Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
84s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
06/02/2025, 08:28
General
-
Target
https://drive.google.com/file/d/1LTVyAik4awgLqVaKwB10_VhK4uSV9_8m/view
Malware Config
Signatures
-
Possible privilege escalation attempt 8 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Drops file in System32 directory 2 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1LTVyAik4awgLqVaKwB10_VhK4uSV9_8m/view"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1LTVyAik4awgLqVaKwB10_VhK4uSV9_8m/view2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 27199 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e34bcba9-1b1a-4556-a1ac-416b59a84c33} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 28119 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06547ad0-10cf-484f-b3f1-06db50306cea} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 2772 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8199728-10ad-4e50-b6d8-aa2a0795fdc0} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 32609 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9407248b-2f90-4fda-856e-4e1744e09f25} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4932 -prefMapHandle 4928 -prefsLen 32609 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fe3f070-5f00-4d33-9a26-ac982a6394ea} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ddb39cb-8055-46d1-b9c9-fa2938e01156} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3ce57b3-7201-491f-b80a-56f897e2e95f} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44bb649c-8c6f-4dce-b622-516aba7203ba} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6160 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ecb6227-39eb-4de6-98e0-0e70ccff4a30} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\MCenter 8th\M Centers.exe"C:\Users\Admin\Desktop\MCenter 8th\M Centers.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\takeown.exe"takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\takeown.exe"takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\takeown.exe"takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\takeown.exe"takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5da5548fa042589840d603315807fca25
SHA1e39285319e3b1f9d523dd081b97069c4cc77642b
SHA25602867ee3769fbe03390d4a08d04b3c583963ffe17934b941982dd8835bcf1ae3
SHA51247ab2ffc8693875be11780207e1475717d355c4c9c99a6b496542cf2c1dd395c0c5caa2c469a42612d53d988dd4fd0d33e4c4a52ba2e1ec4639c806c6248dcaf
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD503111a4d1b7851a8d98f54a0c9389611
SHA128b46c835b33c968858b10ac896a462b1cb9bd00
SHA256d7eea2b89ad5f3c23af67332d4337b16c515389af03dfb82ca4315d03f41368b
SHA5121d3746ae8521bd601e37e5611ad9d48e1a42daef0bef5544ee105a42da150d780c56c76606e848fb00947cc423908846ac156823e1a2c26048beeb1439071664
-
Filesize
27KB
MD5cc72a41e261326316d826bb0045d1911
SHA19b6693cef52e183e6c1cc487e4febd845704d5f1
SHA25677653704f93ffb567aa1c18eba0cc7ea30eeba793dbbe4113f2577b91256f973
SHA512b7d90bd185d65dd8f0d19c92360fb36932066b3d5a1a3b979f03fd60db5f184bf568645c30b4bfdd8030944982a01289acbfbadc66450fa9d58cdcdb58456f83
-
Filesize
5KB
MD564620122d020c2195c17f90321562b9f
SHA180c3657443687207b1b9bb55434015ab89270868
SHA256dbbba0430f1a23ed11d18c83daa684ab76047c9a2f171694273f52f234e09ddf
