Analysis

  • max time kernel
    32s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2023, 06:30

General

  • Target

    libglib-2.0-0.dll

  • Size

    1.5MB

  • MD5

    8ab556a999061144bd9b806dc4d89e6f

  • SHA1

    001829a524b7da3e76145e200d01a7a395d3d3a3

  • SHA256

    7ffe6a688ced7b887d76039632d56bba34e8c27f0700b51092f73da38d889c6f

  • SHA512

    8345b3e9f3bb9219666e40639b85778a384875ce83a1c104e2fb0ad3d786d7f9f27969cb1df07afc4f641ceb7b30536cc2a6a4cb3bf6b2ccf7686562a24e0e19

  • SSDEEP

    49152:S9WyA383FUtatgxYh26WdRhBCvBqZAS5tvA:GFUtKh26ihBuBvn

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
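The "Checks processor information in registry" signature is raised when a process reads HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor (in this run it fires on firefox.exe, PIDs 2080 and 2500, not on the rundll32 host of the sample). The following added example, not code from the Triage report or from the glib project, shows what an evasive sample does with those values (hypervisor strings in ProcessorNameString, an unexpected VendorIdentifier, a one-core box) and why the read on its own is weak evidence: ordinary software reads the same key. The marker list and thresholds are this example's own assumptions; the sample inputs are constructed.

```python
"""
Sandbox check via HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor.

The registry exposes per-CPU subkeys (\0, \1, ...) whose count is the logical
CPU count, and \0 carries ProcessorNameString and VendorIdentifier.  Evasive
samples read these before detonating; benign software reads them too, so a
detection needs correlation with what the process does next.
"""
import sys

# Assumed marker list for this example; real samples carry their own.
HYPERVISOR_MARKERS = ("qemu", "virtual", "kvm", "vmware", "xen", "hyper-v", "bochs")
KNOWN_VENDORS = ("genuineintel", "authenticamd")


def classify_cpu_info(processor_name, vendor, logical_cpus):
    """Return the reasons an evasive sample would treat this host as a sandbox.

    An empty list means the values look like real hardware to this heuristic.
    """
    reasons = []
    lowered = processor_name.lower()
    for marker in HYPERVISOR_MARKERS:
        if marker in lowered:
            reasons.append(f"processor name mentions '{marker}'")
            break                      # one hit is enough; do not double-count
    if vendor.lower() not in KNOWN_VENDORS:
        reasons.append(f"unexpected VendorIdentifier {vendor!r}")
    if logical_cpus < 2:               # many sandboxes hand the guest one vCPU
        reasons.append(f"only {logical_cpus} logical CPU")
    return reasons


def read_cpu_info_from_registry():
    """Windows only: read exactly the values the signature watches for.

    Returns (ProcessorNameString, VendorIdentifier, logical CPU count).
    """
    import winreg  # stdlib, but only importable on Windows
    base = r"HARDWARE\DESCRIPTION\System\CentralProcessor"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        logical_cpus = winreg.QueryInfoKey(root)[0]   # subkey count == CPUs
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\0") as cpu0:
        name = winreg.QueryValueEx(cpu0, "ProcessorNameString")[0]
        vendor = winreg.QueryValueEx(cpu0, "VendorIdentifier")[0]
    return name, vendor, logical_cpus


# Constructed inputs: a typical single-vCPU QEMU guest and a physical laptop.
CONSTRUCTED_HOSTS = {
    "qemu guest": ("QEMU Virtual CPU version 2.5+", "GenuineIntel", 1),
    "laptop": ("Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz", "GenuineIntel", 12),
}

if __name__ == "__main__":
    for label, values in CONSTRUCTED_HOSTS.items():
        print(label, "->", classify_cpu_info(*values) or "looks like real hardware")
    if sys.platform == "win32":
        print("this host ->", classify_cpu_info(*read_cpu_info_from_registry()))
```

On a Triage win7-x64 guest the real read typically returns a hypervisor CPU string; that is exactly what a sample tests for, and why a sandbox that patches these values before detonation sees more of the payload.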

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2192 -s 152
      2⤵
      PID:2416
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.40563868\1556804107" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1228 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a820d3fb-bb5a-46f7-bd9f-ffb7a4e563e6} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1372 10bd1b58 gpu
        3⤵
        PID:2680
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.1.944091604\537830542" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21019 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea232f1-2346-4a77-a314-3335f100f726} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1548 e71058 socket
        3⤵
        • Checks processor information in registry
        PID:2500
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.2.1695824732\711381358" -childID 1 -isForBrowser -prefsHandle 2236 -prefMapHandle 2000 -prefsLen 21057 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d339c3fd-f223-42f1-a27d-5d4c190a6d76} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2276 1a84d558 tab
        3⤵
        PID:320
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.3.272125469\390450316" -childID 2 -isForBrowser -prefsHandle 2292 -prefMapHandle 668 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dd8784d-5860-4db9-9900-fad7963c9b9c} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2436 e62e58 tab
        3⤵
        PID:2708
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.4.23768346\1228630678" -childID 3 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26622 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e409b23-f1cf-4477-a73e-2b2c7ee17299} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3700 19b68558 tab
        3⤵
        PID:2888
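The sample was driven as `rundll32.exe libglib-2.0-0.dll,#1`: the `,#1` suffix tells rundll32 to load the DLL and call the export with ordinal 1, passing the fixed rundll32 arguments (HWND, HINSTANCE, LPSTR command line, int show-state) regardless of what that function actually expects. WerFault.exe -p 2192 attaching to the rundll32 process right afterwards is Windows Error Reporting handling a fault in that process. The report does not say which glib export sits at ordinal 1, so the added example below, not code from the Triage report or the glib project, is a dependency-free PE export-table walker that resolves an ordinal to its export name; it runs against a minimal PE32+ image it constructs itself (constructed.dll, ExportOne, ExportTwo are fixture names), and can be pointed at the real sample with a path argument.

```python
"""
Resolve what 'rundll32 <dll>,#N' calls: walk the PE export directory and map
ordinal N to its exported name (None for name-less exports).  Pure stdlib.
"""
import struct
import sys

EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def exports_by_ordinal(data):
    """Return {ordinal: name_or_None} for every export in PE image bytes `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = {0x10B: 96, 0x20B: 112}[magic]          # PE32 vs PE32+ layout
    if struct.unpack_from("<I", data, opt + dir_off - 4)[0] < 1:
        return {}                                      # no data directories
    exp_rva, _exp_size = struct.unpack_from("<II", data, opt + dir_off)
    if exp_rva == 0:
        return {}                                      # DLL exports nothing
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    fields = struct.unpack_from(EXPORT_DIR_FMT, data, _rva_to_offset(sections, exp_rva))
    base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = fields[5:]
    result = {}
    funcs_off = _rva_to_offset(sections, funcs_rva)
    for i in range(nfuncs):
        if struct.unpack_from("<I", data, funcs_off + 4 * i)[0]:
            result[base + i] = None                    # zero RVA = unused ordinal
    names_off = _rva_to_offset(sections, names_rva)
    ords_off = _rva_to_offset(sections, ords_rva)
    for i in range(nnames):                            # names are attached via the ordinal table
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        result[base + idx] = _cstr(data, _rva_to_offset(sections, name_rva))
    return result


def resolve_rundll32_target(data, ordinal):
    """Describe the export rundll32 would call for '<dll>,#<ordinal>'."""
    table = exports_by_ordinal(data)
    if ordinal not in table:
        return f"#{ordinal}: not exported"
    return f"#{ordinal}: {table[ordinal] or 'name-less export'}"


def build_constructed_pe():
    """Construct a minimal PE32+ with three exports (fixture, not a real DLL)."""
    edata_rva, edata_off = 0x1000, 0x200
    funcs = [0x2000, 0x2010, 0x2020]        # fake code RVAs, never dereferenced
    names = [b"ExportOne", b"ExportTwo"]    # ordinal 3 is deliberately name-less
    funcs_rva = edata_rva + 40
    names_rva = funcs_rva + 4 * len(funcs)
    ords_rva = names_rva + 4 * len(names)
    strings_rva = ords_rva + 2 * len(names)
    strings = bytearray(b"constructed.dll\0")
    name_rvas = []
    for n in names:
        name_rvas.append(strings_rva + len(strings))
        strings += n + b"\0"
    edata = (struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, strings_rva, 1, len(funcs),
                         len(names), funcs_rva, names_rva, ords_rva)
             + struct.pack(f"<{len(funcs)}I", *funcs)
             + struct.pack(f"<{len(names)}I", *name_rvas)
             + struct.pack(f"<{len(names)}H", *range(len(names)))
             + bytes(strings)).ljust(0x200, b"\0")
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, edata_rva, len(edata))    # export directory
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    section = b".edata\0\0" + struct.pack("<IIII", 0x200, edata_rva, 0x200, edata_off) + b"\0" * 16
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes((dos + b"PE\0\0" + coff + opt + section).ljust(edata_off, b"\0") + edata)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe()
    ordinal = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    print(resolve_rundll32_target(image, ordinal))
```

Run it as `python resolve_ordinal.py libglib-2.0-0.dll 1` against the downloaded sample to learn which function rundll32 invoked; whatever it is, it receives rundll32's four fixed arguments, so a glib function with a different signature has no reason to behave, which is consistent with WerFault being spawned against PID 2192 in the tree above.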

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\167nfkxe.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    21KB

    MD5

    a93fcdecd00fdb630b584c5ee20d6240

    SHA1

    2566c74d6af3f68b562e0852e734efaed5f64dbb

    SHA256

    4760d860f2c529bd52054a7706c25b2b24d248c232905deeac5c2bd83c85d8ac

    SHA512

    51f6e16592826f71f2bc0e2e376997bae11a1dfcedbeb3adfad0e9b5e356573bdf1134bf26e5c9ad6c0b0df4dff09a27d4a975488fcf2913e4bd841a4d257e72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\167nfkxe.default-release\prefs-1.js

    Filesize

    6KB

    MD5

    8023326457265be33f1266f5378b6f02

    SHA1

    81d50c8003a022735537c9f00751bf7a8fae4ca2

    SHA256

    37508e5e10965f81b588c61a2d2f3e5a4a65a1b6703ffe95906bc6c1f22a4591

    SHA512

    bf0d1624725858019e6403ff96fe9d3103df1aad1acaeaca28383d8bf1d73084869fc8f13b1e1456910e1ed4535fac795f7266c33d6cee1c67352f3040e7fce1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\167nfkxe.default-release\sessionstore.jsonlz4

    Filesize

    391B

    MD5

    48bff7febcb2110acf3ae04f3d2f7ff1

    SHA1

    9f87734cb4db3ca2e4b5b0c4efd8d2a212ae9a9e

    SHA256

    69696c90d80a239f67d98556dac457a60368bde5995f6d7fe80dbbd88e723081

    SHA512

    04208f4d9e158557cac55e6293cc27b7df37f203f1c1d38cf0d2d2a61b34ff38b022012b7c3611f1eb5fe929417c48dd093c50b3f55a5d9b92c7b46ec54c3917