Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

Doomsday h...ta.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    72s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/06/2024, 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doomsday hider beta.exe

  • Size

    156KB

  • MD5

    0db1dde537d08771f19ac7ef7173667c

  • SHA1

    a0daab6da8d84c4f575bb354df0b2e4935892a6e

  • SHA256

    ac367231d133178dc72f8d16717fc614ecdf2953f931bb6844f25f964c2114cf

  • SHA512

    8ae03af252fd79b6de0a8be22ecf8a1d45e55701a6c6c017014015b382a7b89de53cc430839907dc35801cbb96e93efd6dd3c414c604433af2083cd69aa39aed

  • SSDEEP

    3072:0ahKyd2n3175GWp1icKAArDZz4N9GhbkrNEkhV82d:0ahODp0yN90QEe

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doomsday hider beta.exe
    "C:\Users\Admin\AppData\Local\Temp\Doomsday hider beta.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "Doomsday hider beta.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\system32\curl.exe
        curl -s --connect-timeout 10 "http://127.0.0.1:5000/version?password=testpass123"
        3⤵
          PID:2064
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4244
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.0.1616510482\1551740096" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b46b4ee0-8f2d-4845-a1c1-98fc0b9f67c9} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 1964 219ff6dbf58 gpu
          3⤵
            PID:2580
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.1.282985423\1169155637" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf1a6aee-1cd5-4c6c-91ce-2385333a79e4} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 2364 219ff230858 socket
            3⤵
            • Checks processor information in registry
            PID:3532
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.2.118747593\1269784621" -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3c8775b-b7b9-445f-ba05-76cd007b3f1f} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 3164 219863b1d58 tab
            3⤵
              PID:4632
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.3.1970233344\722220859" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0506a338-eaac-480e-911e-f524f5b2e9ba} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 3596 219f5730258 tab
              3⤵
                PID:2264
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.4.1285042756\109660859" -childID 3 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddef2405-dda4-40b4-851d-90fcbcaee175} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 3632 219873da258 tab
                3⤵
                  PID:4156
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.5.1492570383\861938036" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 5052 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b2f4ec-cc4f-456d-93ce-d8605788bf80} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5100 2198634a558 tab
                  3⤵
                    PID:3996
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.6.1616760107\165020437" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f16def4-bb27-444b-9ef2-8dc8f35a5ec6} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5236 2198634cc58 tab
                    3⤵
                      PID:5060
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.7.429374389\952238168" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a745afe-aaf0-42ff-8325-bf4c67c4e259} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5428 2198634b758 tab
                      3⤵
                        PID:3244
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3652.8.1407515247\584324424" -childID 7 -isForBrowser -prefsHandle 5016 -prefMapHandle 4900 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3acf24d6-10e1-4713-ad2d-efe95d311af5} 3652 "\\.\pipe\gecko-crash-server-pipe.3652" 5024 219888ece58 tab
                        3⤵
                          PID:5984
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
                      1⤵
                        PID:5744

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Doomsday hider beta.bat
                        Filesize

                        2KB

                        MD5

                        53871ddeb6fc50977f2af246b3e38179

                        SHA1

                        abfcf5f18cc939b6f92b417171843149597aaa39

                        SHA256

                        86dd53fcb4cd4c2ea5a5bf290e2024a50c424428a33f856f789e3c01de74efec

                        SHA512

                        29c1e99192ae4efc1d3e980397549fead2922014ff4e94e90fef471fd62e7edd07838c3d2275c0728d1945a0ad14b2b1ea9d928841cf9bbaf1324cab9e35e764

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        055371ca40aca3b98322cda9a6a0691d

                        SHA1

                        6913aa10c0379617222a09e227b46d12d1d54e6c

                        SHA256

                        b9c441bd91e642e0bf3c384686c42c094fc150d7a8801e338ee33cde8f7ea228

                        SHA512

                        b30b1ce69e985a1aa294722c69c0c20a51660dbd61a068557dfc48376fdf37596c2769c515a91a833a13c0c31841dcdccc2efe2d2ca86fa83f80f1a4b59e6531

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        1842d07356481d7356d3f704461e2aad

                        SHA1

                        3f204a813c597ab4893ae69ede2c39e30319dbf4

                        SHA256

                        8735df50c3b9805e36093dceafbd813e4c174321ea3f6a7d8756638c20adab5e

                        SHA512

                        538c5f2a329dae2f0ffdbbb1c1930d883cfb3f36cffe8986308d38543a274a282d5008f736aacca56aea461f676ab2bf5eb09d692aea3e3665177f2799ba7650

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\d3ec1426-6ae4-4fe6-bc90-aa39412c0372
                        Filesize

