Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

AottgRC64.rar

windows7-x64

7

AottgRC64.rar

windows10-2004-x64

3

Analysis

  • max time kernel
    47s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AottgRC64.rar

  • Size

    47.1MB

  • MD5

    6accb9d971aa04a9c74c381fb9d1937b

  • SHA1

    cf9f76406257e93bcc25d8d0bf650c07ea7efba4

  • SHA256

    47ce751109a1ac114b32f648aeb558d7fbb86ad7e4ff61a4030df97c1115b21a

  • SHA512

    e76d9f15918c95cf418c0aa1f43d759b7ae177c193b0d3292e32817025ab3dde64b98d284df7344608703d7ed9776f2ddd47def44d1676d8ef489a3c70735549

  • SSDEEP

    786432:KPU1+NwidaxuxpuBGPTZbOOv43QcSR24vjlYugA4IAvgRu9tTkSkTvFfr:Kc1+brbOOgAf04hY3IAWuDTLkTvFz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\AottgRC64.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AottgRC64.rar
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AottgRC64.rar"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\AottgRC64.rar
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.361234283\1195855048" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46363921-43cd-4291-adaa-8676e5127809} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1296 101dbe58 gpu
            5⤵
              PID:2612
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.504820503\43651103" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27249658-0d30-41d8-b5e8-85794c2e3fb8} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1500 e73858 socket
              5⤵
                PID:2656
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.885257798\281788439" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {745d7af7-5827-4557-bf44-29b8f1ee1c62} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2056 10162058 tab
                5⤵
                  PID:1648
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.1323126023\1188270790" -childID 2 -isForBrowser -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15752933-30ac-4824-b48e-bb4695d303a0} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2432 1794fa58 tab
                  5⤵
                    PID:2192
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.4.1226795590\299194852" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 3796 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af376a17-5066-46cf-a939-5ea8174b901c} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3800 101da058 tab
                    5⤵
                      PID:2420
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.5.2035335582\1441378221" -childID 4 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82864551-b13a-4e4c-8cc6-e9dd17151129} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3896 1e27e658 tab
                      5⤵
                        PID:2352
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.6.1633398400\302232862" -childID 5 -isForBrowser -prefsHandle 4148 -prefMapHandle 4088 -prefsLen 26526 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5417b4cf-d124-4e53-8bae-4a64a379a028} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4128 1e27d758 tab
                        5⤵
                          PID:2116
                • C:\Program Files\7-Zip\7zG.exe
                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AottgRC64\" -ad -an -ai#7zMap18306:80:7zEvent30353
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:268
                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC.exe
                  "C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC.exe"
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:980
                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC.exe
                  "C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC.exe"
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2844

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  31KB

                  MD5

                  7b4dd365e5c13dad2ea654362ddb7113

                  SHA1

                  804b2e53c401fb2ac798452c1ba38c6a62d07819

                  SHA256

                  fe9a6c5e8351cb8528f7d2496c6f4955105410a1eb89acd82f2349752dbfc694

                  SHA512

                  153b373111853183b0f419f49a51427bc22d7592ef1716b489ee4267bd9e46c03be5692c24f30fa2f7bf69e24826b2208617bdc126e704f756f6d72c3d3d226d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  32KB

                  MD5

                  f525310f793b86cbd3e010d4d00cf697

                  SHA1

                  e9d70df50a739190f6446c5e7a06388fa20d2528

                  SHA256

                  24b980e6b7272d4358200c1d6de5550998ec73cff0a940b6c7f0a3e9d28986d8

                  SHA512

                  7c21b71c62804eba3d471175e9ae1beb179b91e12bd69a054945a9346b6a7427af75f1bdcce085890137ad8884424004183e142fa4f7653b44ab6fafe4440ab7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  9KB

