Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

notmyfault.exe

windows11-21h2-x64

8

notmyfault64.exe

windows11-21h2-x64

8

notmyfault64a.exe

windows11-21h2-x64

notmyfaultc.exe

windows11-21h2-x64

1

notmyfaultc64.exe

windows11-21h2-x64

1

notmyfaultc64a.exe

windows11-21h2-x64

Resubmissions

27/04/2024, 16:20

240427-ttf2qach54 8

27/04/2024, 16:19

240427-tsz37sch49 1

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27/04/2024, 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    notmyfault64.exe

  • Size

    339KB

  • MD5

    c338b6fd5b568411039d8a46394133cf

  • SHA1

    06a684c8e8ec66396db2685c0419c8bfb78b1220

  • SHA256

    817cd2e8846c5d90782017a7f29daf7915e5e38e6dd165fb81cdd4642e90f218

  • SHA512

    161f6746bb526a9a1af8d581ccec796119ea0f2d6d7608a12248c698ec9fc1803afd79f162cdc59357a75a3744ad9363c9ba92ed73dc7c04b14523d54a584b18

  • SSDEEP

    6144:M0tmWXSbO1mP1xqDxcW2JjusYmCjO0fNgl:M0tmNb+mLceu9ml

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\notmyfault64.exe
    "C:\Users\Admin\AppData\Local\Temp\notmyfault64.exe"
    1⤵
    • Drops file in Drivers directory
    PID:2628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4744
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1908 -prefsLen 25455 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8bd38aa-5803-407b-8a09-5d49b9d6a905} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" gpu
          3⤵
            PID:4280
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 25491 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {052f025c-1c39-4f90-a57f-a354f6f95e86} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" socket
            3⤵
              PID:1320
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 25632 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {063ed1ce-2899-4dd0-af98-7b3a65b636d0} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
              3⤵
                PID:2404
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3236 -prefsLen 30865 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6838f25-2d2a-4109-b32e-c9a90764f915} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
                3⤵
                  PID:948
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4304 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4244 -prefMapHandle 4324 -prefsLen 30865 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fdbe4ea-3b77-4fcd-b3f4-745c4f5dfc70} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" utility
                  3⤵
                  • Checks processor information in registry
                  PID:4808
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5232 -prefMapHandle 5324 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7be7858-0d0c-46e3-8603-e507a96449ef} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
                  3⤵
                    PID:1404
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed5ff0ec-7767-406f-aac8-f4cf5634f487} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
                    3⤵
                      PID:1472
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {434290e8-8178-44ae-ba3a-68a3b17517ae} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
                      3⤵
                        PID:1904
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 6 -isForBrowser -prefsHandle 2764 -prefMapHandle 2748 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5d62ca-f8bc-41d6-86a7-f6f9e666cc16} 1348 "\\.\pipe\gecko-crash-server-pipe.1348" tab
                        3⤵
                          PID:1452

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgyglpox.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      27KB

                      MD5

                      fcea974871770574474065dc10e16782

                      SHA1

                      f7f249edf2631051bea495ed4bd131dbd7f9c223

                      SHA256

                      334ba3f328078dab96148595e58003a061f17fc5239fc97ad3a5a30308da8b43

                      SHA512

                      2e3e45056e1a6638fbb68a32bab14679adce57cfaf2ba4ab6e26e49bf4489d8fb8f234b326a6736516a3366e9870d04a1741a7c6e4c03a426fcf0c8b149e2cbc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      26KB

                      MD5

                      b52f744a37efc1c362cb537055f5a359

                      SHA1

                      3a292e8dbc40bf4925a7a5a02a5fa69f74746aa2

                      SHA256

                      bded37d3560f8c6a90e9b33bdf19b0a5b044d513006b9c6790a0dca7e51e786d

                      SHA512

                      561fa9ceb60f6400e3208ea180c7e00681bec8f3ef4bc4b536f43127ce91e1ce2474b5f884635bf41a93f15d7d5f3d929c44b6114bbf082272d02516ac065979

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      7d2eba2048193af20920a73c77e2e8dc

                      SHA1

                      c7aef925cbf8e1c60cb510e8dc8c1a7f7ffc6bf3

                      SHA256

                      93f8cc325687d7bd10869783727ccadf6320767804698cb7edfcd36ec6ec90db

                      SHA512

                      2b7439f9ea3b78ff13973f1b04f7ca662cc228590203d686e0127cfa31a2e88009a7c25721203cb4fd537f287216d1b3519cdaf2f1a347ff65eb68e610564521

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      26KB

                      MD5

                      9873c6329df991db69c013a81faaa78d

                      SHA1

                      6716b7d02f42c130350ef9a89cb8b75e1df8ee10

                      SHA256

                      ff0c251d5ba0997be81599dcab535bf96c10409a34316df8797e9dccbea94594

                      SHA512

                      59a2f75b91fc2c45824de3db415a2cb2ed6bdb08de1d366a1338dc051c08c8a86434083b7ea3710c58ca907179a6d5535fa93304a8a6d4c12f74df95c6372563

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\pending_pings\06e964a4-4a86-4b0c-822c-58dca3b274d4
                      Filesize

                      671B

                      MD5

                      fe71bab458a2b28c272b654a8c86afec

                      SHA1

                      7b1bec54a72389870ed652cc5f416938d1db961c

                      SHA256

                      6537d36c16b530919f9d53897dad838a572bf67298392dc9817215631855e1cd

                      SHA512

                      4aae82161d50866a1d8ebd8788e7d66f1129130dde49b89b14120a34a7e56a3d10111f92cf74f2254e4e7c9cd462cd2fdc306e6f848ec45b4d6476dbc91bb6c5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\pending_pings\4c686186-590f-4a34-acc9-7303cf7b4bab
                      Filesize

                      982B

                      MD5

                      0d69d8254f082a5bbc669b6c981f0bd8

                      SHA1

                      3524337821509f601733647a4072cce6fcca43ad

                      SHA256

                      67dcc68efb1230bd0439e96fb290d5db29ff76801d8a7a2ef3bf0b04f97fe11c

                      SHA512

                      138d9aa173c2816c195cdede86849bbc5e88c40da6046f54568685cd7300e7dc8f6571149b26afb7e40122852996cab01229a2d1171f876e069e0623e6a139cd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\datareporting\glean\pending_pings\acd9ba1e-f63a-4fe5-8934-7cfee9c54455
                      Filesize

                      25KB

                      MD5

                      7ab5d57c40bf106f72b146f95ad834f0

                      SHA1

                      0c40fe21ec163d9e35fe07b1fe751b5800eca386

                      SHA256

                      ebf059abb5c756853bd07c073c93c22e9223d4b08d399de34806633a53735ef5

                      SHA512

                      e8d7e6dab16f0705311933c62ebf176dfeef055413e6e1ddaa84ea7bb9d8c8efb90c2c763a2a9c32a8f7788a86954bd4a3cbf84ccf1a0900298761ad9ec31194

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgyglpox.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      1KB

                      MD5

                      b3a13a44f627939505a42184bd40ceff

                      SHA1

                      ddddc44d0982d7e57658d60ee3588ad0af214ea2

                      SHA256

                      7848853427807b316ed2fa8a3d7a45ac1a4e49447af40c3fccbeef76d8d63534

                      SHA512

                      f8f0e3d4c299fa441788e86ea442b6801ebf5e93e9d6b6c5c06e2b5e2bfb88cf27b10fa9f771ababea0bc4c5be669d69d7ee60e547211fe6996729679d01f433

                      Download Submit