                        746B

                        MD5

                        8e1bd28c576f6f88d04fc1b081a0627e

                        SHA1

                        b655f4976aff6ecee3b1d5b783abdac26d64ee40

                        SHA256

                        3cc11badb6f34fae0e829dcc91583cfd3bc658c5c1e2774601e51865b43baf67

                        SHA512

                        6bbd835fccc81501e6899efc11cb31b8bcbce37ff71188e15fb3d1447bb48db70c54d01e4b03304d3ca8a57084febf9d4d583d76cf8d535e922dc2cffe7f1895

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\da22ee9b-5d76-4592-b669-33544d096521
                        Filesize

                        10KB

                        MD5

                        3a30fd5d48736acecd7f73a74427524e

                        SHA1

                        aaca487d02eac161bdb8c57161ab9a1be094e217

                        SHA256

                        710b13f21a9bcc8ac8373f57a633e7eb5556ecdf0fa721c5397890cf4b7303a6

                        SHA512

                        7ea4c4a6081f1fa6b64216ddadeff775d541937a2b56a139e9c43a76c42f98e3225dad7168726be0e82011ddc6c214aee7f1b946f37acc07d36375d90e2717b0

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        fcc0b65ee4b0a54c0faf8c1a6a5662db

                        SHA1

                        0944b2eba3734f73eb5664d3fb95fa94537586a1

                        SHA256

                        6ebd4e781612b3377c62a1b7ef4bcfc12848d11c926db71a9d8877ff0c615387

                        SHA512

                        172eca8b3cab2eb8354096ea37b48490eda1cf3ea9833450f106c28a167e90d5ac68fa7b2c9f626a996225bc114587d80399ddfe84fd1d0447c5f099d7973d57

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        7774314ba2acad8ac9f40887f9e389de

                        SHA1

                        22f45ac77e14d5d248a0e4621855fc5592a7912a

                        SHA256

                        c01248aaa07a18c5123e917ac0e9997654de0d8cd58c88f82ff41b76594ffb8b

                        SHA512

                        bba556e4ce37aa8551db49bc40c69f0bddcd4e8d97f712aa6517621f080fe5dab1ab888dcc2f93a61642641590e553311d46dfa89cf0038bffad6ba30be9aba4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        25f6647dfed3f05349e2428f6d3779ba

                        SHA1

                        439bbe5dc9dbd0ade320c2eb9de5df0a2cafa2e0

                        SHA256

                        27ac210b5f5bcf405d2b374397be4ed1b054329c67287f68b43441b177283af6

                        SHA512

                        337decee8eca78a170ebb34bcad44c62a3aab42ddf1d9bba83aafaaa360a79cbe3093e6ca2a2a972a0511f8404bbcc23d0fedb0dcc6abaf0da28f726e41314d4

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        c3017441149c3b5bcb1b9d57b539748a

                        SHA1

                        7b11d8d0f801dd93a5d3283e0df432ba761f35dd

                        SHA256

                        ceec0b792b2c4271d9cf11b80d62d71f9eebb650a4103cb8884f5ff538045704

                        SHA512

                        701f265d16ac9ba3ea431f10c80a4b53d253215bb45ed93effaa239dd57607b5dd2fa12c359170808d2574d6bad4ab7c202edeab4526bceb3bf9c6548ec63746

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        0bb7869378d5d2fa1d85350cc9002fc0

                        SHA1

                        230b1a38dfd9ee7deca8a711e7c5813c580b6c85

                        SHA256

                        a4743bec36a3a8a5f7596cf88bb763e8e78424ba2819b32ccfa94cecde1afe7b

                        SHA512

                        268e60d3e35847af6cf657bdf8c1e4e3c5ec7f486e47e50c0da4c31fe1ec54f82b5a7b318b9450691f0dd639ddb0044ed5dacd8d5944241cb691a5e1be2fb230

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        3e428bb4cde6bd87ea394b6784bf9dfc

                        SHA1

                        f11d9f4b9949bbad1a51a2979744c4ed690d73cd

                        SHA256

                        44ea13d08979a035769776e0e6d61c83c217bc43b5aa0d434987de21f9b24678

                        SHA512

                        2a7ef522fe2327f421acedf97176dce3972e0e57e80d348bef4091dcb3f93ca28ed53a49b3f5c6cdd97b2329da883ba5e5afa20eec9ba1db544ba7c065597d67

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
                        Filesize

                        924B

                        MD5

                        305d8f9aab1f4041ea078b8648d7cbf0

                        SHA1

                        ece02b62e862d1da9d440a90599e685099d8ef34

                        SHA256

                        c95d32b186383743f66f6ab33e38b6a8da270b66880b46b1df33453313199615

                        SHA512

                        c44390408f011e5675c5a439cdf98c78841b615261b68cf1ddc59b06aa053c3270e5f7e3e47a4d47644d6ab5450fe62de51e3e602ee332e965700efa3d75e6c7

                        Download Submit