Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
192s -
max time network
195s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
01/07/2024, 13:21
General
-
Target
popepe.zip
-
Size
30.2MB
-
MD5
c667e8fb82f2e7a4f0590f2448f50a5f
-
SHA1
a8e1900cadefe6f297880ceec1a9c0caf4e5fb14
-
SHA256
460e89b89994f0279284eb1ddb2badf66a7d05abcfe13cf1f2674deb3f08dfa6
-
SHA512
0f272c08114cfb0fe666ada799c857bac8ddd7788207424efdc24eb00395621ebaa2d6e42f91e7ea3c5ac552d6890db9dfb87e0cf2593b1ec553f33523ca8b5c
-
SSDEEP
786432:ATe/Wuc3sXxDLjPnF6JvZm9HQ9p2IkkTTsBAnz5uhaJP/1Jo21:pxcCDl+vZv9YBkToy1uhaF/jo21
Malware Config
Signatures
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 22 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\popepe.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.0.398215761\1376935484" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {665042be-e515-4a60-9400-1b9245b9c246} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1780 26747deb558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.1.48871487\930793984" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f369fe-b558-443d-89cc-8d5e6273057f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2136 2673cd71f58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.2.747107536\813304889" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2672 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {464212c3-de4b-4d70-8b5d-6feb874dc9c3} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3036 2674be98758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.3.1897773253\822976218" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d43237b-650d-47c6-83bf-90f151ba404a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3516 2674ce46758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.4.928858827\1044829204" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5d527a4-4626-41ee-af60-4744dc6e0c9f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4108 2674ddcac58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.5.958978361\260570277" -childID 4 -isForBrowser -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b41fd499-c468-4725-8b25-76069bb229ef} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2796 2674e458058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.6.275738258\652948856" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7254be9e-88fc-47cd-b776-29f156ac2e45} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4996 2674e457d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.7.1411502121\1366223263" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e56a0704-7bf6-45da-a063-71e2ba9c417b} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5188 26749697b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.8.167451771\335894138" -childID 7 -isForBrowser -prefsHandle 5548 -prefMapHandle 5684 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e352def-90ff-4fe7-bfac-1d52c727158a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5696 2674f5ec258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.9.1976718312\2083416481" -childID 8 -isForBrowser -prefsHandle 2824 -prefMapHandle 2620 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66b452d3-438d-4ef3-b10d-e2704a3bebb5} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1532 2673cd30858 tab3⤵
-
