Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

New folder.rar

windows10-1703-x64

8

dll/libcry...64.dll

windows10-1703-x64

1

dll/libssl...64.dll

windows10-1703-x64

1

envSetting...s).exe

windows10-1703-x64

1

Resubmissions

04/09/2024, 07:54

240904-jrrekawfpn 8

04/09/2024, 07:53

240904-jrdhpsxhng 3

04/09/2024, 07:51

240904-jpy2mawfnk 3

04/09/2024, 07:47

240904-jmpeeaxhkf 8

04/09/2024, 07:44

240904-jkweyawerp 8

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/09/2024, 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New folder.rar

  • Size

    1.2MB

  • MD5

    0e27b6c7d01b34ce5d813fb220666818

  • SHA1

    40b0d7df39cde7189fa2edf8df00f009e689ad58

  • SHA256

    529f80681ecf521cc214cfa2a8e057e7120a50c1e6ef8b5844e6cc960dcce4cc

  • SHA512

    90b5577ae189d2c48329ff5cd8ec56d7bf0f074cc58631a98d71d37e9c88f7e6a46dfcf7001876115c8d3e4c28fae8c4772d9c4f9f7566a9b66ada776bca9894

  • SSDEEP

    24576:tXcf7fkxdJV//YPlCPjHvL7h4tPzka1/v4it7izGHU0Old:tsDC3V//YPUPjPwR31gld

Score
8/10
defense_evasion

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder.rar"
    1⤵
    • Modifies registry class
    PID:3492
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2436
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2244
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.0.1144765541\1473433261" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1676 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62798423-37c4-427a-870c-14667049259a} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 1780 2f2f13b6e58 gpu
          3⤵
            PID:660
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.1.689132646\2039913475" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2112 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8334c70-d08c-4575-9a42-4a1d83db1ef5} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 2136 2f2e6271f58 socket
            3⤵
              PID:4916
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.2.280766103\1552991873" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c2df846-a0e8-4e4e-b1ce-057ded152523} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 2872 2f2f135de58 tab
              3⤵
                PID:3636
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.3.835881137\2047756373" -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 3296 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f0a624-8974-4d51-9e24-a9b7ed0c49eb} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 3576 2f2f61f6258 tab
                3⤵
                  PID:3924
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.4.1449901905\708165598" -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26271 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db290143-8c4c-461e-950a-b30c76df3b7f} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 3944 2f2f69c6358 tab
                  3⤵
                    PID:4008
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.5.875117840\1124875449" -childID 4 -isForBrowser -prefsHandle 5012 -prefMapHandle 5004 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50546c55-a964-4216-b976-eaf5ac3c6c86} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 5032 2f2f7ae9b58 tab
                    3⤵
                      PID:4560
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.6.555454594\12692536" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15c96dff-755f-4413-8cd8-24b549c558e4} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 5160 2f2f7ae8958 tab
                      3⤵
                        PID:1688
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.7.953116797\1629716697" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5156 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b47dfd91-e3ba-4053-ba0a-5e70e2b91fb4} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 5256 2f2f7ae9e58 tab
                        3⤵
                          PID:2200
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4100.8.699512795\880086495" -childID 7 -isForBrowser -prefsHandle 5756 -prefMapHandle 5832 -prefsLen 26873 -prefMapSize 233414 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85d8f180-5b28-4e34-9434-133d2009dbb8} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" 5736 2f2f5763358 tab
                          3⤵
                            PID:720
                          • C:\Users\Admin\Downloads\winrar-x64-701.exe
                            "C:\Users\Admin\Downloads\winrar-x64-701.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:804

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        41KB

                        MD5

                        6f8338a44bfee57136b41d4570da9950

                        SHA1

                        066b817faf2515b0918cf24358f88db1838c8249

                        SHA256

                        0cacf4c18d1d2a4e2fc8693a50f1003fdf77d4ac70e4a64d6946c5d62c9e6229

                        SHA512

                        e87d9d187dad01d43ed6eae5a412a233b3031503d78575aaee86573c4be170857d82b569a72d5f2c2b6d002b8956ae6e4f2138258cca8ccb9bf7183280931c34

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                        Filesize

                        7KB

                        MD5

                        c460716b62456449360b23cf5663f275

                        SHA1

                        06573a83d88286153066bae7062cc9300e567d92

                        SHA256

                        0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                        SHA512

                        476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        d302286cebd3f689e7fdf18fefa88d19

                        SHA1

                        c179fc2ab6bde92aa2a65f59903e363d9c6216da

                        SHA256

                        15023680d7dec7130d517e74e399144043ce720a5f13d9691f3b2bd8120e946d

                        SHA512

                        0858847cadacb7f4c680197edf274acbec20a84d1d59c23996cb4cd26f16ab01ac79d7c0ceb21f2ffc05039694bd7785c9d2dcffe3fabad9f6ad4cbaa3ab57e2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\1cf61a05-b39e-4178-90ca-10e48d8bd23b
                        Filesize

                        10KB

                        MD5

                        0e2f7eb3714d15e87e8f3fadd5a4a383

                        SHA1

                        d5bf367b73e8c16bbd988da5578e54e81f8caeca

                        SHA256

                        70fb61083e367bb5134ad1d7e7a286c87a8b03ed3c29a6bdd930a11f15390834

                        SHA512

                        1848d1fde308723b16e84a4fb1f1767a604ea3f99c6d0447fabc144a1ed90b24cf6f44b031e8e25039574793bc3514b0560bd611023c841f5382166b293794be

