Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

pafish64.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    158s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/07/2024, 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pafish64.exe

  • Size

    118KB

  • MD5

    4b6229d1b32d7346cf4c8312a8bc7925

  • SHA1

    4d83e18a7e1650b4f9bb5e866ea4ad97a21522bd

  • SHA256

    ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f

  • SHA512

    804f7e663f3a4e03f99e19f7ad8e89362c9d11793ece2e0716f86bce020f6ce95766fc4f6e686375b73d0b6765cc75029d8d6527abe0777b91ec807f81c7146a

  • SSDEEP

    3072:wgjIzC10pKQ6PbNehdv3I0lmPendNyrOMGTkrNRD:wgSCuMDendVMGTuNR

Score
9/10
evasion

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\pafish64.exe
    "C:\Users\Admin\AppData\Local\Temp\pafish64.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3184
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.0.844982224\1848168544" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a6e4c1-5013-4188-b3dc-b750865782f0} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 1848 1ec26df6758 gpu
        3⤵
          PID:4952
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.1.1248448817\214034253" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7aa4ecb-d053-4d06-aad1-7902e569d538} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 2372 1ec1b08a258 socket
          3⤵
            PID:3868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.2.375610003\261685934" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2876 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e78e90fb-065f-4128-994a-a94fcbcc677e} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 3024 1ec2a5e1858 tab
            3⤵
              PID:4136
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.3.192869494\1464588249" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0415bd9-6c69-49a8-9aba-1101e7cfe68d} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 3460 1ec2d3c1b58 tab
              3⤵
                PID:5028
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.4.2093482447\386007088" -childID 3 -isForBrowser -prefsHandle 5080 -prefMapHandle 5048 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7679907c-ed43-49f4-8d09-e5966b0e769a} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 5092 1ec303d2f58 tab
                3⤵
                  PID:4776
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.5.1880910270\271841935" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0efe3c29-412c-4845-9e34-8d877c0c78f2} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 5232 1ec303d3858 tab
                  3⤵
                    PID:4656
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.6.1644953382\2049532234" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbb1b94f-7af3-4751-b205-5d76eccd8273} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 5424 1ec30492558 tab
                    3⤵
                      PID:4080
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.7.416917375\1108348711" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5244 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d3cab3-7123-452c-b788-da4063a610b8} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 5304 1ec319ae358 tab
                      3⤵
                        PID:1200
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.8.2097816121\1914866856" -childID 7 -isForBrowser -prefsHandle 1268 -prefMapHandle 3564 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b6d9b57-d8b0-45bc-92b4-93f0f3b1a229} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 5464 1ec31635c58 tab
                        3⤵
                          PID:700
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2732.9.963912275\233453805" -childID 8 -isForBrowser -prefsHandle 6096 -prefMapHandle 6124 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52139e99-831b-4218-a5cc-3179fdf6473f} 2732 "\\.\pipe\gecko-crash-server-pipe.2732" 6120 1ec2f0d6058 tab
                          3⤵
                            PID:4708
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:1804
                        • C:\Users\Admin\Downloads\pafish64.exe
                          "C:\Users\Admin\Downloads\pafish64.exe"
                          1⤵
                          • Enumerates VirtualBox registry keys
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Looks for VirtualBox Guest Additions in registry
                          • Looks for VMWare Tools registry key
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Checks for VirtualBox DLLs, possible anti-VM trick
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of SetWindowsHookEx
                          PID:2032

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          25KB

                          MD5

                          eaa6e7a1e0673f4b5497367af4beb389

                          SHA1

                          3c90f60e7d2b382b19fbc8d7a5953980cf6522b5

                          SHA256

                          fc58416fe9fe818df7bb27db81fcebd2c817836f68cb10c84fa71e7e4b207ef7

                          SHA512

                          d6797cbd57e00c6b5712ba583fbabaf478aaf6bea2500d86190904a871f5faa117367966061177e212ed6ec056736e3da3946d49afabf8e45c494d66711f5943

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          26KB

                          MD5

                          f09bcaba53b31884805db41c31da605a

                          SHA1

                          055ac664c0aabc79da7b7fdef1ab70e0fd09122b

                          SHA256

                          e3070070a94f4320de8fa86f4fbf5fee79977c8f6971555637ff7861de2d09c1

                          SHA512

                          6f297635013ac9e38d3c3674a85ba5fe887384543c28d7d48e17fcbc664d9c30cd8d780650fccf3a6f416d4ba1b1a2787aa92c53edc9e437502775c8d4aa4557

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          319b7b07af36a554167e0582510782be

                          SHA1

                          ac3492e5299cce4f05f1de94ee5f120f437b7ed8

                          SHA256

                          a23b68a53b280822258d68213d62914d0d61a18791aa66a78e8c1813c7d07a91

                          SHA512

                          895736397742068e8a52ed3650099e7f3fd8bb595ae72bca7591258918fa67274b29380c644fc89299cd1bfd473504254d9307f20ab75b1afbca66d3fe9bd893

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          b6a3cfbf67d534f2590341b6a993d3ef

                          SHA1

                          c9d5049e28e85b423353ecf261a941ae3ba6e6b9

                          SHA256

                          4cd6329b895548a8fba01f4aee07b79daab0717fadd4c25770dc7d3f6495870b

                          SHA512

                          90f3046fdabece782bd435bd02f34b7f50295bb5c28e3b0f10d1c05301e3afc8166577ed433b9eed35e84f35aabf4f3c5fbee85c6c7bdd120069a1fd01e18a60

