Analysis

  • max time kernel
    96s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/06/2023, 19:06

General

  • Target

    https://forestacocinas.com/on/1td63n

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 8 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://forestacocinas.com/on/1td63n
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1488
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.0.1541531869\400011165" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00e813ca-e52b-45ab-8985-d4b68a99af5a} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 1932 1e29b018658 gpu
        3⤵
        PID:4068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.1.27466936\603349620" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78d3efb1-9fec-4276-a727-f67653cd6085} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 2332 1e28d06f858 socket
        3⤵
        PID:1292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.2.1038924375\1244003033" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2860 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19650034-2249-49e2-aa22-9495527d6672} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 3176 1e29dc07958 tab
        3⤵
        PID:3180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.3.1072479945\1290866656" -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 1624 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35415af0-1ccd-44d4-a1e5-966fdb817f5b} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 2364 1e28d071c58 tab
        3⤵
        PID:3980
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.4.1262781227\1196216035" -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d505d6d-1a4d-4911-a414-96e0a78b7463} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 4192 1e29ed9d658 tab
        3⤵
        PID:4460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.7.144946065\1108882570" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e398af19-c456-4845-8d3e-81d0fdfa24ed} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5312 1e2a04cca58 tab
        3⤵
        PID:4016
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.6.1269506589\274222529" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c671a0-0ad5-4cab-abbc-915171e2ebff} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5108 1e2a04cc158 tab
        3⤵
        PID:1192
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.5.82372822\766246352" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f790d4d-2bc8-4fca-a0b4-1a542f41ec9b} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5044 1e2a04cbe58 tab
        3⤵
        PID:2448
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.8.1800614444\273178241" -childID 7 -isForBrowser -prefsHandle 5296 -prefMapHandle 4748 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95500890-6dbf-474c-9f03-e105baefdec2} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5376 1e2a1743b58 tab
        3⤵
        PID:5308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.9.129878577\1433464199" -childID 8 -isForBrowser -prefsHandle 5904 -prefMapHandle 5964 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fddcfaf2-66bd-4bd3-963d-72a3d67e2263} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5956 1e28d02f658 tab
        3⤵
        PID:5444
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.10.1142180223\13335600" -childID 9 -isForBrowser -prefsHandle 5204 -prefMapHandle 2760 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {873f76f1-33d5-4a5a-9268-3bb9f94f86b3} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5288 1e28d061358 tab
        3⤵
        PID:6116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2260.11.817692186\1955723427" -childID 10 -isForBrowser -prefsHandle 5428 -prefMapHandle 5444 -prefsLen 27331 -prefMapSize 232675 -jsInitHandle 1480 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8b9b0c-1ff3-4fe9-8e49-d1772eda4d0d} 2260 "\\.\pipe\gecko-crash-server-pipe.2260" 5416 1e2a04b0958 tab
        3⤵
        PID:6076
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    PID:6024

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yndo74ei.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 159KB
    MD5: abecfa6822e4d392032504f683885ea3
    SHA1: fb0d018f81afa86f79e85ee22fdb5fe2f85da387
    SHA256: cb14af5aeed5f7f336a1da081ba9a947511fd34f2ea7049223b13bb2f96b0929
    SHA512: ba01cc403c3ad8ae5e28e1259021a1916262776bc8d348567f5a03ecf342e253380ec0f1c5706923d4303ead8d5aaeee986b90befc6865c58ca40817e57efe34

  • C:\Users\Admin\AppData\Local\Temp\~DF5CD7F77F3B8EF460.TMP
    Filesize: 16KB
    MD5: fae87beee1f34809dbd7a7380bca6cac
    SHA1: 8b59db59d7538a70fe25a5e8e0c24c686c7e09fa
    SHA256: 2266f08e04a60c4ddb1d7b7255ec7eae36975085a659e546e3b8ea86cc337528
    SHA512: 70f3a0afb1c7af579dc8d84ab65ef9a885c7b36bbf963b10104700928e254a9ce1154fdef54febec74588d05aec29d304639a64628b4225fd3e0d009c33c48e0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 745660ec5db8712e57d55d5012323174
    SHA1: efb0c0b09c927df2782668ae163a7d738bcd0303
    SHA256: ed6c6f85dfcab00699fcc8785cdd02908c210eb2d44fce00f45577bcf6e4092d
    SHA512: 1815ac7624d1ad76f2f9df2aa73288fb19ec3078eded351fd8b8583a26c9bb8b6553fdac13391c5457e5126324d4c97f90f5ca98e08a92a62ecf0e1bfaf948ef

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\prefs-1.js
    Filesize: 7KB
    MD5: beb82ca2c62d169202f992425269f29b
    SHA1: b796b790290ce3888a93ba5cb407a116027aac6b
    SHA256: a2f20ba91877c620772a582a1ea63811b10e95a1b722b2ea5ab482ddfd58b3d3
    SHA512: 9f0d6d20eef573917bc0b27a9a6b1f2ad45edb838a39e6b16c7eda00a22451bdca881d9ce4f3587fa3cb872ea9fe069ec15924091cb574fef5206d368208b9e8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: c1d543b9b61b6e650226e47232c6124c
    SHA1: 211dbb44e84516d0295a149517a1e02ace7483cd
    SHA256: f342d0df343f7e393d4e9f9b833c0c28de6d365c7b553d4cdeb7e04170093a1c
    SHA512: bdfb95b000eb9e82548308cc3c4b060ea9f00d47d30ae43e9e98416b7706e61ef5cc018ca0bb314e9be56d9a8e9e1f4658686d2b0c1e30b4f8a9fc420e247695

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: b81b511b8e80e71961ef6fed30948f2f
    SHA1: 982bc62a3c4769ce13456d096037f29169efbcca
    SHA256: 0a921c968cdaec6e1e1da36235a84bcb026ef9145b4f5a6590a4208efec78da1
    SHA512: 831b9c80f22bcd0400431f576ea5f08e38fb65c0ecae58351959ce0e065a8772ec2efe559ee6392ccfcf00d3491b94e0beb8b14be9335551f2f59963703536e5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 2a32b90ac890181d82fe8178f46c3857
    SHA1: 6c00c77960a3b992597a021881427ab40b9b090b
    SHA256: fc536734b484b2fd297277a78cdf2c123699cfaad30f6d998591a607c2bab93d
    SHA512: 267fe5d1e4ee3e26ba921bcd8c4441c9dffe557c8ba9ad33f72f2984df77b411492a0a8e6b956b41c501ed70a1c0ce2d8d5af029ebcbb83f60dfbde6eb24fdc7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yndo74ei.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: e00218d81b16eeff499b28dc5ab308fc
    SHA1: a7478f13d39df9eed929810904b26da392b45b54
    SHA256: d6239ccb1979d02e9d5694f9165f782922dd1d52a5f47c1bcda8a225773f2f14
    SHA512: 504c7aa0391e796a762a2d315f5c97ce0aaeb1dccd024bc687b06c476905fc5f0b74fa478d07edd3893a5e416e1d72c08e3f88eb81b85040d266d21b3e5dc8a0