Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    05/09/2024, 02:08

General

  • Target

    Firefox 21.3.7 Setup.exe

  • Size

    163KB

  • MD5

    34d62303e757aac3144ad3478619fdde

  • SHA1

    a6fa411c5e8b1715568805ee7d09150d96ee8977

  • SHA256

    851fed5d7b5c0f331d61ff67eca02c3d0bc5214848bdaaa5f6069a86050792a4

  • SHA512

    248358ccdfd86cc56ca77edbe5aedfb656751d312dfff9598f1eb59fb4494ff07566011417808b94451064f0e323c3464142f1b03d337ca5a895c0d435b19da9

  • SSDEEP

    3072:KOXpHv1O0vxki2FeTOc3wxdxU0G6ovH86bzEQPAoutufqX9GY:7pBapgTN3sa0GTf86zEQPAoSuCX9

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Firefox 21.3.7 Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4972
      • C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe
        papaj.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\D205.tmp\Firefox2137.cmd

    Filesize

    310B

    MD5

    141b39729c97b1601a94b88ec4541758

    SHA1

    88d3c8d1175c93f0489a7614e1ce55e64fc25b49

    SHA256

    fdc9c6ded6792bc9f158f0638fda6f44da8e625553adeada223d8abd7ce0b663

    SHA512

    8e9da5ab576837a3c409bda6e08f43c375af8dfaf486859e2604e48e621acaa09dadf2b9f393b5dea9d17a7dde5d36052667b2a7e10f270944c10a69394e9f32

  • C:\Users\Admin\AppData\Local\Temp\D205.tmp\papaj.exe

    Filesize

    88KB

    MD5

    107ae8b0226ca50a2a39c9eb1b4a31c1

    SHA1

    515e99757bf9fe05b8d840238651a1c0ba8ee577

    SHA256

    99d80c79b645feff55265bc82c1c31589209fe8df93c311afa58a6845e337312

    SHA512

    723844497c7a5dda33548b1a9800816e7ebbe050f9db0a5d5d061d1f2d7ee16861856c06a35d859fb1f408a8d84fd1482e28187ac5cf6b51fa5a5de28b89ebf2

  • memory/3552-0-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

  • memory/3552-12-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB