Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
29/09/2024, 07:23
General
-
Target
patch.xp3
-
Size
28.9MB
-
MD5
86cd9cc083018ca45c79ac489e6c1184
-
SHA1
afcc81bb5d1035941f03318abdf705ba906bb561
-
SHA256
7167f8dde8c75ec4ce17d67363d6b746cc2337b7b0ddfd649b975479d6bfb894
-
SHA512
c3ca7577da1fb4a054576bb9330fbfe5b4c765d2cace186597480803f9a4f2d58a364bee8d0794ad2690f90ef39b5028e10e629ccfa8349531c40d8a28d28f5d
-
SSDEEP
786432:w17uFLmCeV8NAP8aYhIK7cDdgzyxbcwQAastZ9j3ykjLmMnjo:4yQCRSPD8IkchgOxIs/3yUvjo
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 13 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\patch.xp31⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\patch.xp32⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.603240621\257697250" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e5898a-b500-4946-840d-17dd2a86aea3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1800 25af7ad9c58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.98779350\1534852345" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21016 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4357607-c015-4052-b160-1b68fd68d3ad} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2184 25aecae7f58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.1347563881\321368392" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2756 -prefsLen 21119 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e611ad5-ac07-4283-8e8b-e42992aa15da} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2872 25afbbb0f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.858402608\1411198240" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3624 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a9e684-bdaf-48b9-8333-33fefdfc2377} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3652 25aeca62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.444188022\1321832172" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d02ba0f1-7c11-4ff7-98cf-9848e60a8b06} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3880 25aeca5e858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.975251668\835105310" -childID 4 -isForBrowser -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cdfb9d0-5b27-4c82-be56-e35a44bb8c92} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 4872 25afe1d1258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.220935263\1943819463" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {143da7e8-d776-43b5-9d4c-7551454c328d} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5004 25afe5ab158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.7.1233721451\389706217" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63941fb-1a88-4e73-ba92-54bfff30ecca} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5188 25afe5aa558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.8.956741962\2097006540" -childID 7 -isForBrowser -prefsHandle 4816 -prefMapHandle 5428 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b567cd-99d0-41bf-883c-63f314541a14} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5548 25afe5ac958 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD576cec4c37afe35d37bf80d9b58aa9f7d
SHA15c22a976ae2c944b5680584efdf8ea08103d9f68
SHA2566dec61a71a6e191728160e03d0bbd72a3f6b9633b2762bb42edffc62a0ec8d59
SHA512721d3931683d67deb63681e6a79d105fc1339f2ec5d478ab1e7395f9c04865b6fd05de883bf0927ba916ff42118c842ede576e5d751c9dbfa1b886edcc4a4f98
-
Filesize
221KB
MD5a31e6a1f1392af515efca30330479d63
SHA1d0140e37c834da14bce0488468283552581830b1
SHA2567d754a201ebbd09ce3dc7cc4f7295dc45ba98d1e46f1397212f72930db3ae729
SHA5129931269791c4b5636c1785d2d50b5961b5d7d9f0518f1c070cb7616f32ea86b57cf42b9ab892768d7338eb70e179a6a7c985749e76f4e2e0374225b472539a39
-
Filesize
2KB
MD5115d42aeffbfa4afe8bf5733826a4840
SHA175925f1c5e2fd8c661cff504ba40369fb1517b08
SHA256547538c7dc35fed25ad98db6c63d7aeb1c85345703590d07734c45c8034e918a
SHA512ec954ae476ffd1dd2903485111bf741565e204cafda2cc3b286ed9cb94396a81c9ab20565cf0e104859072fc477a836c838615a94fbffabca075027de457a1d3
-
Filesize
10KB
MD5147e75019a06fed86aeb8444b1bbba38
SHA10fd38c9a307230d3bc7abc6b81814579172ddb58
SHA2565bd91c99f07d0074ac8d310e74660de05162fcbfb9c8d2b8c330357b17d75230
SHA512560e4e78f699f80501a9034872b9957c96b4a3f362f0736081336a0f3db5898903bc6935d2ea4623e64527a085453444cc75f0432d31ad00e398af0d09dc2d71
-
Filesize
669B
MD5627be4a16369d28f0f953b23542a6ad8
SHA1b949cb1ea7c47481da11e2275533678020c9c39e
SHA2560da0349513e7dc31d0c3e4a15ba48cbb83f6ec2d139f478b38eec6d310336ce2
SHA512d773c238ffef8cdd88316c861d0fe1c0d96217952a5b9591c4e73002e0f6f8ba56f30d756309b8d2989816e7e1096c1318a7b43708e04473b7a8c8397c35dd7e
-
Filesize
6KB
MD58ad4a2aa26735be58b11b356205ad016
SHA1bb979088827dff4e7f1eb8e5a152cc157c60159f
SHA2567ba12d7dcab2d68d7a33a34928563b8c4aff88a2b55909cde449a8e64d3af1b0
SHA512d936f42c28fe58ed52930d383508c946126b013c0b1afed5ffea3a5ab99d73c0fabf14821c5ea1ab78c98f6626da230d0bb15c721fbf8a9fdf78992fbf1ec5db
-
Filesize
6KB
MD54b3c23adf6128412f290a5b4b2e05797
SHA1dd2814c28b9bc9ceb9ac500cffb0c8ecca90cd6f
SHA256dbae0d7c41e662204278bb895b4d159a91a962a892cd6195d77cda51d481c859
SHA5126cc670267da721129e303d5e8be4f20bd5da78c5255103e670e261c4d119975f8b56ce30b43cd4e5f58f50a0a17d248f6b66bd93edbcd66d9c3bd12e02b1aee5
-
Filesize
6KB
MD5e3769992c41646d417525ddcbac45fea
SHA1acfa3f33c289a617998f164bbbb8e26a63c3ac40
SHA256fbf45bf10b26af3d6d13612cb3b1648eba4915d0af88bf4c7a4919e9f8f04c00
SHA512cfc6057359a2edb6c4b584729d8b073deee5d36d2081335a49ff817bb10a79f5b6c35f12095aff5a2e45e4703be6088f0e9fc36e89016f5e099304f01fb7854a
-
Filesize
3KB
MD5f0742cbb626295d01c698c6ea3fbe6b7
SHA1aafc6eb554b79a18c50d5428b75e74f38915eba0
SHA256698bdc61dc4925940bdd86079b64c83f90645539dea2b21d340c04b1eb326e2b
SHA512b5128fa937f8da97b89d2bb33a0f63202897141b69b8313091b7143a19a4fd68a8632aa949d862620c1a89189548ee06c8af31e09f0ba4af76cebd3617fb7205
-
Filesize
4KB
MD53bf8e2362cf2e08bfacb8b18ba704dab
SHA1d69ffc70d474f597cfd02d337e79218dd6f8a7d2
SHA25659540638c29c0e968a61a7c6b92a6a972e82f54663ea6bf603d6de95aa8c70bb
SHA5124b203a0063235edba06961b391dc07d2c040a4f43cca7ed053401254aeaa0446fd29fc6ba83d7e25ac65a722db4089995c5e4f93feaadd349c4eab056788dae6