Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

GizmoHelpe...ol.dll

windows7-x64

1

GizmoHelpe...ol.dll

windows10-2004-x64

1

GizmoHelpe...ol.pdb

windows7-x64

3

GizmoHelpe...ol.pdb

windows10-2004-x64

3

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GizmoHelper-UE_5.4/Binaries/Win64/UnrealEditor-GizmoHelperTool.dll

  • Size

    297KB

  • MD5

    e3a4973841b5f73b84e437aca76a326d

  • SHA1

    4e7bf4691beb412582ce0f19249a33399da6bd92

  • SHA256

    96d01070b5836c5bfe48bc1b099d1cf5e6957603d1cdfc7bf905e2e2e18676e1

  • SHA512

    62f2c300bb81b4d75b4012c1a88c7425d6ac1c6854b37ca46d25aa9eb532144c1bc41e38aedf37b50085353687fecd9da89fb98b49488f321091e0b906c775ef

  • SSDEEP

    3072:TnDWQLHZzhgdiWra8Wx+TIOwmp6rGDosaARJCVZig9KFQppw+3BXRc5Faa9ByAeF:TnD5LRh4La8O+UOPp6wo8e0SYfMD9z

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\GizmoHelper-UE_5.4\Binaries\Win64\UnrealEditor-GizmoHelperTool.dll,#1
    1⤵
      PID:1728
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MoveSet.mpeg2"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4708
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.0.1123983672\609738496" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b723f9fa-cec2-45f1-989f-a87f482836f7} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 1844 19bb9824b58 gpu
          3⤵
            PID:4220
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.1.283863562\1772771278" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {588a12d9-cf98-4d9b-9835-a80cc491895c} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 2416 19baca88a58 socket
            3⤵
            • Checks processor information in registry
            PID:3328
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.2.1735635950\1465452340" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 2804 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aba90bc8-fc39-4825-bad8-c7214950cb1d} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 3000 19bbc606258 tab
            3⤵
              PID:3936
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.3.2135321083\806825692" -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc426359-1817-4639-9153-25f1baad92ae} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 3984 19bbe485858 tab
              3⤵
                PID:1880
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.4.1840932338\1496002297" -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5156 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51514831-f93b-44f5-8e8b-8a8f31dfa8ef} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5244 19bbf1c6b58 tab
                3⤵
                  PID:3644
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.5.371805491\244531062" -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b50dcd4-13fa-47eb-922a-f229fc4cdafc} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5472 19bc1287c58 tab
                  3⤵
                    PID:4368
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4708.6.1090596748\733116196" -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1320 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc78e3df-395f-4675-8c6e-31e80dca525e} 4708 "\\.\pipe\gecko-crash-server-pipe.4708" 5608 19bc1285558 tab
                    3⤵
                      PID:5024

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json
                  Filesize

                  26KB

                  MD5

                  5d7c8e9ebd80c43b8d7f94e235052e27

                  SHA1

                  6ffd5016a8e1df601a790f5a4e362234ca4c6b0e

                  SHA256

                  a793a537f27c3cbe934582739eddfe5350d260689c6e10e97e788b54f451c6b7

                  SHA512

                  9826e0f1f5618cb15527db5c9d28ff85b4a6aef18907740d60ebfc5c236ff3c013e8ce7c38f7beab584123d04dbaed527c9fe8e812ab8d59bbb33e8d319521e5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  3c582c97318fd87a9c518e997148665a

                  SHA1

                  c3699cdc885f02ead6fc2d045cb94b73af29161a

                  SHA256

                  dc6979279d5a43abffb3af9ad69169db0cdd142b080e1e2028af06e305919670

                  SHA512

                  08e2d5ec958524d049e8f82fbd0804c5b9edd50480b047e460b4cff84a2ee86446eda3d6b8000d06e4dfa3bd10c53639f462dcc476d2e77f8fb62db3ef080a3e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  6c6181257cb28296c8864935bdcce9ae

                  SHA1

                  d2c8521ebbe6c713aceca7dd82d98735dc66e455

                  SHA256

                  9fba475d7c8da016a77135f3ee60c10cee4098c0bb0c4f312aa4e66fdc1e5ee6

                  SHA512

                  a1021677bcd6171e595ca2eddccc00e3fd9b3e5864036f9a1a6b83fb0c06809f8383906a134dfe6362eee13ba4436d880f19e247346d99206c8009111c526c2f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  f6a6dc49fe521fbc697e84f21a6fee3f

                  SHA1

                  4cd5d2fefd98631290f3ccebb8f8ce7c2e9b871e

                  SHA256

                  47ee7a553f7590a7b9a5e95bf4eafc2e7a3be5e7ecf3a7acfdbfcc52a7e1dd9d

                  SHA512

                  978d33c4d2df71f1f05b503bc9e2bb14dfb7d49232286dc456459e816b329274411ce5f5aa01469c3682ec29028cfd4e704cd8078ae2425b34a695a3c4554736

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore.jsonlz4
                  Filesize

                  905B

                  MD5

                  6c2ffb16754a731065508b3c7ee5a425

                  SHA1

                  5f48933f708d3c8e5601596030a6afd68fe06686

                  SHA256

                  8c4940822db79d6cbe3d395925f86024de053769260bea0dbfeb32afe0a17bc3

                  SHA512

                  7a6245d6c6627ded33b983bc0fecd3db8a1af7c9c26bb10a1abba577ce2181f846810f429ffc683f31f846debba1c000df2607b8b644f526688018359f62b65a

                  Download Submit

                • memory/3524-8-0x00007FF8F54D0000-0x00007FF8F5504000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/3524-7-0x00007FF6BFE20000-0x00007FF6BFF18000-memory.dmp

                  Filesize

                  992KB

                  Download

                • memory/3524-9-0x00007FF8E4D90000-0x00007FF8E5046000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3524-10-0x00007FF8E3370000-0x00007FF8E4420000-memory.dmp

                  Filesize

                  16.7MB

                  Download