82-4e47-9e7b-e52cc267037b} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2812 1ed66832858 tab
              3⤵
                PID:1780
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.3.1947929157\1993643655" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 1048 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffdeffa0-b7ef-42b9-b2af-4c421b11b6ab} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 3532 1ed57261f58 tab
                3⤵
                  PID:3788
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.4.364764281\269152664" -childID 3 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fd4d519-60e0-41f5-9c88-dfb667d316ff} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 3760 1ed67bf8058 tab
                  3⤵
                    PID:3772
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.7.255519477\1151233994" -childID 6 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea7e6179-af97-4747-84cd-827bbf849274} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4880 1ed68ade858 tab
                    3⤵
                      PID:1312
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.6.406431507\1595190530" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d202dee-83da-48b4-bbfc-644a60a0ab13} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4744 1ed68adf458 tab
                      3⤵
                        PID:1368
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.5.2114244985\1912328399" -childID 4 -isForBrowser -prefsHandle 4776 -prefMapHandle 4760 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46401087-4718-45e1-8489-68fb0342b670} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 4784 1ed68ade258 tab
                        3⤵
                          PID:1732
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.8.2031995984\949257217" -childID 7 -isForBrowser -prefsHandle 5408 -prefMapHandle 3212 -prefsLen 26825 -prefMapSize 232645 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c08d826c-ff61-47d1-a59f-1915ac84a219} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2860 1ed6843c558 tab
                          3⤵
                            PID:868

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 156KB
    MD5: fd7e61b3204b7867ca88c3a8605810c4
    SHA1: d89715e340f826c67ed178b44479f2de6478d597
    SHA256: ef44d310c03b9e9467a133b5e162625f05a13f7c58de9a8f38ea946b37a69189
    SHA512: be283aab07491fa5bcd72dffb438614b17407efa4e9a185342c50587be865b8deaab9ad5960ce062f0eb9b7cd09e15587391c457a05bb32ab3c4d512aab4fe82

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js
    Filesize: 6KB
    MD5: cdb5a91b7898f75f98e448e80b41dba6
    SHA1: c749651f98e32a2320d2e52fd467fd6217660535
    SHA256: ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc
    SHA512: b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: f9ff54a6e08091402581cf4317e86e55
    SHA1: 258ed40e622ba6d7e9b34212212e85967254a763
    SHA256: 3270d4bb9b8030cb1f08c6a2a46777c8c9d1d7d2c843a9bf94666917e79ac4b1
    SHA512: 2eb01de49bc17d41c4db6ec13aec431c12407ad2874db8967b480eb6acf9724e2b40dbbd1862708d94b2fa72252949127d6abeb9a333ca829a0f28edca952329

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: ed1e9e92042d838bf2f500ef9df87339
    SHA1: 4064a391494630030f196f0a6730c200d9a76015
    SHA256: 98ce9466ed66a168a06e65e9f786fc118f1d16e5b32d7617bce727e0ebefb6e8
    SHA512: e105996cc7e3b7f83aa8ed5173c9f2312d7da4c98596db51f85dbb8eedb37b866045f924f4b41646f2d2cd74e3acda64b71164d61be614a0d65199cd1ae57a97

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4
    Filesize: 1KB
    MD5: a542d0062e1d6b07517acc8404735126
    SHA1: c545b0d82037e8516c80fdf65d7ae1c737bbc828
    SHA256: dabee5dc83c09fdebe60d84febf12f25f4b68ab7b52980e9a45164f41144bdb0
    SHA512: 0b57bc688a48ec67ed244e0b5019bc18c482397dacf1c8a0686239caabbff6db2cc1b987a02598f2e56eaafa6a8b2d2e7e1b77b36f7981f49c5267ed9b7107aa

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: bdeb075204e9fc219621b8de9e8d2a56
    SHA1: 88571b3073c9dbbceb4ecbb29a9600bfa264245d
    SHA256: 4ba399c68a3f9bfea37fa7d824050b31e0b6d1f44ba03486b5e828ba9e19fec0
    SHA512: f1627bd89bd1b75323642586762c430655f9278700452b06a0ef81dd16a3325ed0ccb6b6a97bc02d8605caa1d02cd07bbef8752ae899f08a22fcec2a522f46cd