Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/08/2024, 14:59

General

  • Target

    https://click.mc.ihg.com/?qs=5add2cf152643e82f753ee24a3840398b2b67d8df70a4184afd46ac136da31720d3830d511080401a9e0e18c09bc5f56742c01d2e660b8d362b299e67443579f

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://click.mc.ihg.com/?qs=5add2cf152643e82f753ee24a3840398b2b67d8df70a4184afd46ac136da31720d3830d511080401a9e0e18c09bc5f56742c01d2e660b8d362b299e67443579f"
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://click.mc.ihg.com/?qs=5add2cf152643e82f753ee24a3840398b2b67d8df70a4184afd46ac136da31720d3830d511080401a9e0e18c09bc5f56742c01d2e660b8d362b299e67443579f
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0ddf11-5d9d-4ed6-b2c6-15acd058b581} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" gpu
        PID:3564
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2af2934-7f16-4977-9642-9f4572a7dad1} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" socket
        PID:4864
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2984 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f5cabb-486f-427a-984c-4bce53cd5bcc} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:3252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -childID 2 -isForBrowser -prefsHandle 3820 -prefMapHandle 3812 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d3786d4-307d-4792-bcd3-ab79f38afa26} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:3408
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4732 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {863b2854-3019-4dce-837e-529f0a1d7cb6} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" utility
        • Checks processor information in registry
        PID:1892
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 3476 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f31d72-8b42-4535-9476-3bba56423346} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:1908
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {027c1340-e394-404c-b4cf-78fb03ac48c8} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:2212
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54bf65ea-e8db-4bb0-807c-52e5c5b07b1c} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:656
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -childID 6 -isForBrowser -prefsHandle 4176 -prefMapHandle 3564 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51d519b4-3931-4ce6-9b76-b1c30528582a} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab
        PID:5364

Network

MITRE ATT&CK Enterprise v15

Downloads
