Resubmissions

23/10/2023, 16:30

231023-tz1nbaad4v 8

Analysis

  • max time kernel
    47s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/10/2023, 16:30

General

  • Target

    https://web1.zixmail.net/s/e?b=waupaca&m=ABANyPDIE5WmrOtAA3MYHqsp&c=ABBGDmy0SmHuT60ht0QGcnmB&em=chems%40dot%2ewi%2egov

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://web1.zixmail.net/s/e?b=waupaca&m=ABANyPDIE5WmrOtAA3MYHqsp&c=ABBGDmy0SmHuT60ht0QGcnmB&em=chems%40dot%2ewi%2egov"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://web1.zixmail.net/s/e?b=waupaca&m=ABANyPDIE5WmrOtAA3MYHqsp&c=ABBGDmy0SmHuT60ht0QGcnmB&em=chems%40dot%2ewi%2egov
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.0.205253359\227726869" -parentBuildID 20221007134813 -prefsHandle 1944 -prefMapHandle 1648 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e71866-63e1-4116-8cae-a0c76e467eab} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2024 1d9974cf758 gpu
        3⤵
        PID:1764
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.1.209909196\277026727" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ed4164-1018-417e-84e1-db9e8fd75213} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2448 1d996fe6558 socket
        3⤵
        • Checks processor information in registry
        PID:2676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.2.350442034\449862878" -childID 1 -isForBrowser -prefsHandle 1616 -prefMapHandle 2832 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1164 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75dce256-98d5-4ace-88d1-85618ba68668} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 1428 1d99aee4c58 tab
        3⤵
        PID:832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.3.1149438404\1423166594" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1164 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8acd0886-b442-4009-845b-f954bf67d324} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 3652 1d999ce9758 tab
        3⤵
        PID:3888
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.6.177304590\1564215878" -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1164 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b156687-89d8-4878-8097-7de3b607bf14} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5148 1d99d58d358 tab
        3⤵
        PID:1960
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.5.1857505276\110436631" -childID 4 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1164 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d4ce239-baaf-41a2-8f0f-be76cf3ce5eb} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5040 1d99d58be58 tab
        3⤵
        PID:1608
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.4.1917637519\351643994" -childID 3 -isForBrowser -prefsHandle 4824 -prefMapHandle 4792 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1164 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de44e52b-1dda-4df3-be4d-0554e01df106} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4832 1d99d58cd58 tab
        3⤵
        PID:1780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js
    Filesize: 7KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js
    Filesize: 6KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore.jsonlz4
    Filesize: 2KB