Analysis

  • max time kernel: 18s
  • max time network: 21s
  • platform: windows11-21h2_x64
  • resource: win11-20241007-en
  • resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 14/10/2024, 21:31

General

  • Target: cloner.py
  • Size: 13KB
  • MD5: 6a8374695d9b3f61bf846aa78c49a753
  • SHA1: c8b39918d95913b02ae0962777108c92291c04d1
  • SHA256: 8a55a8449069c97da99dd2793da48ec35818ba27a1d774e2a57262e96787ccbf
  • SHA512: fb573f0f41866069c04a6c182f3165913b5003b1afbdf3ee99c7a3147f98cc8293768b76e911d873abb1716654eed282a74d060931886f3add4cf277455966fa
  • SSDEEP: 192:Sn7KFNIaIsqcipxsEIVcpxxhxzPQ9Q82Ix3GPJw9nxdPoK:Sn4q/9c7NVcpxO9Q8JGxw9nxdPoK

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\cloner.py
    1⤵
    • Modifies registry class
    PID:4032
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\cloner.py"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\cloner.py
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ce3fc2-d13a-4273-9985-33124eafa42d} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" gpu
          4⤵
            PID:5044
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c34d68f2-4e4c-434e-bc76-a654b016ab1a} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" socket
            4⤵
            • Checks processor information in registry
            PID:4796
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {092ec339-ad3f-4527-8457-baf66b3ddcbd} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" tab
            4⤵
              PID:3672
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -childID 2 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {169ac944-7c76-4b35-9a6e-441d4cdcb18a} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" tab
              4⤵
                PID:3276
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4260 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4164 -prefMapHandle 4236 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4f7c84c-2eeb-4d4b-b871-34dabcac5dd4} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" utility
                4⤵
                • Checks processor information in registry
                PID:1088
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5412 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77afa380-43ef-442e-83df-3ceea6987a53} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" tab
                4⤵
                  PID:1000
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5428 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28d77632-1c18-47e5-894f-17a509051415} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" tab
                  4⤵
                    PID:880
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {119e5bc5-0d87-4a22-a566-17765947e64a} 1136 "\\.\pipe\gecko-crash-server-pipe.1136" tab
                    4⤵
                      PID:2596

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json

                Filesize

                22KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

                Filesize

                5KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

                Filesize

                6KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\727d2c98-c5df-40b6-b297-8cccd8880980

                Filesize

                26KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\8e1df302-8fd6-4be8-980e-46e209c0cad4

                Filesize

                671B

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\d29d1306-2f07-4b74-b035-9642a5f0be3f

                Filesize

                982B

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

                Filesize

                11KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

                Filesize

                10KB

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

                Filesize

                259B