Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

1

241209-wte...1.pcap

windows10-ltsc 2021-x64

3

Resubmissions

11/12/2024, 15:13

241211-sl1wgsxphs 3

10/12/2024, 18:36

241210-w8wrtstkev 3

10/12/2024, 17:54

241210-wgzdms1rdx 10

Analysis

  • max time kernel
    59s
  • max time network
    61s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10/12/2024, 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    241209-wte6jawnb1-behavioral1.pcap

  • Size

    21.0MB

  • MD5

    71ec93443f4d7d8bf391a5b02856c246

  • SHA1

    d4847d5a2bd26173da036f0d8a7b851c7e7d128b

  • SHA256

    2e5d63057adec0e8d39f369d77f010b03efb0bf16b90cdd05676e346a930d7b6

  • SHA512

    3966071c8ab7e0d2e57738814fc7d9da2db0d5ac0e1a7a7d58a55d07419d8d555d4f34c631e8713919d8bbdda632848a5bcf87a16ecaab249c8b38b3d43c505b

  • SSDEEP

    393216:cQCU8iszVrdcwEyaqGl0NziHnzXzKuhmdZ8Sk5HQnCxqD:EU8imJdcbZsiHnzjKuhOZOtGtD

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\241209-wte6jawnb1-behavioral1.pcap
    1⤵
    • Modifies registry class
    PID:2936
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\241209-wte6jawnb1-behavioral1.pcap"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\241209-wte6jawnb1-behavioral1.pcap
        3⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9878ddc0-79ac-4347-861c-31caddb20d87} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" gpu
          4⤵
            PID:3764
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7402fc1-16f3-4e90-9440-d54e588c07fb} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" socket
            4⤵
              PID:2452
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2732 -childID 1 -isForBrowser -prefsHandle 2728 -prefMapHandle 3308 -prefsLen 24742 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0ef388-0842-4b30-ae68-a912f0722d56} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
              4⤵
                PID:1536
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 4092 -prefMapHandle 4088 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {619ac85f-db41-4bf2-b7bc-b18b7026a23b} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
                4⤵
                  PID:1284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5128 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd2a9a82-7b40-4f1a-9ad7-34043cd21b5d} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" utility
                  4⤵
                  • Checks processor information in registry
                  PID:4732
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {665c3a22-f17a-4318-8161-ba9fc3fdc495} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
                  4⤵
                    PID:1004
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {536d87c8-d08e-4110-a1c8-584adee1a3fe} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
                    4⤵
                      PID:2844
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ec2cc7b-33a7-44b1-912d-65429dfe1676} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
                      4⤵
                        PID:1844
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                  • Modifies registry class
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of SetWindowsHookEx
                  PID:3148
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\241209-wte6jawnb1-behavioral1.pcap"
                    2⤵
                      PID:4640
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\241209-wte6jawnb1-behavioral1.pcap
                        3⤵
                        • Checks processor information in registry
                        PID:4376
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\241209-wte6jawnb1-behavioral1.pcap
                    1⤵
                      PID:3988
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\241209-wte6jawnb1-behavioral1.pcap
                        2⤵
                        • Checks processor information in registry
                        PID:5044
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious behavior: GetForegroundWindowSpam
                      PID:716

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json
                      Filesize

                      19KB

                      MD5

                      aaa38ab45c5c448c0d875ff54eb51201

                      SHA1

                      467e91b16ca352ba633234ee5949104ebc483e59

                      SHA256

                      8292499ebe5b26db8d86b187e0dfccc3247b927a4ff720c948e41453982769ec

                      SHA512

                      a217283e99b0a9acc27399cd77461519f7a9d1693377c40bc05f5e32eecaf9d1f64509f4c02d9551cbb42a5e00250521dc23fee880d9d3a0cec9781471ae28a4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                      Filesize

                      15KB

                      MD5

                      96c542dec016d9ec1ecc4dddfcbaac66

                      SHA1

                      6199f7648bb744efa58acf7b96fee85d938389e4

                      SHA256

                      7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                      SHA512

                      cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      479KB

                      MD5

                      09372174e83dbbf696ee732fd2e875bb

                      SHA1

                      ba360186ba650a769f9303f48b7200fb5eaccee1

                      SHA256

                      c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                      SHA512

                      b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      13.8MB

                      MD5

                      0a8747a2ac9ac08ae9508f36c6d75692

                      SHA1

                      b287a96fd6cc12433adb42193dfe06111c38eaf0

                      SHA256

                      32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                      SHA512

                      59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\AlternateServices.bin
                      Filesize

                      8KB

                      MD5

                      e9cfa18d5ba2b4b61c7f5cb28913f0a2

                      SHA1

                      f440597ec58dba0c279c6b2bf67bbc925ccc891f

                      SHA256

                      1be3816712e05042df15db069ce0924a34a612a518aac2962ba2d5b5ebdaf57f

                      SHA512

                      40786c60ca03de8d6cd32fe8e4f57eeb5aaf75df69c4bc39e4d086d4ad8e7e11bda703c59b12ad4d3130b1cf860a12b020beb39cbad4283d84a96d127a5b9fab

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      a4ad058f0cc57057de49fde841bffd47

                      SHA1

                      53fd856074eb3a4bf9791023baf1ec6d57209b01

                      SHA256

                      9d53724abdc53114635b9fbcc8f7835aa54befa42c64a22b73e765ca1e47847c

                      SHA512

                      b740eb932b587306dded59883fcca9bfd97eaf64f4cc3436f13b9873e19ff88a61deb2d4c237bf323d0c82c2329bb7c04343479312072e7482ccefabfb9dfd4d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\5c2e1dd4-dc74-424c-982e-62717824b8f4
                      Filesize