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\popepe.zip"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\niplnk\aeniks v2.exe"C:\Users\Admin\Desktop\niplnk\aeniks v2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\niplnk\aeniks.exe"C:\Users\Admin\Desktop\niplnk\aeniks.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 9922⤵
- Program crash
-
-
C:\Users\Admin\Desktop\niplnk\aeniks v2.exe"C:\Users\Admin\Desktop\niplnk\aeniks v2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD50009bd5e13766d11a23289734b383cbe
SHA1913784502be52ce33078d75b97a1c1396414cf44
SHA2563691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129
SHA512d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b
-
Filesize
960KB
MD579e8ca28aef2f3b1f1484430702b24e1
SHA176087153a547ce3f03f5b9de217c9b4b11d12f22
SHA2565bc65256b92316f7792e27b0111e208aa6c27628a79a1dec238a4ad1cc9530f7
SHA512b8426b44260a3adcbeaa38c5647e09a891a952774ecd3e6a1b971aef0e4c00d0f2a2def9965ee75be6c6494c3b4e3a84ce28572e376d6c82db0b53ccbbdb1438
-
Filesize
2KB
MD57f38048a5b4bb647a43e93df970417c3
SHA1f7022125ba74f50d0d4515ca0b47ccc88c2f47e1
SHA25681d8c4d06be3654f64a49a2effb3606bb48a37556f4db38a524033d9949915bc
SHA51206adc7711a98548c94954546a4a547b2547d63d1f26351a58e17d38b73c02e54823daf99d9aae8311225c02bf9e2f40bbb903ff6707c3ddaa64b1caafbbe342f
-
Filesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
Filesize
554KB
MD58a679c02bfbb88c2760ca0d962c0b1c8
SHA170b1528af5c62336043b2531fa7b477f9412278d
SHA256bda7bd9f39a00b007f21a4e9b82fcd2267f4dfbd53800379210ab4f91e982529
SHA512df1031975a8acdcc471638dc21642c5081c9edb704382fd05c63ca638c61c637ceb97a480a18cfd3a1c784c020a2f2cf853f8c9bad5e3b3e3857c7ee25ea26a3
-
Filesize
14KB
MD52a4325e2473367762683c8cfaa431e5e
SHA1cd9abab16600becbbd25dbd460de044f8ec6835d
SHA25661de67d61cf9977a30ebbd11f82570d4472620e3e15af06e4c6564d96faa091a
SHA5124c0132997381bbf074232857874ef0bf052f42be78abe23ea9c30c10735292f1580710df63c8eb78ae70979db301d43fb53ca3ceadc4bda4dcd7fabe13fac8db
-
Filesize
587KB
MD557df9e2d44f84a5e7e87c90f68315065
SHA19970f89466e835133c9c32359d5ae50335b44bb2
SHA2565d0aac392bbefee9db6dfcadef1d10c58e047cad3b49a45eb2dd1b2e99fe8efc
SHA51268e80de2f7cd5b65ace061aecf897cdd1106afb52b6aa6a4736f26392bdfec2cb1b055820659c1c6922368c13ffdd86dd807731110916c82ae8ca167601beb1b
-
Filesize
2KB
MD5a5c8d08bf65e43ac2128a2e84656d629
SHA1349f9feea34d0db5a98b108428a75d0b7b3fda26
SHA256560e444472749fcb8dab13669a82d8a18095919f07c068ae0eb85305fd61ea8c
SHA512bc523321627a53e60c691d2becb469409e8c634532c13a87de42adc95818f694e48176b377b8425ef9fc6a3a3d37828faa0314232f07b4a7a02d5526dbf15820
-
Filesize
746B
MD57feed74edc985b11aaac538c35d02cd7
SHA14285f58943f79735f68e6c9415f635b4f03e8a53
SHA256456b67c2455dfc6a76ebff94e51d2f129a26dc563399820941bf7f1b05f54b92
SHA51205dcd41e8465d74218054a28781df8a678658f4d83714b8d07d22c10d7a2f214c121fd7e7be6b5b292f43ca813b0cc5e6fde777215609c2f3217441b19726a73
-
Filesize
11KB
MD5ca3cd377aad5aee7667ce0600166bbc4
SHA167b6f61b52631fe9bba7e0dc79a6180c84b4c9a8
SHA256a35724479c52b8a2dd46c244d703488c2f657cc25b6649a7d05a9d3dae593f19
SHA512da4aa64000a51b7cb7a2ba9df17f44f8309d760276458839fedb1ea2bf8baaeba80582e2ac599b6666a415867b46f89221b7bf84e2cdfd2e5ae7c7fb087227dc
-
Filesize
6KB
MD5bae965cb3d5b0e9169d30ac0de3584e5
SHA1125a08c31ef5e85a97aedbb9146e3414cc6c5428
SHA256033830cd555460b966c28e6d94c9f8552c5c0b98948d3459b3572b20f94098ef
SHA51261b5dbbc34a800ac296b07ca6aa0b6c8b8acc07af54716f5e34ce8fef6f31c5ef88ba4873e7124a758b784474a8bc9ec5cdaec70fe0a8499da6804a67837c87b
