Resubmissions

01/06/2023, 12:53

230601-p4ybjaec78 1

01/06/2023, 12:40

230601-pwjs6sec53 1

Analysis

  • max time kernel: 137s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01/06/2023, 12:53

General

  • Target: emailclick
  • Size: 4B
  • MD5: 37a6259cc0c1dae299a7866489dff0bd
  • SHA1: 2be88ca4242c76e8253ac62474851065032d6833
  • SHA256: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b
  • SHA512: 04f8ff2682604862e405bf88de102ed7710ac45c1205957625e4ee3e5f5a2241e453614acc451345b91bafc88f38804019c7492444595674e94e8cf4be53817f

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\emailclick
    1⤵
      PID:4104
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.0.241891645\1126828348" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a187888e-7adc-4c40-92b9-029e6ca16bee} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 1940 1fa7d9ef258 gpu
          3⤵
            PID:3652
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.1.1719770245\713184693" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54e299a-de04-4c35-a8ee-22dc20507ca8} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 2332 1fa70a72258 socket
            3⤵
            • Checks processor information in registry
            PID:4200
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.2.2088621566\794314228" -childID 1 -isForBrowser -prefsHandle 3440 -prefMapHandle 2888 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e601153-7a3a-4017-9910-73b6b3dbecca} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3416 1fa7d969758 tab
            3⤵
              PID:4680
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.3.1820881713\1322298096" -childID 2 -isForBrowser -prefsHandle 2368 -prefMapHandle 1456 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f79ac4d1-de14-48de-a101-4254aa7dfe78} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3296 1fa009e1058 tab
              3⤵
                PID:3724
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.4.828821941\950242547" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c514908-23c1-4839-a2ba-525d385a0d11} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 4220 1fa70a5f558 tab
                3⤵
                  PID:2268
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.5.1588661843\115821918" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5100 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b31505d9-6098-4302-840c-d99cc701b67c} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5092 1fa70a60d58 tab
                  3⤵
                    PID:5060
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.7.1474114593\1586128752" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ddcfe4d-541f-4380-abfb-c0420de06726} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5312 1fa04f4f858 tab
                    3⤵
                      PID:3324
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.6.2006467381\2027041802" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d1fe976-00e2-4697-9330-ce03a4f59dea} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5080 1fa04f4f558 tab
                      3⤵
                        PID:4204

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 147KB
    MD5: af75177291ca1d769c39cc67f6013ee9
    SHA1: 28110a9e865d0dec1f884cc07aea4215ed675cc8
    SHA256: 6c0bbb359d0b18604906fe8a68c100e03a5d630fd3d647ef14d214e4ee278337
    SHA512: ec0efa131abd1ad4981f4d354914001447c1b202de8ecf2e7d1c6352bf256c11dc041af9cdcdfda1f859c4b404acece02c7bcc4d769f3aecb756a86a3c859d25

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 6d4efc9cf7169bf5156ee568c465e2fa
    SHA1: 74914e18e6b229b79ad8a9d9219e3bcefc730f81
    SHA256: e024507af1ddd2df3b05cd2a58d4b0228555d1ea5e2f26329c6427582dbf8341
    SHA512: 90a346c19941c7ab13750f6ef406162f081293b98cafed7d11bdca27af6bece67a03f6ebedc28f1d97cf2fa8262422e6491576eaf872e72151758981067999de

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 1ec7e1208acf922a81fb994b3e9f0829
    SHA1: 2484877a572f4936711b56b66970e0e1672714b7
    SHA256: 1bca479dfbc3e892d42ba132f64e7155b7b70f4bff9653d66fd58587c2f035e8
    SHA512: bf58d0212375cf53131d06681d4691ab20de74564784b3ad53302a63c9eea8c68505758d5d3c6dc80c06a1a4fedf73eb35cd75ba4b7b3f4076358e990e857ccd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
    Filesize: 6KB
    MD5: f73e52d124620d05267ba934f3b312d3
    SHA1: 34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
    SHA256: fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
    SHA512: 4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4
    Filesize: 884B
    MD5: 7d9b4c1087a6a1c1c7a0606856e32ec2
    SHA1: ec9d6f99bcfe06a7c970a0a8eef8dde0bd76c905
    SHA256: eb594bcfb76142d319550b254d8a9c20807b041b2ffb13ab7d30be4f532beab1
    SHA512: 7b07df5f3aa571dbfede38c037b1a851ca8fba0aa5f5e5956ab491f218506c33449c340397df08d8cd904a53a96fc375ec556b8e5e9d74aa1ee5be6bc293035d