Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

URLScan

urlscan

https://github.com/S...

windows7-x64

1

https://github.com/S...

windows10-2004-x64

7

Analysis

  • max time kernel
    85s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ScriptTestAdvanced/STA-Chat-Bypass/releases/tag/v1.0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.0.571515096\1211215526" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {300a9e40-0069-412d-89c9-d65af9866706} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 1944 1a4eb3d3d58 gpu
        3⤵
          PID:4420
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.1.1177430403\1334714463" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f1425dd-d642-4c47-89d7-6b7b994410ae} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 2416 1a4d7772358 socket
          3⤵
          • Checks processor information in registry
          PID:3584
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.2.494551326\734970075" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3164 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1be33fb-3b9b-4c93-ad0a-4ee8889ac0eb} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 1672 1a4ef529258 tab
          3⤵
            PID:3440
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.3.1053338027\386545482" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e616c44-0039-4fe2-953a-74aa24b0039e} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 3676 1a4d7762f58 tab
            3⤵
              PID:316
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.4.216978715\274390449" -childID 3 -isForBrowser -prefsHandle 5004 -prefMapHandle 5024 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0abe62b6-7d7d-4eb7-8964-8c2040b27736} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5000 1a4f1e79258 tab
              3⤵
                PID:4312
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.5.1755560635\524888556" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34561871-5e36-476b-b3d5-630b7a12ba4f} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5240 1a4f1efde58 tab
                3⤵
                  PID:4260
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.6.1638858047\168475409" -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84ce9cc9-3879-46fd-9e26-cf5991f16eb9} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 5368 1a4f1fe1a58 tab
                  3⤵
                    PID:3456
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3496.7.1896681639\2018901060" -childID 6 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17c42910-f949-41c8-b41b-f6bd376b506a} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" 4768 1a4ee3d6d58 tab
                    3⤵
                      PID:5320
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:5836
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\STA.Chat.Bypass\" -ad -an -ai#7zMap16765:92:7zEvent32089
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:5940
                  • C:\Users\Admin\Downloads\STA.Chat.Bypass\STA Chat Bypass\Script Test Bypass (Chat Bypass).exe
                    "C:\Users\Admin\Downloads\STA.Chat.Bypass\STA Chat Bypass\Script Test Bypass (Chat Bypass).exe"
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5436

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    940b8194c2034df86f9ded9d9fbd9634

                    SHA1

                    ae99ceca8771ee9fd904faa19292a3f80d78117c

                    SHA256

                    79a1e04e739f66b1d0fb665d5785944b9ca8597500fff11e437cab9ab05ded54

                    SHA512

                    56df61f0868511ca2b1ac48cf80369d7a1b95c61cafc26111fdce980e5db41682d6fb5612beded0e61d1b9fc976bb97237e48cb69ac84bdc8c0a816a2b43f25d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\94af4358-0077-4ef9-bb90-8280e282d953
                    Filesize

                    12KB

                    MD5

                    91e89a8bd40bfe3a7c056adfe2d0a657

                    SHA1

                    63420ec034e5f22c5a92f90ba03dceeab1829a22

                    SHA256

                    d4d7141051d6fde465ad6b20a5d3f03c2dfa4fe83633f10af539e758f02a3237

                    SHA512

                    7139d42b2a8cdc9ff0e536e8949aab449749fe5b3137ce6280a73a8372129b3e9036a3421eabe4859b3c62231c471f5d04d2b42feac1f2bb64b8d970f6857cfc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\a65b9724-5b58-4875-9e9a-136668960702
                    Filesize

                    746B

                    MD5

                    e6f1224d11a77a3a6ea3c9ec6c15fbc4

                    SHA1

                    8bbf52f39e1513705339de0cb540f528dd8ac458

                    SHA256

                    4ea149b73f34c8f86c56696cfb4b85ca4dc4f03949a237e942a6df2575e51b6a

                    SHA512

                    98e3d1076edc86e204ee39c360c97e2ad7bc37008c03abcdb3d456f4577cfdab3ebf1175dfebc658da31e073fe4c890f74f0d52df6ed8684c247876eaff19560

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    0ef2814707ac8247a3f03027123dbf0d

                    SHA1

                    2728722763237f7fb8642ca7ea86bb4a205bb328

                    SHA256

                    b2910f7eb5645a272379c7c2ed3d7bcea54e38b1a0447bc4029e3a1765094c6c

                    SHA512

                    12a34d4a0ce3e80ae9a83275d7d648eb15d1f5b209b7615ae76c8d164c79da582f45c9b92d6661e90517261351ac5a27032be9cac5ef295f65690bcefc96dec1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    4296f037007bf15f1252e1726cfca0d3

                    SHA1

                    6286f131a0ce30e46d37dea6fc603e64cd10782c

                    SHA256

                    2e8f6ea3948bd8f654e886534af9aa27db42da3c04cf788d565401a6127b4e18

                    SHA512

                    9ae518522405866800c905be0510bd99b66b0e5481b334d3d5d2f209246c5ab842b7cbadf17b78d2222529b973934c09bf656d9e3b3c846b992d3def969ae13b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    5a88608ef171de6573216803548e2980

