Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
03/02/2024, 16:36
240203-t4h9tsdff5 10Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
03/02/2024, 16:36
General
-
Target
zbxl.zip
-
Size
43.8MB
-
MD5
da596c5fa1bfe53dc6ef777e810c2e7d
-
SHA1
dc756fddd264eaadcc0c8e8576d11259bbe1c150
-
SHA256
eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744
-
SHA512
bb7a10c4d9decee9687dfba5987939d1f55c3966bd80d06103d4bde6f61df3957d89392ac185b96ac668bc794193319dad33e34dde199df91eb2981e7e5f9fc3
-
SSDEEP
196608:rAA/coo9ZmMOfGI0QIdgCUlo1JKq5LJ2q82M/nSk827:rAHX9DQGI0Q321tr82MPl
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\zbxl.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.0.1138806835\56311797" -parentBuildID 20221007134813 -prefsHandle 1740 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b666f56-ae98-46b8-9c92-85ddab6e5631} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 1824 2ba405f9258 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.1.1494789780\1003574989" -parentBuildID 20221007134813 -prefsHandle 2168 -prefMapHandle 2164 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {798dfe00-82e0-416e-8881-8ea590f5bcc3} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 2180 2ba351e6958 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.2.210486873\1487016198" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3144 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3978823-1c95-4de3-9606-e76e1639c597} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 2980 2ba443a0a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.3.693371779\1568435757" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6d105cc-bca6-4aea-87a3-22b89d02f1e7} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 3500 2ba35162558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.4.947131393\1330665428" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 4160 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bc98d2d-0910-4142-b9b1-6057628f570b} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 4176 2ba461dff58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.5.1032675789\405379227" -childID 4 -isForBrowser -prefsHandle 4768 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f690caf-dd15-4468-86e2-e3b634f119cd} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 4760 2ba35160a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.7.1433872136\137872985" -childID 6 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30c1ca15-b698-49ad-bca9-f36b34f2dac0} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 5068 2ba468b1658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.6.829516534\578815396" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32afb01a-cd6b-4e7c-8717-77e32ff01bd3} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 4884 2ba4663f158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.8.1744144042\552169412" -childID 7 -isForBrowser -prefsHandle 1600 -prefMapHandle 1560 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc3be0e-f238-4136-9e13-e45e6a033700} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 4352 2ba429bee58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.9.276833357\961512725" -childID 8 -isForBrowser -prefsHandle 4812 -prefMapHandle 4828 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0993286-615c-406e-b207-4d5ad35399f7} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 4800 2ba46186558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4116.10.619549797\630551509" -childID 9 -isForBrowser -prefsHandle 4736 -prefMapHandle 4172 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a7c8a09-dc48-4d25-b84d-a3847b2abeba} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 5636 2ba48386158 tab3⤵
-
-
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"1⤵
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{5629FE01-4F6B-4C4C-A975-37586C987F21} {EC02996C-70DE-4561-A58D-DABA857ECBAD} 26282⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aec055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