SHA512ba0e97534f57e08d3f891aa327125ce77c275aeb809a1ffd9056cabb4e3ad5f6542f8e91d789303f0398c6c4fac919b1777ab0275a956b5296541d3cc14abb4c
-
Filesize
6KB
MD5fbd5f09a6d1de7ab2b3d703d89fffd96
SHA1249b635bd02d07d083ec1d1f05693ba2d422a595
SHA2564c8405e90b47fcba82d1b76a7a15163d7edb4370aacf36ca033a0a3ca5f94926
SHA512f743fdda49a30950ea5318a0ef67597c29325c3ea0e5b821e5bddad7784e308b9ce2f7e6a2c59cf434e888a1efc5d9f40ad6ae4796f96275d5fff4a8cc9845e5
-
Filesize
16KB
MD5ba726e02c03f65d716d10e4235d0c031
SHA1a22568645fdbef7072ea9c258baf05577118ca74
SHA2568c5b625ec2eb7f41a51dc579270272a4665f1b68514a4cd7dc0b444704423dd7
SHA51260a073819c5e57ebd64a299369c4e65883f20f427376981dc910c00cfab7902112d9ca6b60fe134603d014381aca18336e379201a7cf08db76d06106c87d5a4e
-
Filesize
26KB
MD554bb6dc66fbf7d825bf8c409244407a9
SHA15574fe8faf4f38f9e8cad04df2451fbbea10e0d6
SHA2568ccb391535fda94f5ba740e470c4e49efd8bbb87254f85d295dd15ecdf769863
SHA51292ad25b11fcc6a0e21f2f85432c65f3a4de75be13bc9f4405966f10f366d5cab1712127af35505c3c874d6bf689bd59226771f43dafaf93e899c386a1bd1da2f
-
Filesize
982B
MD540cfa309a57667415eadd221a0f1e108
SHA17e235657938e893d6d3d6f055092c74a806c2aff
SHA256373c58d259fe0ccedbaad632e6bb26a3b141c3374f1c4dfdbfe884738f3bfdd3
SHA512f101ca3f2413d1f126c37c0703f610a332a5597a23e1516711b121c466d9cedf9e42cfefdbb79e0d6c6f1ad7a63fa9d38aa29f83984e8443b70e86bbce681f6e
-
Filesize
671B
MD52b3c1aa763853aad427af70e0c691b12
SHA15e1d80f8eaca113dbce327404009eaa2acf55900
SHA2569c387cc11820b9a4de2c593024b08d841f3196e56d7ad03313f41f6a3b0125f0
SHA512b8503fe17df0c90ee84ae66d81b454aa505e8ee356077050cb3414647a49df77903a20b943f93eb9379d85738fdc3178346ad7a8abbd027309f9023bbf52bcbd
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5c667a6c44bda0e3a357fba901d40fcee
SHA1ee9a4e6ca678cb6e83d21c1c243142c3207321cf
SHA2560392edd3e38240580ea644c634439c35b2e289c535c3c60955736d8836cce3bd
SHA51281d165e668f2df6a7406f1d8788e11ec62809e8210e608c65645fa5a43abbca39cb49191c3d626472d5c12ab107c54d988cc71b4f7a8965596715cdbd7e326df
-
Filesize
10KB
MD5c568898ea1d162e7060644158fab5dd4
SHA1c1184a3d8fb402dce45c30e3fbd0c1f7fcf198db
SHA2563959dfbd746fefbde25afeb5e93380967dd2e2a0dea80cfe043760877e4af1ca
SHA51259aa7326a8820b1bbaf67335241f9e6ee6d359fabf1a524979c7637585309868d647ad141063cfbaa3830d971e8c6f8ab42c923cae311429b57abba06a8fc2d6
-
Filesize
9KB
MD54906c59c460d4e6453dab4f18cce1137
SHA1fd7a7a61e8f467a157dd56d7ecb595028fd23820
SHA2564b9ddb4715ce261172f04a7a2f8615421421e156884d3edfaecbf08068dca493
SHA512615414d9218091e1fdc001aace6b83585907b84113404ddb63e30308aef5efb41a6dfb50353749dddb3fbbda64d06ea5b46f23a760a60682797a12db0c96c8c9
-
Filesize
2KB
MD56dfc7841cebeab0509155f7707bcbecf
SHA105d281ec2731f88d9e2744cd5a7834c666992456
SHA256ae4904e9fade4a02c6838998a21ada2a7163cd29f325492cda710890f1f0fc4d
SHA512f0ba63be058249ddb93dba85bce1d9bc67ee0e882b65ce98f24fe87bc6d1fd57c21bc775eb510b4694368405662e9068a434622a5542c693c78852f132763e23
-
Filesize
5.4MB
MD52369353e9e56f0603911050df498dcc5
SHA1f4262f0b85edfc99b574ec250064184123e6b2d0
SHA2561fe60ec98637326b6ef1020308b8c03db2bb444115d65170bd215c87e59eca9c
SHA5125fd52e70c8b6d24cc83e1b6215672f39300fa3242474c0351bdcd5d8dfbf10cc8f2b8d07727c2ef78a055fa852c3f5bda08ca7638f3ec97b586ede40648f7739
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
10.8MB
-
Filesize
248KB
-
Filesize
9.5MB
-
Filesize
336KB
-
Filesize
10.8MB
-
Filesize
744KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
596KB