Resubmissions

12/10/2023, 07:22

231012-h7gdvsdf5t 8

12/10/2023, 07:16

231012-h3rn2add4v 8

Analysis

  • max time kernel
    203s
  • max time network
    230s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-de
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-de, locale:de-de, os:windows10-2004-x64, system, windows
  • submitted
    12/10/2023, 07:22

General

  • Target

    http://151.139.71.44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe?cacheHostOrigin=11.au.download.windowsupdate.com

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://151.139.71.44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe?cacheHostOrigin=11.au.download.windowsupdate.com"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://151.139.71.44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe?cacheHostOrigin=11.au.download.windowsupdate.com
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.0.1773813206\259981900" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ece7564-361d-40c5-8c88-4c81c6db713f} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 1980 1d1aeed1a58 gpu
        3⤵
        PID:4840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.1.1393157937\792936061" -parentBuildID 20221007134813 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e7908e-d4f2-472e-979f-01f5f5e273c2} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 2400 1d1a2675b58 socket
        3⤵
        PID:2328
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.2.1501526784\1625354165" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1188 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b05c4cf-e5ae-46ab-b834-922a2f2995cc} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 3044 1d1b3095a58 tab
        3⤵
        PID:4012
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.3.459699144\57770478" -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26372 -prefMapSize 232675 -jsInitHandle 1188 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {276c1f4e-4614-4d30-97f6-2c4c4b0d8cc0} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 3840 1d1b08b9358 tab
        3⤵
        PID:2556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.4.1355973276\480454462" -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5220 -prefsLen 26976 -prefMapSize 232675 -jsInitHandle 1188 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b0f579-dd61-47f8-868f-1e8341fe2e75} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 5172 1d1a2670858 tab
        3⤵
        PID:2776
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.6.2101518530\1827595892" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26976 -prefMapSize 232675 -jsInitHandle 1188 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5047884a-252b-47f2-80aa-7f26bbe64b26} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 5424 1d1aedefc58 tab
        3⤵
        PID:560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5048.5.1732418611\1209638845" -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26976 -prefMapSize 232675 -jsInitHandle 1188 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f820b15-1e08-4673-af7d-253da505839f} 5048 "\\.\pipe\gecko-crash-server-pipe.5048" 5408 1d1b3008258 tab
        3⤵
        PID:2268
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k16kyoly.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 22KB
    MD5: 10172f24d116437d92490242a8d2c4b3
    SHA1: 46a6375b481bd4d8aca9cd88881a4176f34cd7bc
    SHA256: b0168130819dd607f6084d9a88cff1f04f303b177ff0a453b15ca06fcc68e1fc
    SHA512: 76cd226624e35568610a5d2f370794a1b58a43e0b9cb256ca40de493f98d076c3f86ebd4e5955cc14c94872b322429c7ef38977d2b2f89a4e237f9d29dad3491

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 3241bc6b7f0099f2d072c49522380a06
    SHA1: 23de657da37ed6dcf9cc17d7901ebb6cf7b13a49
    SHA256: 0ee41612d33df08364f464e09f77450272a63f2fbac5bedc853bcd4fa7ac2f95
    SHA512: 307ae57080f71a6e59499a7ceae0b37cc31389871bed098d611b38897be007b601c52f33a8765535f450205cbc67fee5a722129ca709e74847aa3cd44125f809

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 16538e03c0be01f8b54bb3702d686689
    SHA1: 82aa614a7267b763e4b6d477a6954d00acd41a6a
    SHA256: fc8ced5595cb0de7bf63ab516ca9261de108b7cfe70afa69c30f65e550be2794
    SHA512: e524a543c456fa05ce902f04601fee432e0fee75d2f8a9c14065efcf9a0889cb2ec563b915befd12b2f866400ed7b1a42c0c38968229f69ca4336c0fdd7c2fd3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1001B
    MD5: 8ebbf30cd58be39113214ac069377dac
    SHA1: b438c6984e75795d763e3df91b08c6b5469e909d
    SHA256: df0b89639075756e9c181566c91c35eee89707eb27f4b42ba8110e568fe20b62
    SHA512: b4106aed3578fb385c761f0e2557f3ae15b19cb47b2e5fe16c68326b861ef6afe629e00f7901b2ebabfef417db665a5fba1f54bbf1eefa79e0aa77b375115d6e

  • C:\Users\Admin\Downloads\am_delta_patch_1.IBlbBPcZ.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe.part
    Filesize: 363KB
    MD5: e34cb9e9c8bcedc47e73948bcc7bc14f
    SHA1: bc746d8c18f068d6d86621f340010900055a8737
    SHA256: b322f9e944fe1e883cfc822d938f2f557581cfb693d2def6c3834680a02c4b9a
    SHA512: c79b722c348b8f30fcb4c1fad5f23ec2a83424b2c4ba14e9152a3cf2f2b7478014dfa8ec60baa5323cfdf8d078d5aa064eac4237c4f6dd6efe6c11716f589601