2KB
MD5ffeeb629edf1066cdb110d199e3a1e59
SHA10aca56e6119399c4036cae969111d4c763b1e637
SHA2566f10f482e6c0566b3cb96580c9fa101203e271226b10e691bbbd7c6dccccbb94
SHA512e7fd8b0e1db35c449b1135e254a13f4d936dfddd8fde34b104349baebdf6c482f31255c89ce5416542b351bb8c4cd723c79bb8a1fafc58b11821f80a29f0035a
-
Filesize
11KB
MD53f6b7774a6229156e7eb713d479cfc69
SHA1e1a5d53f8fa121dd51c573251a74cf0dff8d48cb
SHA25690b7c2b65563cd63f5c931883ad5159553374ac9abe248a2ac0be03c881ccd27
SHA512bf7cd2d80a75e35bce8b476f59401b07dc431ba6847c2ffa37cec2124924214e1285260a4097f9972d3a9bb2c47fadbc571e845ae1e8c27b4fc4c79d67076e0f
-
Filesize
746B
MD5d7cd08941e7d7763fc8174cc249099a0
SHA1f8b0c39aa2c6dc1ef77a060c3286e7870a1116ab
SHA25623e300d7eee935317e37582047a5cf3b5e7da5719150c40cbcbf45201c31ceb0
SHA5128af8346c62f2552e1a3426247ccc5ae2da6ca93905abf7d8919cc9cebaecf7e0b8c2762cbce1af54f2f95d5903e11c0b1d37cd75be266fac4b9605492f3f10df
-
Filesize
6KB
MD5605b2d2fb131a74ce64d3c2b014691bf
SHA1d0ba9f73abc40d2b3a7fe439b2a9f0f6717d434d
SHA25658ab6b1b42580c22a1fe6e18d5e19cee54afa65272a0653726a2539d8c3e0a6c
SHA51252ea87a63309bb58d3bae8690f4a2ca1d56e89efbbdd6eab9942d8ba3b436c952c4899cd2a42a14f03984e1bbe765697880bf681eb7baf7fd1e1c6ba0922ee64
-
Filesize
6KB
MD51a9f43897f4342af64be87a8171ebddb
SHA15087cb932f49485129f44ec1644135e2ae76dc28
SHA256b6f13d5707fed98f847c99f743d106a899b843b313c4fc4a6a72c6b31c20e6cc
SHA51225ef0911bed9f5ff7df234f94ff4655f340c092d040bc44a6706e3c3045f06d34603449bfe8554c6a29ac33688bf8964d1f92ab2abb27c4a0c180b557cf8f70f
-
Filesize
259B
MD5c8dc58eff0c029d381a67f5dca34a913
SHA13576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA2564c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
Filesize
6KB
MD5b575b432387e65b801e692e0f0558259
SHA15b53b775f7146ac35a19f889a100642d4cad9fb5
SHA2569f07a4c4906d346a5e0c8a62e4b56735db6fbfc1ecc6239ea3faab441752c9f0
SHA51210a95e55f728e528d344c7e3b2d62d7b05d6edd23c9cc6aa6d6715163fd3286dfa55f91f805439b960d3f7d0a705c19cfd3dfeb458924d72d290bdb54c23fe9e
-
Filesize
3KB
MD580167ef6c676b2ca22eb28e1efcdd284
SHA1904b3a5e61aaef98f2967b18a2a2ddbb64e68538
SHA2566a7fe109d5628f76ed338b55b3b841679e7685bf080e080b05b7076528c586ef
SHA512246b6a5fadc970b06afb9d5a373b5245a91b2181835736ba76b71979fd02c65be66df2e36d7970eb96fa4455979dd748b5d77cded1be01f3f0cab77528be2e23
-
Filesize
4KB
MD59cdedd5feadcabf042ce74fc2d636ee8
SHA15d7b54f4f0ef610b7a49432608ea0c739920d336
SHA2568c33870ed03098881183e8289ec3374c8b3c736fa85a7e476a9550ca02d42206
SHA5125f0121558282c1b10b748b32b4842213059f5bf8f7cf66ca61b66c9041214f4ce9a76df1439d2fdbbe3afd87b1f0a056fb0ac9f911551e572009213d7f2ebe8a
-
Filesize
4KB
MD55b6092504a018e5c514d2afc2228087f
SHA15bceb8fad92c2dcf65b55513c7e92aa96c1ec336
SHA2562fc3313b841ee36920c966d959072b8594fcc438bde33708d0b28bbcc27d482d
SHA51231ad258bde31d11a1448b91a7071209b939962a91269b7094496156f37ad385102c276b114f76ec6d73c9b34665dfb28d2321464b4c637615da4cdb088883f97
-
Filesize
6KB
MD56e4b073fb23606e52da0d091a027c06b
SHA106bb4bd9a6199cca94774839185c87200d8d17f1
SHA256d6f9c299b0108abe2f91c0cddabefee550a75d1f86f8550a01cc491f52a18cd5
SHA5121943a10e2236ec3d924d926ee758bfb3a4877c378a4a24de47fde735af22ddf765770201c37d6879beedf82aeb21fb8b030511a198ab2542adcea0f134264465
-
Filesize
184KB
MD54dadbf0e793d2ea4ded39dcd1e32da54
SHA16cb0d2faac06fcf62b1101c2d46b2431853c942f
SHA256342fe3e336e427c1b05160221d1914fea2f98a8d534d2b914b66215fc1fe4e6d
SHA5120d57aa57172cfa10f3c60e12750e58a4c7b28261e3a556819f22e33b818c49a6414c0eca1be0929f0f28d2284ad66af5ea745dff505805611d1ebb27b889cb27
-
Filesize
61KB
MD59e649a93e4e1cdf2d98d6b6df1e0006f
SHA13de6790c2558af40c96c0fd2f4051b4da473dd23
SHA25688a27117ae172a81775eb3a348b5aa8ef70d5c50312b0e55672999fc50c09027
SHA512141d5b451e04cb87f794d654f1c6645a6556990a5b9f3df687ed2ba35cc285ad08e2e63ce7f8a8d53c52a2319f7bed61afd9c507f1677eba6461597743267e9a
-
Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4
-
Filesize
118KB
MD54d20a950a3571d11236482754b4a8e76
SHA1e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA5128b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