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\6287acff-66c5-488e-a134-68b0c09a1436
                        Filesize

                        746B

                        MD5

                        1cd9ee77f6935d72bd4a0c4c90e84d61

                        SHA1

                        5647c4ead5be3e8016b4e3a8db50d85243978b4a

                        SHA256

                        1128aae3774b4be8399dedb6e728286e8611a875d8a11736f4f60063e87ee4b9

                        SHA512

                        0d76564fb489d61d5e021142a64b1f30aa065ef332861ec92f09e01d45b6d85ed5fad6fdf62942a3695144619170782ab66576f56d6425062048ff0002e7a0fd

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        0fa9d4345a57f33ef510d38ee12e4dac

                        SHA1

                        1a0ec29b294c23281f3912cb404d60d35fecc706

                        SHA256

                        5664c3ec05c5199a7a9507fb87208bde8ba79bcdb34bc79e9a2c0daa817e6c20

                        SHA512

                        2a9f6018283dfb37406861ab41ca3c6c831fceb8f858f593ff967655b66a083411de410469aaa52e9d7e29ce6702051d2dc562f36da41dbbc2a92c2eb3d43868

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        60376b08405569b740be7f20e60a4d4b

                        SHA1

                        fd83792cf66fd8f3d8d2f209580db82c017b9119

                        SHA256

                        36f1444e76791f74127d0bf4d7534af93b6db38635ba5e7142cc90b902d8ed65

                        SHA512

                        11e378e196e8e09e319c4a6501239218157f33860419c3b805aa4dd11b5b56c8cd2deb33c65bcb4121e3e751a8eec77a175fcc8d7ca6710076bbd981f042e6bd

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        07c5ecc7934a8e2d6d676dc0e3bec49e

                        SHA1

                        259011401908c7e05f4e16abc34eb04290f01f6a

                        SHA256

                        59008bc93989fb1c94f15b16762029ee97ecb565bac8cd2a27ce137fec734ea5

                        SHA512

                        3d37b4f6a23b368620e1ea503565a22cf41093e762bb34086232a22cb30b23f2fca01d6689fb74e0e7a2518c59354525ef27d08d2d02eb7af674d2d942b1289f

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        0daaeaeb1f87b69e95f4e013a201a34c

                        SHA1

                        80a42f2b7f19e471ec765cea4bd10f976fe69b68

                        SHA256

                        3699833de84a2bd3c4ed8044a174fab0663459309a0fef961f43ffaffe8d71aa

                        SHA512

                        e6028ae45ef943ef109f4aaf243e7c55b4237a97e2af41f2bc341d4ac224c0c25da15b519feb75042b93a868604755fedad630c00a17ac51068015f4d107d301

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        2KB

                        MD5

                        8c382b577219a2d532e33cdf1ddf9dd3

                        SHA1

                        c001d3571682e39bb54e0129ad68eb0c0ffc333d

                        SHA256

                        b6fd8716bdec96ef0e9d8e418f391808006589e55b9f61fbb76d5ba2f2f3edcc

                        SHA512

                        8ef430c6c14e05d481f80d24730e4a708fbd4733e77d8f39003664e1e7139f5466d225f9e0ed1889bedbbd0b424389444a32f458309143df07e7866f2f21b972

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        ba2dfa53cc2043f510f2c0c9f98a439c

                        SHA1

                        5f23593b86911b4868f77a55ab6f15ce2909db73

                        SHA256

                        2e1746bd860bd3673df0c1968f6f3c7ad98168689784699a61d6bf851594afd5

                        SHA512

                        35776549f2d5bf22041ea7e98e47dc6e708e76b5688057cb88d7d3c1d1d97f7b2a527ca4e0bd08909e4692e841640f5d1d1a35187a2ec05df5ec1d0c74f937ec

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        a844f94c0cc8610d71f4dc0403bb8566

                        SHA1

                        f45b62f345ce0e7c514e9bf86d163f3b544273f4

                        SHA256

                        9900dcd59cd9a450eb93c38a80f4325dbc4fef929e405c05410187d553c5be97

                        SHA512

                        c56093c2d2d04f64c631841b595239f354f041a9176d259375a9df4784631d53871cef66d161eba7c65c8c4100bd820e54e50dce916e504bc2e6d50a63c9a3b6

                        Download Submit

                      • C:\Users\Admin\Downloads\winrar-x64-701.TnWpdZrh.exe.part
                        Filesize

                        47KB

                        MD5

                        70e4cc58595997ae41e042eb68b8e449

                        SHA1

                        b5e49f62ee2b8cd549ba1a947b039f2f5cc44b6f

                        SHA256

                        2d7c57719a623b92fc312d9a472a676095958577b1650b3f485dc2c557ea1caf

                        SHA512

                        759de8b048dc3a6860e43de34beaef6b915ac4ef54f8fed1b1da0e97545a3aed8be1dbae6f2065973bf7d1cd645097804c97a212491360e5fa4ccc7c648c325d

                        Download Submit

                      • C:\Users\Admin\Downloads\winrar-x64-701.exe
                        Filesize

                        3.8MB

                        MD5

                        46c17c999744470b689331f41eab7df1

                        SHA1

                        b8a63127df6a87d333061c622220d6d70ed80f7c

                        SHA256

                        c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

                        SHA512

                        4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

                        Download Submit