                  MD5

                  d8ff3dedad8f8c9ee10801b60ba3cf25

                  SHA1

                  ee73e1edabd82c219875bda74e12d0b15b22f675

                  SHA256

                  76273be8a68a4fcf208c3592e5d4d425f829afb4af0bc7ef5721250cf6102ebe

                  SHA512

                  9ee4e4ebd4b01a027e58fbe23eb277f5df06ed1896d4c6136bfb2c848d2b47fab1392b015900fdfcdd4e001befc0bd88833ce2c6c19f411d36a5c42ac4a2b6ef

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\1bb5129c-e91a-48a0-9eaf-18c7f4132a5e
                  Filesize

                  733B

                  MD5

                  b230a29454eda52cb96cec61346df250

                  SHA1

                  cf62c0bd02b11aabaf8307e328bf90754f862fc9

                  SHA256

                  9c67f3dd929df9143b2966cd07df488ee69e6f516996829d876b57fa931fdbab

                  SHA512

                  ad373aff1bcaa426ce2ac5a1b76b9ce34637626769ce88210e13ae55496c6836dbf7478114e38ac6c045ec76c20e37fec82f2cfc67a4a3cc0cbc53a36f13f8a6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  6c993b83cebff09270be628d274f3cb7

                  SHA1

                  f42cb4611677e52451277f871c44ad320a92d9c4

                  SHA256

                  14817682e7b81bab30b201a8a883352ff036f2f0a1c12d44babe7dc2e33c4eef

                  SHA512

                  ff8c4ee890eb1d86c9632a2f357bc08256b2d80fec12984f80c4912d0a2cb1a6b6f01d9f8a83712d0b8cda7e14f0007af00873235bfad30a8996ef5fad0f145d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  1bed61d4cd30b4db105eb9b7ebe42ba4

                  SHA1

                  9021ab4a396c6d91deffa2c95fa4c5abba538403

                  SHA256

                  7f7e48aa60f80826e4cbe336b6461b51434e644a4b945976a53bd7fc2ff3f6d1

                  SHA512

                  36ffbbe240f76d2b82b0d209dcb9f4beaddf24601b91d49f51e1badcd78980237ac720f07df6be32c27bcaad2f82c875b5f50c1f2277f6bcee40764b2d4bc9b9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  441ae2d2702258d355f43c5e3792d9b1

                  SHA1

                  2ac11be45d9f2e9e4466071aab89773547742341

                  SHA256

                  2b9a01d5e288d0b59d20e67ef7df44d74e36e6ebb1a127852cb93d3219d54a21

                  SHA512

                  48bfe7fb059b0774dd1c566f82350b241d95562aa263083c33889bc4b51701433a85c98e2616d4639fc97d839492ca787a0769a089d23b6bea16d806b606aac7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  937B

                  MD5

                  7c3b839def596629c01c81c43c5b7442

                  SHA1

                  75f2d6bf0bdc677a2ac409391eba970006d73867

                  SHA256

                  64e7ccfe39c7820a814f1a699ab61e87c9d4012f4c3d6e8c2c2dec41b3ef5701

                  SHA512

                  dd2bf79bdd732e41cbe2e614a6ef870d57cf92587e5a549a5bfeaf7da90d6895faa7c80a71639f523b6f8954167dfe8daf1c7b6ceaeff8ecd401f504ee27d583

                  Download Submit

                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC_Data\Managed\mscorlib.dll
                  Filesize

                  2.4MB

                  MD5

                  fb09849021dbe1ef55a52cf3c1a382cb

                  SHA1

                  a29a65d921737d9f27d9a2a97e275953cdde5acf

                  SHA256

                  17bf3a2f8e27549b3cbd1ea7146d4326fedc567a98f2a3b926fe69e820761050

                  SHA512

                  fc93d351174ce0c6e01ad2656ed6f8399be343ebbad4d9f42bbcf2fb17ee848dd68094fd963bd5bd8d6985164301d95b7fac10c7ddd47a897f52d18cd73988ca

                  Download Submit

                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC_Data\Mono\etc\mono\config
                  Filesize

