Analysis

  • max time kernel
    98s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 11:55

General

  • Target

    socd_cleaner.exe

  • Size

    152KB

  • MD5

    6d67dac23832cc767751a283ca6ae406

  • SHA1

    7ffcd1ae41ad8837b4e61ed707ec664eb3e07da4

  • SHA256

    713d7ef8cb4d9232551cddd2782b35c5d8b66ea6f550c154928557e780d2505d

  • SHA512

    d296b8b33e35b1b6b2e468c2b5d3845cf2e7059fe6b3c8379621686bed2f38543eed164e919416e1eb1a8121fd981cea3a2a2387dd0736a5b939d0a67c624d40

  • SSDEEP

    3072:/ecpdahZA721Rz7gKLPGIR2wQxjRbd138O8g:7YA78hc0PDR2XZ

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\socd_cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\socd_cleaner.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3128
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71a8683-e954-48f0-9045-321b978331b5} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" gpu
        3⤵
        PID:1428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9875a58a-6242-4454-8c99-daf3799808c0} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" socket
        3⤵
        PID:2516
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2932 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3100 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a3a7ab-594b-4ae8-a429-816f2a5d31b3} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" tab
        3⤵
        PID:4508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e047e9d-939c-435c-b43b-d277a992d7ae} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" tab
        3⤵
        PID:3724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4936 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d549bb3-1067-46cc-899f-d33aa96ffc1c} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" utility
        3⤵
        • Checks processor information in registry
        PID:1532
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5248 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b09fb931-85bb-4dcc-83b5-d693a1d15136} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" tab
        3⤵
        PID:3596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {723fe55e-f2bc-4e78-8894-59845c25040f} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" tab
        3⤵
        PID:1676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 5 -isForBrowser -prefsHandle 1408 -prefMapHandle 2804 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14b4f02c-9c30-4012-a95d-1eb8ffacf591} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" tab
        3⤵
        PID:2664

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: 82eda2e03e0bec5dc25756dcb3230d70
    SHA1: 271b76ca8252ac630c5a28b2c1fae560a60bf6d9
    SHA256: 338bb14914d2f31ebb6cfab0c166d19b12eddd1cfed8ce30025723cdcfe31a2b
    SHA512: fb042ce99e3abe68849a7467eb856c2b1fcbace25e5a88d5bce3365e3756666b4e76c38fb58d1181251608e3f1e4878722590b8dda53be63f5694c9ff9f231b5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\0b628887-70f0-4610-a879-fe4dcd58f803
    Filesize: 982B
    MD5: 697e723bf30960920a02e372c428d553
    SHA1: fc29d2d7e927f18ff4e5c0c9770ced1f81392e9a
    SHA256: 6d327ddabf42505434ed97020f31b69efa6ca568e5e8fc5f6766943906a1cfe5
    SHA512: d6a86dcac7c5214927abc44b97838616931f147e31fb311b19fb24f47e949605707c8fb4f49bea3823af259128aaa0d5eae7da3196fc046b10644c3972dab837

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\4f4e5e79-76d4-42e4-878e-1ffc17cb7468
    Filesize: 671B
    MD5: 864720709f7ad267a3cc284d170298e7
    SHA1: c6b4d9098f4d15fbe09913a8057b39156ade0ceb
    SHA256: 4b845dd8afdf47dfcc01fbd5036ee95682ce2179715aa027d1d6585cd873cfc8
    SHA512: 4ee8ad10bfafa83f31bbc798bedc3cadb4ab314fa421be041a2ac73733a4938454b6708ffdb568668c6a98ec8fc608b28a45011734abce4e4dada6e5932a21ed

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\d56fcba9-942a-4daf-9e6b-c70f7475bd15
    Filesize: 27KB
    MD5: a32ee6b8484db351d754f6a5e60d3aff
    SHA1: f37578c1ad838a6df9ac817e1b578048b8adcf94
    SHA256: 9d8709cc08c3965dd3a18ef1cf1133da13ef4a599f73a14e4d69bdd20a051862
    SHA512: 134da80a14c7c6548e7d31e4cb14b31efda3cd0bd5bbbad5c22642ec58cb943265bf24e3c542d2fa7e91e1f96f132593eae9d685be21c8dc73934ab953fa9274

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js
    Filesize: 11KB
    MD5: ce228e84cc450f9f53defc486ac28aba
    SHA1: 10377df9dbe3d6faa40e872e4c364e760e8616d0
    SHA256: 966f140d7998b198675c7d88cade0f13b72f26210c8ff6aac15324851c129531
    SHA512: bddc11719ed5d1a4fae194c47f170ceab05dee3d1283bbbfd14b41ccbb7872fc8704c4fda2a7f0879905f76f2b7e6ff2bf27c4b0af4defb7ada7c18544a9023b