Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
28/01/2024, 12:00
General
-
Target
RunWithAffinity.exe
-
Size
780KB
-
MD5
f90ef05cb27f8752beaf3880860298e7
-
SHA1
704aa6a28df00e0020bf77be72bf4847e5e51379
-
SHA256
c3404b4784d91d6a662b513ce9221ae87b8e0601a41dc75ab8a4c150d8102e47
-
SHA512
bd32eefb34e48bce3ec50f12575373ab6075dda4b29a2d57700847e757a3fe39f0307e69232e17ec5d2b3dc8b6b0fdfee9e4cc01f0e31df6d980aeb184596ad7
-
SSDEEP
12288:zBRAheUVwlPE9d0xu5UMToSOr4cKm7vDe4Yup1hRumH+gjY04xg9:zXAhvV0PFPfrtKmflXp1hRAHxg9
Malware Config
Signatures
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RunWithAffinity.exe"C:\Users\Admin\AppData\Local\Temp\RunWithAffinity.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.0.1572394837\1380626578" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6509462d-b5ba-42d8-9309-ad3737fc5f52} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 1780 21991eda658 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.1.1413460324\1336321380" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9270ab56-dc0b-4276-b199-ca44138d8cca} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 2136 21986e6eb58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.2.1035363088\512591860" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2884 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d9a4d1-b7c4-444b-939e-962b3763264d} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 2776 21991e65558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.3.20357049\728616597" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10249b5a-c3ef-4be5-a7d3-f41ac33deda9} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 3444 21996f22358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.4.1586256578\633334611" -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03c3cef6-7f25-4042-b327-4030182f176d} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 4192 21997f79258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.7.1752810553\1949977791" -childID 6 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2fc3223-6740-43b1-9f2e-efef46cabd76} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 5180 21998632b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.6.68105722\2023992642" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dc23f7d-1d48-4ab8-a1cd-516b0ce36bfe} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 4968 21998630158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.5.1181809620\1515889318" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de7cc7a0-c29c-4e9f-9f45-5fe88e01f790} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 4832 21997f7b058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4652.8.1911857736\726834339" -childID 7 -isForBrowser -prefsHandle 4252 -prefMapHandle 4260 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17389a73-57aa-45b8-bdaf-9ccfbb8f717d} 4652 "\\.\pipe\gecko-crash-server-pipe.4652" 4324 2199a5a2458 tab3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4141⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5010ffedb8e11e3907a2d6b011906537b
SHA14ec9090db05bec799350b134f2bfbdc6e0e0c2aa
SHA25680c9b4439664768c00b286b02d06185beca4315455536765a6091735f1ec089b
SHA5125214b47258f46d0315ecad93a8cbfbb62caaa0dd1faec79a2a4fccb0b2c04b2ad6b1fbad01bfcc59c06113abb34e2b970c1378a05a57fb9cd496073e11cf509b
-
Filesize
746B
MD513aa8db851f88bbe8e8df183fc9a88e0
SHA19c8fb23484e7dfc3a6a10b1bd90609e4b67e1878
SHA256ccbf78650f6a1efe1747b891088b56742cf618470048c04493d2670de139fdbf
SHA5123750bb5da79ed6d34bebce11034e0c78addd707245657c6bbec7009b929a2cdda96a23d3a84b50c4fa216c50251bbc7e3b8830116efc62cc2681523a1da3426c
-
Filesize
9KB
MD5428a6a2c4a65e779da5c0f4795973596
SHA12ae19110ba637e4ad646eee57986601126df2820
SHA25694ffaf30cf67bd5f77d1fec5aa1e8b97ff1ce8499257ff2786f7bf095c303d24
