Resubmissions

20/11/2023, 11:58

231120-n5dg3sgf8z 1

20/11/2023, 11:57

231120-n4j88sfg37 1

Analysis

  • max time kernel
    59s
  • max time network
    68s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20/11/2023, 11:57

General

  • Target

    Wells_Fargo_verifymyidentity_process.html

  • Size

    971KB

  • MD5

    50cbda2670eed929e84f5ec44b67d878

  • SHA1

    8d0ab99756acef1736f31cef062a66cacbd5061d

  • SHA256

    1e3791543b30587241c65779dea7faff66f70e84a0bf343dcdb8250bdc120744

  • SHA512

    51e03cbaeeb357606de807feaf7019842df56cf383c69efed84f682504e55342adbbce70273452fbac169a7cce67bfd437330a957dc7bc5cbde7ed24f88d0ea2

  • SSDEEP

    12288:Hduw/xBVcqwSelOgU5YnCcNEv2uI/SRb3suUrXZbOU4wuTJ2075FSa761S2hKx3j:9uMVcvlQBYnCBmuUrd34lJPj7R2hQj

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Wells_Fargo_verifymyidentity_process.html"
    PID:4432
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Wells_Fargo_verifymyidentity_process.html
      PID:3940
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.0.1428073947\719379185" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1668 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a040236-2563-4a47-9105-d3dc6520d302} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 1760 218bb809a58 gpu
        PID:2204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.1.67278457\1157177164" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bd2e91d-8332-45c3-a390-8cc85837597d} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 2136 218ba5f9558 socket
        PID:2540
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.2.203990278\1329366603" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 21900 -prefMapSize 232675 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06aa66f3-3dc9-4e52-969d-bbcc0cbf7622} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 2504 218be5ec758 tab
        PID:4668
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.3.846256552\747002587" -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 1008 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8443cc06-9eaa-4f99-b3af-fffc5b6198ea} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 3348 218bf64c458 tab
        PID:4724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.6.154225564\1840206695" -childID 5 -isForBrowser -prefsHandle 4744 -prefMapHandle 4896 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b532a4b-a696-418b-a903-6ec54f08bb3a} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 5108 218c1d7de58 tab
        PID:944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.5.1639152652\5203224" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04e8c95e-441c-41fc-8326-dacd612cc125} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 4924 218c1842258 tab
        PID:3552
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.4.1263912298\2045629434" -childID 3 -isForBrowser -prefsHandle 4760 -prefMapHandle 4776 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8818cf-bc69-4a50-bc72-4e210510b10f} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 4744 218c16feb58 tab
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  21KB

                  MD5

                  fb9e8a53ee983dcecf49448b58296ce7

                  SHA1

                  8c2f96f95e5038b78cca1b1c2303c661792de904

                  SHA256

                  189bf8cd8187d1c5d1a5a401c1ca93b5baa6049f7209fea7bd1113e52437a89b

                  SHA512

                  fea0933bdd23e25550fc0bd10a58240db007c2200ec24778b97076b2c9416b3c03cfe171a61be246450c0c2913c74e3b0fda30fca22ad6c98f18787cee833b73

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

                  Filesize

                  7KB

                  MD5

                  a337f5bf7e0d19d8c9bd69d565a05232

                  SHA1

                  9700a8ccd4af685bc8bf9ac048b198076f726ad3

                  SHA256

                  8d5ec5068f135197e2b2e960e281518a1d61c6580e1ebece1053dbbe6583dddd

                  SHA512

                  8dcaaaca4c51fd16b0f85a365d3e17aac412118c901d221d82f179c7daf41f68cda4ff0dbfcfd20790fd6b0af75a3afdd228125be4eea579ee57fefcdd1d9adf

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\prefs-1.js

                  Filesize

                  6KB

                  MD5

                  42896fe760d5e180efd9683b3d531789

                  SHA1

                  3ab6e33d02df5cda4c774adf6097a804c6d95a3d

                  SHA256

                  f0f31ffb7855cef1fa54cdf1d58f87885f342daaa577db426572890dccc88ca8

                  SHA512

                  9bd5cdba1249db3d1948df6b0552e65968160409750a6831ce3754cd2495c9f22c0ab1ece2e4a4c1654f0d6ddb02ea1f572fdbfd02873af56bf678b477a1c8da

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  c20748f76aad7d9a67d88f4f019960d9

                  SHA1

                  efbfc8e29dc6612d6a7c123ed106c8d9b05af5ee

                  SHA256

                  e694dd9a7da9295ede95b81d51d29a5a0bdae02c741bfd00131e07266f25d0bd

                  SHA512

                  4993aef3ae0f54c7687c8d0e44110e39ff5d49e6df7fe89a768ad7524e0dfb4b5f116eaad52786cac92a444cb5f73fe654cc1cc7ca15f50c86d86fcd9a0b5a16

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  ca32bbc1e64cc89e88fcba8466a1999b

                  SHA1

                  8f0d9ee5db54d47d45289d3c1092cc9b0eaf3123

                  SHA256

                  4f98b10f0d5f834b555191636e092030b7c4810c6817af77c4c82f186ebe69e3

                  SHA512

                  ef34453bb6ad6dc7060e48658f5619d7214367e6e2e4650989a174372aafb80fcf0d69648ead8c1cf8e32ba20318249c889e308cdc4515f7846cae767e86a631

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  105538551cfd070a639d54968e100dba

                  SHA1

                  b8070fb4f5fc022a16bc6e8424a22151839b3bd3

                  SHA256

                  b9edbf2021446147610237481830a8c38ef9ff688484f5183defb300fbd8a0ea

                  SHA512

                  8a16923cc3f87f4864eec9967582ea6cd4c2ae682cc3d4d71af8818d9931fe3d80b7bf6db81590a70ee6500be761d50df5e20ad7143aebf905dc28f03abb418d

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                  Filesize

                  176KB

                  MD5

                  e540b4ba056dc849b62401d849c9110c

                  SHA1

                  e317f21395f50a4e8558d373fdb5cff3e7b9fb8a

                  SHA256

                  7b8f511529030bd604d3d45cff3106bd45c2deb4a2086bf21236075d2d57fb1f

                  SHA512

                  88d6adb62652482b4fb234265bc1c36338f8eebc2b864bb25b35b5928b083bfec1d6c19d79636542114ddc0e5dc0411fffb28c9a21eb1d607d999ec409ceab7a