Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Ld2cApUs83...5Z.exe

windows10-1703-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/03/2024, 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ld2cApUs83G31T7b5Z.exe

  • Size

    2.3MB

  • MD5

    0626c194fa8584f3b033a980526ec0b1

  • SHA1

    4d5b8fb988b4852eae5010d55a80d81fc724ef4d

  • SHA256

    d46aba68d9cbb257f7bfff462ea3f245c18b7ef31de3e1c0e2e23b87b17c6c88

  • SHA512

    a1dc0b7bf9a502f57b32b65768d7b44d76d08f1fac04d7a87ef8ff033a793ae55759ce2c4e18698486853197f017a6ec05ab1591099bb606aba9fcb192ce5db3

  • SSDEEP

    24576:TLBOB9Co0xbGaGHcA0Wdz+zmltRblMrygAhPX/jR4Q2MZyCV1ED/TmhnqU6pN6:TlOB9Co0xiamdzhsyg6/jWPz78n

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ld2cApUs83G31T7b5Z.exe
    "C:\Users\Admin\AppData\Local\Temp\Ld2cApUs83G31T7b5Z.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Users\Admin\AppData\Local\Temp\PdVTDdWFNlAXW3\K2xy1gNSbaQw3F.exe
      C:\Users\Admin\AppData\Local\Temp\\PdVTDdWFNlAXW3\K2xy1gNSbaQw3F.exe 123
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:32
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.0.713793522\206374843" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9865cc1-bd93-43ae-87e4-3e9abc6c9e55} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 1792 270cf1eee58 gpu
        3⤵
          PID:476
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.1.1003886589\318700229" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {734d5819-93a6-4723-89ea-3e7d0eb48324} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2148 270c4170158 socket
          3⤵
            PID:4308
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.2.1373602367\1517038534" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2940 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d613619-6a48-4e32-851d-64b54119fd7e} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2804 270d3495858 tab
            3⤵
              PID:1316
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.3.961846165\566245967" -childID 2 -isForBrowser -prefsHandle 3212 -prefMapHandle 3032 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {729c2f90-44d5-4ffb-8d71-0c909b10098e} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 3488 270c4160458 tab
              3⤵
                PID:2512
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.4.2136867752\1490338920" -childID 3 -isForBrowser -prefsHandle 3212 -prefMapHandle 3032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f633366b-70db-41f5-b25b-cd5b49fbc844} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 3808 270d4803558 tab
                3⤵
                  PID:1324
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.5.1043524599\1278555561" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bef3beb2-7733-4d16-bf3f-8745371d6ff2} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4776 270d4f8de58 tab
                  3⤵
                    PID:2256
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.6.2002701099\986960719" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74772aea-6e73-45e8-a456-2114b7baff4f} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4912 270d56d4a58 tab
                    3⤵
                      PID:268
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.7.1772991343\1070579803" -childID 6 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b9b9b5-d488-48f4-9bd7-ba40c2d97d4e} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 5100 270d56f0858 tab
                      3⤵
                        PID:4760
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.8.1807077105\889460715" -childID 7 -isForBrowser -prefsHandle 2520 -prefMapHandle 4580 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ca1889-1616-4ba5-ab85-97cd1f004b00} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4976 270d7356258 tab
                        3⤵
                          PID:1576

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\PdVTDdWFNlAXW3\K2xy1gNSbaQw3F.exe
                      Filesize

                      6.1MB

                      MD5

                      56d687ba36f0f91d23f0d8473fb2d3bf

                      SHA1

                      e21b88e90a882e75f1418d37d2904114d86a717f

                      SHA256

                      56f5a8e78ea755d71528ca3f1ab5d03f92387fb9ed75a27f3a4d97395bcbe738

                      SHA512

                      d71ea749544caf7b34e9763a52831371ec26b1c02420e5e72643cdb17cf434fb539e23c17273076ee90dfc0b47b5f5ef420ea4dee67ec9e7dcba666745334b3d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\PdVTDdWFNlAXW3\K2xy1gNSbaQw3F.exe
                      Filesize