-
Filesize
6KB
MD544c2518618d3461182c2236c8ba30228
SHA14021a61c5f1450c46eca43aed305da055cc45f17
SHA2561449fced21fe412cbda96040cf985fed2f4ffe8811bd678d9e42a7826a6f7b52
SHA5121bd5b6c054e9d66a21ef84e4bcd1ca8946ce3b18e0da643b3b05285d1e446ffe11b4fabfef4a4bbeb7a791b3e37d9dea63f1d49d43f1721592463cee91807aa7
-
Filesize
6KB
MD5d177ff7e6ab2e1f885e327b9ecc8c9e2
SHA1b8f4ee8cacf2b902ea2adef7622bf356df2d776b
SHA25667d190f777bdc56aa4e69aa64458faae32b4c70860bc665306bb090bf092b53e
SHA5125ef5dcb193ef2111839bec58c225eb94eff95cab8e9acba64a45c5168987ecc112d5ef35fde9bc0ba0c9d5983f506dab65a5152c07e936088af1cfe8bd88f52c
-
Filesize
6KB
MD5f03eb6aecd5793eba6e7726f8c78d295
SHA14b95dbb565049c142e4b3fe54db28438531d1ce0
SHA256d09786a2057673d4ea87141ef0d2ccc01db99fabfcf2cb61c88fe448b13b7f79
SHA512772fb3f93b1aa00e35d964c81b8f861e1199f30335b42fc791824363c95f38922c5f87c88b18e7f9ae912f76bd19379d6dfbf82b7c19997201df95406c3c57a6
-
Filesize
3KB
MD57f54c2f7d12e7455d52771200e2777a9
SHA1f542e67f0aa73a72b2e31f27ca6fa89c6a0de51a
SHA25636ff26f63f21786f29b63e4629907aa367a061fa9ee9fbb3e51538982c1e9d62
SHA5125262a4561889084fd5a6db3114b6f8a750f851fdaf1818a4554f1b8562cf32ad1944a7839f8201ae81893683813ad7b1bcf15dc67976ce7a5f5b4acc0e7ac70e
-
Filesize
2KB
MD5d76af305db62af1ffdd6427def419545
SHA1386b6652a4c85ca41d847f41fdfcc7ab482eb3ae
SHA256475e025e99f2ce512c4b94f245f15168bc078a9eee9c218c6d92077a2a209063
SHA5127306f71c0513d16706b8bad1d1dceda31e6c1fc07362e7e3e0255d60ed743a7192e63cd56daaa00bcbac3cf526b03615fb735f02cdb8989eb5e484f8b2b32f8a
-
Filesize
2KB
MD5c376ef789cd2f2baeb1e9dc869bd6bc1
SHA18a23f31769b5cb225a2ea2ed93fefe69a1b31c33
SHA2567f5afe0810be1126721953250472e02205007d66bcb9f0648a4497f84ead784d
SHA5129b4b5f9e9cc62adcc1fed2ff4fe023fe2c7e4b961280fa8175f6cc7804300053d2ac77bc8929e8cbfaca294f3ad1a84c2c115bd41162d9db166eca3dc56fab45
-
Filesize
407KB
MD5155d8b3ca4845f74a9ffcf18d402fb50
SHA1896fa15dcc5f7a3585b1e91e42866059fa3346fc
SHA25657ab7f36936d31e2975e26c454d0d85c3b2ab56f3c7f34afa2378b1b2090ed45
SHA5122fb221fb6dcad9793d7783ead27e77b98d39681bdf758a6dd2840445e7c050ffcb3392649d61ff2ed22899c4b07b4e2084cec04a6ecb8031cfd5a7b552fb2e5e
-
Filesize
357KB
MD5b5b50daadf3cce6a6f597a1af09850ff
SHA12b2caa80be066f47d4b9398af2e645d51cd3bd9e
SHA25635a457b3beb4e959df2add3d0bb9733b1ef85bf231377ea9e7768a3fd2afbe84
SHA512247a218a2b5a2203d244f4ce057b3d854201fc1aaaf921179eff127b2a0614ef031b692722cfaab263662f89286af0ec81b35c9d80bef16bda955cf9132d6852
-
Filesize
15KB
MD51863a933f19192af21b62bc67d741121
SHA107c998e9d972b41ad5af8d4457f65677d2d84a70
SHA256f45dcb9cd8e4f02c0cf3a406075ce8d743dce293d7d85fa1d73e8b683c75bfdc
SHA512fbfef4c62f8cfb7d3d2fd76c2ba920e625365e5d05666ae553f5eaec6c623b89f3de963e1227559473b3a89b960292740754b403aca29245768f892e9c7c9086
-
Filesize
1.5MB
MD5f1320bd826092e99fcec85cc96a29791
SHA1c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
-
Filesize
459KB
MD5d3174cb9af9b1856d403323eed5a390f
SHA16a5c3d15e43040194f4d3b429bf51e719ed2df32
SHA256c7abbb14ef21abb5307ae660edce7cd00833048056288eba00097d610c7b8729
SHA5122ddab8137fccac26648e3058ad04664e23bfd17b57c37ebe89006c80cb6f72aeeee71fbc66cf8140d57d34cccd696cae8a963002de1fdfaef6317efbc1ae4b4d
-
Filesize
24KB
-
Filesize
448KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
360KB
-
Filesize
5.0MB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
24KB
-
Filesize
400KB
-
Filesize
300KB