                  1KB

                  MD5

                  f95c345c1c53b820487f6b72e62d5485

                  SHA1

                  957e4e50e74c50347af92abf240c2c7aab3f3f79

                  SHA256

                  b585c70c70c88b3e03489361558f5d711c2ef71df9baaf37d92dbf95fbf6cd92

                  SHA512

                  6b06434d07ee51be064a3efdca65b73e6c8e7560b43fb61633b08c7d2a0d792fe0670e57088c1dabd23929e0b7f7a27f65f503f2b640587042c8bbe98946368b

                  Download Submit

                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC_Data\mainData
                  Filesize

                  810KB

                  MD5

                  d941320066e629a988b1d54d40c30bff

                  SHA1

                  1d610f1c3a3f8d0504616221a7a4e9bb11018f2a

                  SHA256

                  690f0b14178d6c5b30eb1667bd2425cf8d4f0a40e69a61a17e795a8751a62e96

                  SHA512

                  2d509718ba89c889cc34f1dc074e758613ec441dd436af0b23e49f99c9cbc2be485c5a96a6ee3b1ad2169323abbd6209f3e6f8233e1e9a2ebf8a0abaeeb96545

                  Download Submit

                • C:\Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC_Data\output_log.txt
                  Filesize

                  36KB

                  MD5

                  64e601434406120e35c858ec133d559d

                  SHA1

                  46ba887cc61e6cd2c1f2e5c716df1d98b814a03f

                  SHA256

                  472389b962945905e78e8d5617a8d83a3eec8de26b0d0045b9d0b5b2cb926a86

                  SHA512

                  320368616835d568cb2553645fe6a5eee359ce8f426f5c5001b2d6846ea74a58d866ed7374d568ce55ad2608824eff73a88f03ed2aa333fb739091d2e25e55db

                  Download Submit

                • C:\Users\Admin\Downloads\vBsjfLW8.rar.part
                  Filesize

                  47.1MB

                  MD5

                  6accb9d971aa04a9c74c381fb9d1937b

                  SHA1

                  cf9f76406257e93bcc25d8d0bf650c07ea7efba4

                  SHA256

                  47ce751109a1ac114b32f648aeb558d7fbb86ad7e4ff61a4030df97c1115b21a

                  SHA512

                  e76d9f15918c95cf418c0aa1f43d759b7ae177c193b0d3292e32817025ab3dde64b98d284df7344608703d7ed9776f2ddd47def44d1676d8ef489a3c70735549

                  Download Submit

                • \Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC.exe
                  Filesize

                  14.2MB

                  MD5

                  3f6e0245cc9581cf9abb1046ff74dbeb

                  SHA1

                  d3e18cba8b76feaf7e7ca11e796838266d01d1f0

                  SHA256

                  42746553878ed7f124e5d1ad707bae56c0dca4272892d4ad80f51b9eb22248c7

                  SHA512

                  ab6c98d2f17376481ed79853a275de098b0930d0aa9b47712fb6916eb5ba01770ecbfcdb46ff5ded52956a6bf0f9bef0600bd679e7452e7cfe0200067ea6d521

                  Download Submit

                • \Users\Admin\Downloads\AottgRC64\AottgRC64\AottgRC_Data\Mono\mono.dll
                  Filesize

                  2.5MB

                  MD5

                  b880f4e39acfc5b271749803a71679e9

                  SHA1

                  e209ea7bd4682322a5d905ed5c4f6c6d458c6f6a

                  SHA256

                  1c58b75f008b2fc1525ef552d9cb6fbedb23a141430b70a4f3363b12e816109a

                  SHA512

                  0756428813b832da2d3e8507b51288d5fe9a7041be96cb9322a67ee520a3bae7a2667cce6cfee79f65c2dee72eb95722830b81dccebd8dde4524576239f72462

                  Download Submit

                • memory/980-321-0x0000000003AE0000-0x0000000003B28000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/980-320-0x0000000003AE0000-0x0000000003B28000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/980-340-0x0000000003AE0000-0x0000000003B28000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/2844-349-0x0000000005050000-0x0000000005098000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/2844-348-0x0000000005050000-0x0000000005098000-memory.dmp

                  Filesize

                  288KB

                  Download