Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

Lucifer_21.zip

windows10-1703-x64

1

Resubmissions

13/02/2024, 03:28

240213-d1bskshe72 7

13/02/2024, 03:26

240213-dzfp5shd54 7

Analysis

  • max time kernel
    161s
  • max time network
    170s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13/02/2024, 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lucifer_21.zip

  • Size

    20.7MB

  • MD5

    bc5a64e94d9ae6a90d1e3e5527aef946

  • SHA1

    537c3fc0c54a8bb3dc8e8651c645dae30662fb17

  • SHA256

    07548b3bd8978a673ba74f5949d438685b8e569e092d057d04f305655714494b

  • SHA512

    ec301b266fdae6a87ed439ac274803ed9f549cd3f880403a55e1a803f3c1ee758dd48fb1f98a1cbc85cd9f2ce9bc82dac936ef5884a19674602e8cca8a6fdc3f

  • SSDEEP

    393216:78VilnYOjCeWHx3j8iAAUgBZZaMWqOqzZCeMlqmE9ESt3inwnqiSWh5ohxvvhxj3:78IGOjKHZ9AAUg8VqOqVhErE9v3iPWQp

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Lucifer_21.zip
    1⤵
      PID:3540
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.0.1907317996\2074454910" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f26d1418-ef6d-4bb9-9e37-a4a68ee45636} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 1800 25fea6d7558 gpu
            3⤵
              PID:4912
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.1.1448321568\838762396" -parentBuildID 20221007134813 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db624e0-f0fc-40b0-b5f4-578cfad77ce1} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 2152 25fdf570758 socket
              3⤵
                PID:5056
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.2.1244820793\1770683211" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c99a48ed-7eb3-43dc-8a1a-bee908acfece} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 3100 25fee6cd458 tab
                3⤵
                  PID:3080
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.3.1898378729\1213280803" -childID 2 -isForBrowser -prefsHandle 2748 -prefMapHandle 2696 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42cd289b-b30d-4861-9524-7ca5461fa4c2} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 3348 25fdf562258 tab
                  3⤵
                    PID:2808
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.4.1862050962\27113330" -childID 3 -isForBrowser -prefsHandle 4628 -prefMapHandle 4624 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cad01c33-488e-4efa-ba97-50b2ac2cb90c} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 4632 25ff0ba3a58 tab
                    3⤵
                      PID:2944
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.5.371608502\1222888171" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 4836 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df70fd6c-e5a9-40f0-a222-dc04a0ec079c} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 4808 25ff101a458 tab
                      3⤵
                        PID:4140
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.6.82442673\878380751" -childID 5 -isForBrowser -prefsHandle 4820 -prefMapHandle 2604 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {def92a46-6b60-4d4f-b2ab-90259ab771d9} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 3972 25ff101aa58 tab
                        3⤵
                          PID:3008
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4616.7.822434124\781574871" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b80a700f-a433-4fc9-a580-04d7362ead91} 4616 "\\.\pipe\gecko-crash-server-pipe.4616" 4880 25ff101b358 tab
                          3⤵
                            PID:3028

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybbdryvc.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD
                        Filesize

                        13KB

                        MD5

                        f89de52db07030fd07aac0c619914495

                        SHA1

                        646eefa5f9c5e9769e9dcf3435b7c12942cb94cd

                        SHA256

                        abdbacc36ec24e4ab44a73909ebaa90f62360dee12907c6c8a835becf79ef04f

                        SHA512

                        ac665b10d9261e39c7a6611359cc638f44d44640fa8237685a00f833088eec7395be26b14dd83e3f7a0d866a8c773c1337e6defc5b95ecad54094a8a1f74b736

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                        Filesize

                        442KB

                        MD5

                        85430baed3398695717b0263807cf97c

                        SHA1

                        fffbee923cea216f50fce5d54219a188a5100f41

                        SHA256

                        a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                        SHA512

                        06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                        Filesize

                        2.2MB

                        MD5

                        2ec793668f26f5d940cd59abb72a97cf

                        SHA1

                        14aeef82e84050e4b8da1b21317777d5a46780d2

                        SHA256

                        5fa96b9398ee223ac8f9a110e410fb6420e27de70f02d22ea91d932b37cb3816

                        SHA512

                        a8a751cb07bd63e81a72e856961cca23c214e301f414654464a2ebde5f575a9b012d35fff9ebdbbd2aa9fa3b4326031edb0311d134e836860733b2ad9717b0e6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        9KB

                        MD5

                        4112bfb707912c65b02bad6001c696a6

                        SHA1

                        ee1aff25df48b291363de9c77e5213a4c3fbb829

                        SHA256

                        f9c6424cb5d3939fca39bcf3e9d8f62988be95beb3462f2a0818c31ce50422b6

                        SHA512

                        ec03fe31463955ccc0aa1c3b26b6ea803b92d711e6e286da1b14dbb973caa888ab95d84dca31f5720285d98774c699db694cbfa3b6068298fdf3d781564e5854

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\datareporting\glean\tmp\e0bc0bc4-e777-4db6-9cad-f06d3eed6beb
                        Filesize

                        734B

                        MD5

                        8cf9ba4b184cc09467f088bb6ee58f4c

                        SHA1

                        96d1a642d8e8ccfcea784bc9bfd2702a83a5f181

                        SHA256

                        49d124dfc84a7f9f694c6a376d67bdf92a75159caec60da934d03b8a7b2c2eb3

                        SHA512

                        1ecf2a0aa107c19f0f79feb0d5c1f199cb03f7b9f6fc342149b646df0ed6a6197ea982646f00b030dcc8351452f3dfb40cae89bc85514050be838ce8824e12a3