SHA5120b452bc62d3954080015f1135d08a1a4026995a1f426f5a29394d0211ef9b0f86463acbac448f43303506cabee11daf2ad434f4981431e69072e9f55098eac1f
-
Filesize
6KB
MD5f81556536602caa248f475653c9039f9
SHA14c76439c4d16c8fe1358479b055e9bacbe15fb6f
SHA2566c485a4c0bf0389b38e110243b0b4dd95d42ad056bdfe213add2f184d7cfe755
SHA51255b5cbf91fd076092b779aa588fbcf2b5217e60ed5f498d2cd8a57e336c2f3d21ffbe8365b5bb57c37f23f979e15bdd519842634ef142f653880b3f3922e79e1
-
Filesize
6KB
MD5ffade29444e7031ea1c047c0652b3b1d
SHA1a05c91cc03aba017625c891b07f51f369e61d40b
SHA256576b68bc3940e9b4c1ade1fa87be539cf2ed620a53dd3fc9faa6eadd928a5c79
SHA51240ee6d6ef516022ba8dd861a4d27808c8cdc9ba797c39af67825ed6f88c3ebae71de8b5f97e10ccbb91d7b85e647bb66e3aacb9ad9281b0955729f86b21a7975
-
Filesize
23KB
MD5e70dfe6a1d5260cd3922359d4c333b4f
SHA19dab81930b26b05679e70f3cc8249416756bbf18
SHA256f57b7c4c3b7638ad0fc31aa57ae0542394a3989bf10aeb0286526ee9a79caab8
SHA512ced29e15e549c55988dc434eca34aaab1cbdb1a4028c18c3cc0ceb359a8c165af4afc899930cf2f676612c41fd7c0971147a9fbcb5c1bf8ba0a2d6c66cf68798
-
Filesize
23KB
MD508bb3a0156084c50ebd055647691feb2
SHA13329fa8d80d487f7930b67fb93eb5f0151c5153b
SHA2565dd780f7f60abdbe033fd6c7f8cae48d3d5c224c8b1f695733a9aa4c4f3f2638
SHA512f6142f1e7fa71f24679d937cf1328057caf6176110d0e12310cec3934a60de8f70d9ed5720cfb7340fde66459313796a06bd68f2123ea55ab5afee97393ee0fd
-
Filesize
23KB
MD5fc96594607e250a57f5e96bd99b38fe0
SHA1b80f61d89928b6f0055e8c6458ee7960e1164009
SHA256e0132321dde692e5c217d42f003d92515a3afd96edd70f4e1d6cfde7788a3758
SHA512860ffb7fce60a3ec1d8ec706e39ebaedee795e7e5119533effd37a35d79cd484cdb42db87c68183346b43597bb91675b2d03ac449330451f191f4c4449581248
-
Filesize
23KB
MD56a9cea50bd9cc898eb4e22f21fd315b7
SHA13fb3147759beddfe53f33fe0dc7bedfbb73204d7
SHA2560e78cb095a555c1e337bd6bccc645251fc86cfda53ba2639ceded8c238df15a3
SHA512b91509ec6518c3880368ab3ec2b885a5ca1ec0c34bb8c5f48d9d4319df8e8ed6af320a449883de99520f086ee72bfecc956c5d36b621603de20401748fc81496
-
Filesize
1KB
MD5fba71bf321df54d706b714377fe90828
SHA1a1de19157f121a6d53ae2c2ba71db7bddeb99fbe
SHA256f28d3805cf63364142caf3c6f106f9ae33f2f07c5a95e6189eb596d8fd2566e6
SHA5127ee0548a5d6562437066de19d02928e019d1551035264bc0a905db68954613bf3421481c204cd81a88da328e569f1afd5aefe238d4856cb5cef1f2cff7f375f2
-
Filesize
1KB
MD523b79c6f8bff48c5d07115a6dd1279ac
SHA1bc5ebc659d6603388034836ccabcbf42da7aa1cf
SHA256cb97a522e618cdd37cbb02be742aa08df01dbcf608d0258387f2599342d6126c
SHA512940e76e9a36f1fc9c60996bb1857908d5427092c14fd9570d46f0530f4b22847598320ea689d8d025ec3c882351db30f191d9e988cc595824a93bd1c32a59cf7
-
Filesize
22KB
MD506b035e5db027d6602b7afbd2cd2a7bf
SHA14c6030281ac96169ad0f409721a78f8b3d3cfb0c
SHA256f7a954ae238b67ca7e352ba142f29a630c8e3f370af5d592fe4a6333af5c44c8
SHA51216d72350ac88e03ce0ca178726cdc45b5204031b6bdcf087fbc0d65ab257518fa43dd626300b3e583a39a8d76b8dad50ee3da58d0456379a85948b4500dcf7df
-
Filesize
23KB
MD5b054cbdf43610ded64da8c050183b7cd
SHA1a548b18d156d6a2f4cc3ba0e15022ee702faa3bd
SHA256c4d6f75dc39bfbc332469102e92932fca91c98f651e4d8157fce0ec3cd8e327b
SHA512fe46d0eb3bc35afdd86fd9fb2c35c55f3d2c881aa9b4e9fa35a98e75e29a4157fe3d8dc51906e61ebd0317f8454542cce969eb3350d78cbeef50ac66b800d554
-
Filesize
23KB
MD5a0d645e1db102b762a4dd26c83e83602
SHA141f6ca5eb5ead893a27bf0ae1502fcaed739ec7f
SHA256a6a2e668322e6e52b11af9f23d26db966a274eb54759fecd87e519c736f7110d
SHA512f37cd9107a1868cf5bbf7beb8ec73c4bd75f17fba36f67fde6922778bed28752e144c12d3e2d7a8b92ac265dbafbe40126e98f64953e2bca714820faa0e0dbb3
-
Filesize
184KB
MD52a47098d39a545749fd7b10c63c8fed3
SHA1c6cd31b7e3d069981f96b7a3be0dc5daa1a64056
SHA2569f6ee6840be48f8e55088a45c92056715fd34c021cfd5840757e4eec9138b2d4
SHA5129ed035dfa7eca9b4f55f2c613d3d0fb2176f9353a87ce8dcb157ee503ca9782a49914516b724980c05819281528877f052b59f91fafc49538b4615da2754af4c
-
Filesize
1.5MB
-
Filesize
1.5MB