                    SHA1

                    0068065b1b12ce62e49587d8075a8a0dab974639

                    SHA256

                    302211b90604f151b217691cd55d5543335f3e9dcc586d9fe979e1138327d0f0

                    SHA512

                    f44d39508cc40f119be8901be04bf91719a24e19f428b0ff05470487b09ed804a9728791218df685e8e730100f2bc77f979741b73f2c514daf296d1e970af23b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    bf5bf005e4d84ebd162cfcb458f39aee

                    SHA1

                    4ffa8a9877fca3fd4383ec7de01a951e0a5d8bcf

                    SHA256

                    fc27bc1f8edea0cd07acd20c6740805d89ed21c49b31c8a90b75e3ea9fe29217

                    SHA512

                    4a63e4fb5fc1ff2adf17aa4d6ec565b29979e0d955064952dc2f88551ff5037e504aed639ae4e99ba902beef2c569310489a7972bf5947c37c77356fc332dc0f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    8125f7374d074c12af2c33ca8eeafb37

                    SHA1

                    bac24ea4f7847c84723d46f8296b5944a8fcb4e0

                    SHA256

                    e298e878c7b314a11de84b4f81e1c683428a64739620c3a88647a177021afa93

                    SHA512

                    32859bff09139d6a7e3fae57c8872d1890e6907288140fa48f617af3bd262a49641f9814e8cbcbadb98a6693c2b3115786c3b1c0b434ddf5b627ef32f5790a2d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    ebad4e6f49897b832c76903a3be78bad

                    SHA1

                    a38d68ac42f1cbf9dc0d7fc473bd9c8466fa0107

                    SHA256

                    c29802d22b75f259f3f7eaceb1e890b4d3a77ac3a8eff18250aa7e5f14593b22

                    SHA512

                    e1ed05afe4429159a78edc05eff6eaa94d368bab4703a1b78582f235ae0304f933b1ee0f32e182ed5cbb456f785f089681b66b626c1b09308ae82a9d9096fc29

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore.jsonlz4
                    Filesize

                    3KB

                    MD5

                    c9fa3c29bd86ac1e390324b852d07b75

                    SHA1

                    7141bb4c69a02568b00b040e477447b343169f1c

                    SHA256

                    d5a9ed0e3f6532cf7d2ad7f2d8fdb11a7773cf6bab57b3a546e66340560fc1c0

                    SHA512

                    20fef73dbe273d4476c1205e15c687e529252b3d7dc63a69c554e34d78c17673de629a9f048108f1c311e7e1cb2e08038cc565dfd800427520c0a358820c2aa9

                    Download Submit

                  • C:\Users\Admin\Downloads\FUMZO9MX.rar.part
                    Filesize

                    5KB

                    MD5

                    c29f4ea77f0b455f7afaa7de575129f5

                    SHA1

                    e949f448bdc5a54574bb995d62e25fb7985f496e

                    SHA256

                    d011cf04a465856bfb56285e520a5f2cf70ccd7edb5623db168b432913dbe92f

                    SHA512

                    990260640c0695ca515111c851522a80674835d568f516262a8c4e385cbe0d32bfc1f81512581e6e483e55b8bc6754395a0d1fe0acd1859b7156733605e4e554

                    Download Submit

                  • C:\Users\Admin\Downloads\STA.Chat.Bypass\STA Chat Bypass\Script Test Bypass (Chat Bypass).exe
                    Filesize

                    14KB

                    MD5

                    474a3ce61836306e165346b553e3e2df

                    SHA1

                    39e955e7f9a0f42cb82d3519ac6e2aab8a10fca9

                    SHA256

                    8f860e0898f8be71c432112029ee6b3a9c6311bcff11ddbf6e215a1a33a0d1e4

                    SHA512

                    ca30037d11fea9b825a0ca73269f2bd593d48a46d1df7ae9ee840254d7f9e659b572038aa572fe53fdf5cb185a83e44fbb010131bdfe620044b32ab13b89f9e5

                    Download Submit

                  • memory/5436-242-0x00000000054D0000-0x0000000005A74000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/5436-252-0x0000000005030000-0x0000000005040000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5436-260-0x0000000006240000-0x000000000624A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/5436-261-0x0000000005030000-0x0000000005040000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5436-243-0x0000000004E60000-0x0000000004EF2000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/5436-274-0x0000000075000000-0x00000000757B0000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/5436-279-0x0000000005030000-0x0000000005040000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5436-280-0x0000000005030000-0x0000000005040000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5436-241-0x0000000000430000-0x000000000043A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/5436-294-0x0000000075000000-0x00000000757B0000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/5436-240-0x0000000075000000-0x00000000757B0000-memory.dmp

                    Filesize

                    7.7MB

                    Download