                      5.2MB

                      MD5

                      a46f8ff53bdfcc4b37c77d9e7cc4d62f

                      SHA1

                      7399bde1b5341cb077997f3dfc35ce320694b68e

                      SHA256

                      b1f5abc8b24b875c911b1652b7b900f51d12e1ff9b959290bddbee424b7f928a

                      SHA512

                      8686eb51301fb749c4c06e54abd069ccf59ec9ffb720fab7655cfcf63bc7d993f2b3dc29f9c49d7a4a5f5c036e97e44347d93295e8a8c2e4591090cb501e0a6c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      fcaa8520c84a4396649c56addf942b3e

                      SHA1

                      ca5ca04d9f1ae994fea353d46337a6f52f0627f5

                      SHA256

                      bcf3b56c607991f72ad4a6728a3263f352056664a67b085af53440d6b1988cfa

                      SHA512

                      69402f2d5b1b9c1d33f5ca5e94a4e25da3f88b291c4d069475b3c53161204455a6004b6ffde024f5ecf0a5daa8ee0131066051717caf6191078f10f10255fbac

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\3dc13dec-1428-4670-ba19-ada58ea10293
                      Filesize

                      746B

                      MD5

                      3f48db71e1b1d99e6f6511097ebdcabb

                      SHA1

                      c792509848b4b2b9301a2bf2e257c0807066d93b

                      SHA256

                      adc600e5e580022325b370055a6337816444dbaf891d06e6728fa40506163acc

                      SHA512

                      23cc55e1a0c11b304d32c1cefcca0057d7520f8e9256430ab35df464d088559213c617bf8c5e041aa4e7628b52475ca3d7bac68689b2428ecd74019701965b34

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\datareporting\glean\pending_pings\df06a1d2-e1dc-4310-ab59-f3b88f8e8bc9
                      Filesize

                      9KB

                      MD5

                      07c00d84479c409f8fa4ca3e12067d97

                      SHA1

                      edf37f0165d3d266749a0a5bef46768e859d62ee

                      SHA256

                      c3a3581f13fbdd5864ee06b004404a7c9ecca5334923c0fdddc33751d4d90c1a

                      SHA512

                      08e6f5b42e02ada695cb2585a10af46f0f5cf71ac749ffaceaf83fd4beacf262b3caf29e75138b613803f4f224b8ba5aa38657d1b4ce29367047f11d8b7ba405

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      c9091979a164eaeb1ceec3527447c1d7

                      SHA1

                      9f83bd8720d1f88ba11c780f0129a5e0de524b9e

                      SHA256

                      ba730f5ea024a0a610a1156af3bce097e40c74b214ea0084d8e119acb57e4fdc

                      SHA512

                      775c4a38e12cc38a455fbafc00015585dcac33d241c641c509582b4b37379317cdc070518642f58fdc069b5ed30b2253c05d46997f53b87ec560787544588ecc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0htfzopy.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      7fff9bc43e64a8f413b36bc26f951c41

                      SHA1

                      79fe19118f447e95d3b2691573cf139e301ba7d0

                      SHA256

                      ff43093178ac2250d85cfff4e37fa550b22286e3669cb2108f7e1a54ff7b20e5

                      SHA512

                      e60f8c801031975d253865660169790834cecc463fe886f82877769120ee65955f1cfa2dbbca09926587958bfc1beb9bcbca2d48209d8b15492dfff391a9fd8a

                      Download Submit

                    • memory/32-6-0x0000000140000000-0x0000000140FCF000-memory.dmp

                      Filesize

                      15.8MB

                      Download

                    • memory/32-12-0x0000000140000000-0x0000000140FCF000-memory.dmp

                      Filesize

                      15.8MB

                      Download

                    • memory/32-11-0x0000000140000000-0x0000000140FCF000-memory.dmp

                      Filesize

                      15.8MB

                      Download

                    • memory/32-7-0x0000000140000000-0x0000000140FCF000-memory.dmp

                      Filesize

                      15.8MB

                      Download

                    • memory/32-5-0x00007FFBFF6B0000-0x00007FFBFF6B2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/32-4-0x00007FFBFF6A0000-0x00007FFBFF6A2000-memory.dmp

                      Filesize

                      8KB

                      Download