Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
48s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27/05/2024, 09:20
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.0.1963577426\2054131459" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72f1f83a-956f-4ee6-bbdf-156ff72605f1} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 1892 1e79e125358 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.1.230708891\1198546757" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8552ec82-92e2-4bc9-b3c0-acdf695364cf} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 2488 1e79138a258 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.2.1245723286\2008317320" -childID 1 -isForBrowser -prefsHandle 1516 -prefMapHandle 2992 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce085ef3-f4c1-4161-8fb9-de4b2a39ee8d} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 2984 1e7a1143058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.3.29420374\1979959099" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16379cea-6e63-4322-b6ed-31cada551ec6} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 3640 1e7a2ced858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.4.1007570141\1795322133" -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46eb79fb-5868-4e59-970c-23f3b7ba2bf4} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 5300 1e7a55a1558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.5.85769321\1969971845" -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5372 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0df72689-fbdb-4b40-ada0-80438724946f} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 5356 1e7a55a0c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.6.1313085191\1458693731" -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74cb4492-e6ba-4820-a1ed-91c5c362de8e} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 5592 1e7a55a1e58 tab3⤵
-
-
C:\Users\Admin\Downloads\000.exe"C:\Users\Admin\Downloads\000.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 05⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 44324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 43804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5472 -ip 54721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5472 -ip 54721⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3959055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
896KB
MD58bbe48f1180d1685bbad147c3536fe50
SHA1a6c8fa161230da42e3196f64a7d55449bc504536
SHA256908c395d6afb1d1bd25718eb2fc8c0a0937cb9d60f1f365c8c1f863f026f659a
SHA51250f7850c5bd4262c71e0f753b8497338185cbf9954ef48f72d12f9f5bc0cd2aad2b5d6ec1cd7f4235de066b180b1abe37180ceda14c9d57838fb16ad89045053
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
26KB
MD549601d81b9f85c01bb89e11802a2a05f
SHA1dbf75b57254bd2f19bd956bf383143fbcd522307
SHA256e4b9f68ac20a535773e451370ddd61a89b1203bb406ff9e5be3bbe7c4eb6a723
SHA512187d81fc554c957a63900ffa366176e5314091d76d372e69e9f3f97ce693d2c51d76183ee546802b399a7d296021cc9905d37f268ad506814cf3eee274c29045
-
Filesize
6.7MB
MD5f2b7074e1543720a9a98fda660e02688
SHA11029492c1a12789d8af78d54adcb921e24b9e5ca
SHA2564ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA51273f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
-
Filesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
Filesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
Filesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
Filesize
6KB
MD5f61f86125bafe0529f6deff79a610796
SHA10822fdce5ed600c9cbb6672d4cd0bb220633ef7b
SHA25664b996b1ab0ebac420f079c1569c8b8e8204c257a1fa6ee6ccbaac8b33ff0a44
SHA5128cd830909979574f12a3d45820ba0e33422a0babfad7b65c643d3f3bc35b4b58d57aad1617007cc1935fdaaf400d3d95e3cd4306da8535f99e17b6383c2f62e2
-
Filesize
7KB
MD5362ae228b212255d23149975b23c583a
SHA1516394738b07e3abce95652c3f6497808a106b19
SHA2565fc4376999567c9ded0b57866307c2a6aecef481d8cb594af0c77cde265173db
SHA5122861838a7297c4d9deeddea13b3858cf8bece3156c0f7dab514e75e3001de7cd79c86e09bfb592467ef6d052fc6515fedc0f5b57ae092944a5e1ea725cce5dde
-
Filesize
7KB
MD5c911e28c7dbfb6e65a93b46214e7d881
SHA13e7403affe6765053a1b8d0c05a9941a79e43de4
SHA256013a4cb57d521da1c25924cfb71944edf2b4cad41f8d7923a7f210fd056ccccf
SHA512b063dfa7b84f2ba598e7b46ead2d964e2d09558af108c2a803752dc6f47a8e3231d451f85be31deb654ab386936257645d36afa234c92f9124a75b9ea3f0c1be
-
Filesize
6KB
MD5c401d8ec9cabdcdee6c323b797abd2c9
SHA14326c8ae6fc644edadfe445b168fef3c2d16ff03
SHA2565e5882810bf0cf648c8fbe0494d9df62256622c319173ccbd30a66100e55fe20
SHA512f7a1137b6a5af22656ebafd791c4f4c5619d0b96d82057182c710a7f9601196264e04a2e2bd07bbc1fd96f891aebc9f2815e9e95778c8d6cc06ea74998d64253
-
Filesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
3KB
MD5a35504bf82b9636aa5220a1f917ea2a6
SHA1d12e04413776a9dd10265b170e6d9d1542f6895e
SHA256100cb4781a5cfd7abf9219065e6e1a4154f94e6e310c7fc9732977bd648401b8
SHA512028aa0c0df1e06e26d21514bbe27f66855cb0e835a7d97fb5f13af75083fea0a8fcdb89fc7564c2a6ebd976571520dc15e4af32dc3c3370dec35fae90255c2d0
-
Filesize
3KB
MD5221574717eaa0494c6db9c48f1094ca0
SHA14937fa44fc9ff5cec82b961898e606615180d062
SHA256d948d3056107f72ed6a7057825a7748e51a0187ebdc6fbb0001768619249e365
SHA512f61b1b92ff84103eedee91fddf2f2af00c15214a5a0f196bb322b72aa0aaabe56509cfcd186a8542ec0a8b7080858cace546f3797693acae30201cc367c81f02
-
Filesize
3KB
MD5be1d23242aad6ef29c196aa5020fe0e4
SHA136dac0f4cd1d15abae0c192696e4e4d6c7235b9e
SHA256f2299c1d87b4dca7b804f1c96e3e001534688ad37401b0a732204383c4d3ab26
SHA512ff6d1fc31aba6dff6c16aa884da8484fef30c09cf8beb54389f1d7c38eb6602ef6f8624e18eb20bda9d960026fc5adda6e9a13241962c13e7fd20a2490481cce
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.7MB
-
Filesize
4KB