                      982B

                      MD5

                      57873eaf49de6dc610c19d9ef061d9d7

                      SHA1

                      41702e4076ed8c5837ae97a10a71641ff91470aa

                      SHA256

                      8de1a10b445c24d32b9bedf2dce430172d71febf01af5818c7a5df241061514a

                      SHA512

                      3b0fe18bd2196d91944d6bd5465a9a66704529c7a21528eda09f8a7696bd72fd078b6a56293389c479c5abc5de32f44a13f284a10f07f2984bd14b70a6671135

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\6238462f-d588-4ed5-8c50-6bba3f849869
                      Filesize

                      671B

                      MD5

                      ce93691721f939c6000fe92523adb489

                      SHA1

                      32990256f938d7f820512c90997191112209f870

                      SHA256

                      089f7185373242ef264feada1cd79c322187d188086fa6c5cc8b315b45ba5885

                      SHA512

                      89411d0021308ad9267132263ba1f6c3b895aff265f016bda940b5c2bf1b0236498b346b9d00ac666aaf5a986022fc82d7e45eeb79f36e5ec500e368742954b5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\d08d3d9d-c34f-4df8-bba5-7721f5b38b0c
                      Filesize

                      25KB

                      MD5

                      fb884b28d4aa8f50dc7de8eb177885fe

                      SHA1

                      cf0d67e8b6e33495949d512acef20b445d404bc8

                      SHA256

                      a544a50bed8ad6524eb36d31c3bd788027c7a986cc6ab0979d610fa76d9ef75f

                      SHA512

                      8bea95b320823e07fdc22db78ceb4264587b0fd5adb4d027fef22ddb4374eac6e9a7871323759633d87f0e7941759a07568581bbbbfcfce66e0336d84331fbee

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                      Filesize

                      1.1MB

                      MD5

                      842039753bf41fa5e11b3a1383061a87

                      SHA1

                      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                      SHA256

                      d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                      SHA512

                      d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      2a461e9eb87fd1955cea740a3444ee7a

                      SHA1

                      b10755914c713f5a4677494dbe8a686ed458c3c5

                      SHA256

                      4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                      SHA512

                      34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                      Filesize

                      372B

                      MD5

                      bf957ad58b55f64219ab3f793e374316

                      SHA1

                      a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                      SHA256

                      bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                      SHA512

                      79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                      Filesize

                      17.8MB

                      MD5

                      daf7ef3acccab478aaa7d6dc1c60f865

                      SHA1

                      f8246162b97ce4a945feced27b6ea114366ff2ad

                      SHA256

                      bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                      SHA512

                      5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      5e1f8a29775f97dd23417d7fc7b4e04d

                      SHA1

                      10adf9919a7854942d627617888af0839d1a9091

                      SHA256

                      38acacb2698c4b3e78b03ba37ed0e90bb98b69d53ae9f5580ba84cd2698b674f

                      SHA512

                      330f256af92f462954ab95336e8dca73612544d948b0664689f5075afd546cecfb0a9465b86d22afbc9a673bf15168a96f61651b31fa45f8cda60553c7fa17d6

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs.js
                      Filesize

                      10KB

                      MD5

                      264e3243c44af5160d88e5c7035c9917

                      SHA1

                      95d5bfd3251dda6cb02f0b678435cc9f8de13dfe

                      SHA256

                      9a317c7ef6b5dc7e3d983367e70702b98fe4ed1a26244747b47606e97248a2e1

                      SHA512

                      c3a80b57bf52f06532a667c1cf7ebc9c390e7d6b65df85ac4ea3d2358aa76509e46f2cb7c2b53fc8a9375442d0a35fb62b5cfde185bdaff3845488ba1661f4dc

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      1KB

                      MD5

                      e929cdd2536a76de6c652db4ebd51c72

                      SHA1

                      e62ed3b56c3b7d03d8e151c934f39001c3b47aaf

                      SHA256

                      acb22e191e7fdfd4ca4aaa301ea6389f23cbacc45290932b611c5c07f1fe7900

                      SHA512

                      b36d0f6a8c2114628005083069321ec56b95e01bc5cfde2c9d5d47cb454bc20375eb809d8f6d1fdd3e8a52cafe809a5ea06cec58ee22bd9a28ddf81e8c21aa3f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      1KB

                      MD5

                      4bb4412b196bd9d3868a82aa9223584c

                      SHA1

                      fbc1af86f40de67de0887a7aa2f95eac3b30681c

                      SHA256

                      2bb87ad0bf37599634ccd27b3f1c69512dc369e3e1273f01cee169a88d9f7f8c

                      SHA512

                      d662ee75d7c1cf94b61fb00750e42d7c0d20d209c7ee8b6c9d68adaf65dc7028653bb19676daee1b1549d0e51e33c5062dbfa6457ab74f93189eb5487d9d262e

                      Download Submit

                    • C:\Users\Admin\Downloads\1pyL_-uE.pcap.part
                      Filesize

                      21.0MB

                      MD5

                      71ec93443f4d7d8bf391a5b02856c246

                      SHA1

                      d4847d5a2bd26173da036f0d8a7b851c7e7d128b

                      SHA256

                      2e5d63057adec0e8d39f369d77f010b03efb0bf16b90cdd05676e346a930d7b6

                      SHA512

                      3966071c8ab7e0d2e57738814fc7d9da2db0d5ac0e1a7a7d58a55d07419d8d555d4f34c631e8713919d8bbdda632848a5bcf87a16ecaab249c8b38b3d43c505b

                      Download Submit