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          e7ffe603d9bd72536dedd0abe1eedda4

                          SHA1

                          12bc5fe2b58acedf078045471ea66b2f0317bd69

                          SHA256

                          88bbfc5a8c9f4eb198fff9ba4fc6151b93e429b9cbe9094ddda3d1e3b9bb5754

                          SHA512

                          01f94f47742d5beeada79b0dd8b945904d5e3fe20d699e41f6625d47ead9c1f27ee49f14b6a04553596733bfeedbd88935fc83e927c7022059130bf96835baa8

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\prefs.js
                          Filesize

                          7KB

                          MD5

                          828560d9338a613af56b637134f19e1a

                          SHA1

                          a79e8bed53d9643bb5ebc9aa79dae1f615300fc3

                          SHA256

                          6409c54049383e386fd8406031bf7194cd0ac03ac4f7395a29a290186df35c40

                          SHA512

                          76d658176c292cb947f88e98e51820f7c529f38a993a99e66c8c13aad651416cb0061f2886295a4a2facf26fd12fcc2a5c74a04988532ad7ba7d8708dc1e6718

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          4KB

                          MD5

                          460ee858e929cd3cd87caed890363ae0

                          SHA1

                          b688beb333d3a24c58578b3e9255bcfcdcc53371

                          SHA256

                          7eeaaa0f13ffa29004cb1a20083eb095eb19cdab5ff1c17f43477e889c4081da

                          SHA512

                          a439933e5ab346b07c2a91507849b8511882d6bedddc365d156c266e37cc6a80a66d293efbecb5be5b1d0eef1ac430384b2e54c2aa93662c5abd239167ed1ddb

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          01fcaefaa390cbd0bfa7a10266cfeb8f

                          SHA1

                          e3df4a61d95f44429198926c1763074e7b6d2ee9

                          SHA256

                          c65583aef3558f0cd7513a5575f8b2ecce8036c6e1b0efab4f0a1da0278ce398

                          SHA512

                          7dd7feb90221ff12bd10e039e2253c601b67c7e91c638358364e70f16ce2146735ba527f2c54909f77a588759072b421ac81f686d23415e4f90aecd7295f5aee

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          7KB

                          MD5

                          6a24ef31ade6d16b304568e0dced93b9

                          SHA1

                          3585cd7bb09484cc938d42069b5ede5c9f5eeb9c

                          SHA256

                          860c6b35db0e86f06c47ef6720991165db2a4387a77e29a5d124e2cdbd94f70d

                          SHA512

                          79c4e20af4ed506672d11c799879790b9fbc1a43e265fa702c7608408033d6b420dce2bdbcb6806cf47f6b757cd21ed5170f91ad385b12105185a68e5f4c9484

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          5KB

                          MD5

                          29208880c593b4e9bb12200dac2d174c

                          SHA1

                          c4434100b8917f61965fa47a9dfd2b4c7bccbcbb

                          SHA256

                          f0fe41358c5c5633fa2f3ead33386d63963d2b39feb811f4c449254a3d32e9ba

                          SHA512

                          21e47e4176a30575ca032aaa87371194faf4c3b2857d321c6870bc50daed5d0f19574ba223487b5537fae319337b7e521b64fe8934eb2b0907aafc334068f725

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b5ssbkd8.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          7KB

                          MD5

                          b769c76d2e8a2171aff9aa31cda34e8f

                          SHA1

                          ddcd9b5d24d14a41b957edae42b2db23c9ee22eb

                          SHA256

                          f1cd0e0c657701f5b8b23bf02e93d0b380e29fd0deaa32522a460a35036a95de

                          SHA512

                          98f6898b5c5252f8846077953aa4e09335baa674e87d1550b09b4ada891f6e74005c4fdb704f05203ba95bb183001f70b7f84256255aaafbb1b97461c8ebd7c7

                          Download Submit

                        • C:\Users\Admin\Downloads\pafish64.AhAU0wql.exe.part
                          Filesize

                          22KB

                          MD5

                          ab3b1cc84ef6bb83a45b689bb533369a

                          SHA1

                          c90b52a4f854173be2db64fb962df79464598779

                          SHA256

                          2b0d3e62f3e23dae0f4ccc77c2cdf07381b63cda4b4affaf3f896f67d96d4f4a

                          SHA512

                          27cab99e800899e30008d32516c39ef7ddd6e268882132e54bde7fba89146442ffa2e617cfcb695e9be807ae10ba50aa4e4dcd32f38cc1d871124466b8441392

                          Download Submit

                        • C:\Users\Admin\Downloads\pafish64.exe
                          Filesize

                          118KB

                          MD5

                          4b6229d1b32d7346cf4c8312a8bc7925

                          SHA1

                          4d83e18a7e1650b4f9bb5e866ea4ad97a21522bd

                          SHA256

                          ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f

                          SHA512

                          804f7e663f3a4e03f99e19f7ad8e89362c9d11793ece2e0716f86bce020f6ce95766fc4f6e686375b73d0b6765cc75029d8d6527abe0777b91ec807f81c7146a

                          Download Submit

                        • memory/2032-581-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                          Download

                        • memory/2032-592-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                          Download

                        • memory/2032-597-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                          Download

                        • memory/3184-4-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                          Download

                        • memory/3184-6-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                          Download