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                        Filesize

                        997KB

                        MD5

                        fe3355639648c417e8307c6d051e3e37

                        SHA1

                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                        SHA256

                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                        SHA512

                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                        Filesize

                        116B

                        MD5

                        3d33cdc0b3d281e67dd52e14435dd04f

                        SHA1

                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                        SHA256

                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                        SHA512

                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                        Filesize

                        479B

                        MD5

                        49ddb419d96dceb9069018535fb2e2fc

                        SHA1

                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                        SHA256

                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                        SHA512

                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                        Filesize

                        372B

                        MD5

                        8be33af717bb1b67fbd61c3f4b807e9e

                        SHA1

                        7cf17656d174d951957ff36810e874a134dd49e0

                        SHA256

                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                        SHA512

                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                        Filesize

                        1.7MB

                        MD5

                        8c5f842cd590f049da11432f42c07130

                        SHA1

                        493dfbcc0c823d1bbd274ce3f752ec1488e10878

                        SHA256

                        136b322b454b2a5a0993a2902e3fd5a42e08d8718f162b4e67f6df2df83ebdcd

                        SHA512

                        74b39412f8aef2d2879b8efe1640a2fc9da93c52ae7a574836bd9a89ff6fdceebb635a8405e4b6efd600d4e4ad9c0ffaa2fdb09e8a15a7b8f42350954778e584

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                        Filesize

                        1KB

                        MD5

                        688bed3676d2104e7f17ae1cd2c59404

                        SHA1

                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                        SHA256

                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                        SHA512

                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                        Filesize

                        1KB

                        MD5

                        937326fead5fd401f6cca9118bd9ade9

                        SHA1

                        4526a57d4ae14ed29b37632c72aef3c408189d91

                        SHA256

                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                        SHA512

                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        d1f93aae91019fd15a0e36eac0d48074

                        SHA1

                        d3f2255f457bc6d2dd37626fa1e85377da7ec3e7

                        SHA256

                        81eade28127fba1d17cd5960c377780a2e4b25888dfc22767ab8735965fc029c

                        SHA512

                        686088bb8a57017769221cbb68e511d35ec32ca7e7456efa7c7c72939e498de6ae804d745cf43eddc22ef47f871adec689fe90caae45f96bf7bf84e80fd7792b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        50c57edb73a0bfa83598f1ef6b65bf38

                        SHA1

                        4ccf734526f0d6019dd78803d67a43ce9492acbb

                        SHA256

                        fbff188e30fda0d1d320991b0e1e9bdd3b586fde3635e2281add3e100859b540

                        SHA512

                        286231fcfc3d4ef841cd884becc42daf66871f1e3de83fb20c315312528266cfd5fc28cc5e5fcc9ad9cacf501cfc4d8abdaa3c4cb4a932c326778f2998e68d11

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        bb3685f60ea3d78122d42315e46fde78

                        SHA1

                        3a0ff3a8331a7023d67edba4d95a6896856dad37

                        SHA256

                        64c49dce2cba1636940ffdb43d3bc8afef0b822a7e5517e13584717ee8ff59f2

                        SHA512

                        7fa2eef6954a5e9f91e93ddd44de008093d5fcc169f1df668e2401b9989b252b8032fbd9467c7e214e145f86801faab2a9c4e1b89c784d6205d85caa5abc4111

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        da7d6d1a7223a6d7fd55a75c12fcb1b1

                        SHA1

                        c102d12db83bc7d5102cbe5644e629aa877d7371

                        SHA256

                        8e5a43403abb8c9dbc6a316e2683bb8aec232e8d472b1bfd0918bee3e777b4d6

                        SHA512

                        5ef85f6e63d86b2ba14edd34020939bae0954ad0f58f86f5643818471d7634765137e42a211041d6ed48c2f6ef8b45cab87e9db072c427b40f895e9622d0e2af

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        ab124a5dc66ea38ada13b0bf62af26a5

                        SHA1

                        3f224954f54c503e968b6ab5f45228f047f22ccd

                        SHA256

                        6d5febcf3f9f0ce15afe47a2d6c2aadecf09757133d9b09168b8a08ae9bca330

                        SHA512

                        03dcb0c17123b2d7126958e357916f0af27d08e8a1530d2a4b6f6ec03ddb3c0b7726fe973237ca6035f005e3cd1f0532fd427baa569d4794fa983af0eae9f687

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        1.3MB

                        MD5

                        773c8bfd9aaa5a00cc3520ac1315eb95

                        SHA1

                        14fc8eb686591eb769dfd6e789849820dfac5c94

                        SHA256

                        d6c4cb14c0b419d13ebaa7dfa15065d8aca625150d6a2793042f23d9ba2ef0ed

                        SHA512

                        1b835afb9e8602e653ac4b994fca8a108d57734d3ac6c8b2cf32f0705a7024f6ffeb9bf786fc396fe89301fbe21441f7a11591b20e3785cd9ffcb83417fc8080

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        5f60b1bfd123c7a4d0b08e789398913b

                        SHA1

                        94cfa3d3a809e734b41b790926b3cd5599ff098f

                        SHA256

                        b340adccfe5fc90dc4cce44e21bb54e2a375b786240b2dd8e33779be9a9ccc22

                        SHA512

                        465eac2f35298674f0ebf9b65cf682459f72b5fba1d920a5bb43aac819450ba437c3350003241d7cea032547fb1d77d80c4d5b05c16727ef9af4b2c5242c9a6d

                        Download Submit