Resubmissions

05/11/2023, 21:47

231105-1m9h1sdb6v 6

05/11/2023, 21:43

231105-1lb65adb3x 6

05/11/2023, 21:37

231105-1gy54aeg83 1

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2023, 21:43

General

  • Target

    https://adfoc.us/serve/sitelinks/?id=271228&url=https://maven.minecraftforge.net/net/minecraftforge/forge/1.20.1-47.2.0/forge-1.20.1-47.2.0-installer.jar

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar https://adfoc.us/serve/sitelinks/?id=271228&url=https://maven.minecraftforge.net/net/minecraftforge/forge/1.20.1-47.2.0/forge-1.20.1-47.2.0-installer.jar
    1⤵
      PID:2960
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.0.103598834\1815143165" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1888 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff56ef97-e393-4914-a53e-3f5ab9bd6200} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1996 1ddf99c8058 gpu
          3⤵
            PID:3104
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.1.759438186\2111160024" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2376 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61945b1b-b0b4-455c-a011-d38c758cf41b} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 2396 1ddf9532958 socket
            3⤵
              PID:4428
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.2.1135073592\1972773672" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3324 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e385ea5-afbe-424a-b7ed-f0be64727d00} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3300 1ddfdcac358 tab
              3⤵
                PID:1564
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.3.1989727336\810127084" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {707c0179-ed66-4ae4-8c37-a966aebfe95d} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3596 1dded161f58 tab
                3⤵
                  PID:1360
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.4.1459589197\739563375" -childID 3 -isForBrowser -prefsHandle 3984 -prefMapHandle 3980 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c031f828-de1e-4106-b0d3-84bf05cec13d} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 3996 1ddfc72c758 tab
                  3⤵
                    PID:3540
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.5.36456264\1475652238" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5032 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb96d1b-52be-4df4-96cd-36ad095eb132} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5124 1ddffb49b58 tab
                    3⤵
                      PID:5276
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.6.807640261\1160102562" -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5340 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {add72837-1da6-4696-b2f0-6173ab1dcf09} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5364 1de0017c858 tab
                      3⤵
                        PID:5308
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.7.1694307283\700435910" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de198cf-0bba-479e-9ce5-650fa7430707} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5356 1de0017b358 tab
                        3⤵
                          PID:5332
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1288.8.972502385\199802909" -childID 7 -isForBrowser -prefsHandle 5392 -prefMapHandle 5340 -prefsLen 27057 -prefMapSize 232675 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f5cfec6-3afa-459a-8639-188733ca42f6} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 5656 1ddfc250b58 tab
                          3⤵
                            PID:5264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp (22KB)
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\thumbnails\a99da03408bfae5e87bc79f0d81d82a9.png (12KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js (7KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js (6KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs-1.js (6KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4 (1KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4 (1KB)
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore-backups\recovery.jsonlz4 (2KB)