Analysis

  max time kernel    173s
  max time network   179s
  platform           windows10-2004_x64
  resource           win10v2004-20220812-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted          03/10/2022, 02:05

Static task
  static1

Behavioral task
  behavioral1
  Sample     d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe
  Resource   win7-20220812-en
General

  Target   d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe
  Size     26KB
  MD5      741dd56df115492676e64b2469474d6e
  SHA1     d70e578e5ca8b9e62d2867819ae8cfafa290b581
  SHA256   d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc
  SHA512   aa01c77639ed85cf164a95b756c575a7ce74f0a1a95408ac1260335570f66e97759ee522bb5ca3976d2628c8d0cb9ab312323214e484faad9200cf6edafb7263
  SSDEEP   384:JDowEhdUj1NiEgFrSSXgirpbSWUJWUN4fZyR8:JDo8VG2MRFbwV4L
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                     process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Modifies registry class (1 IoC)
  description   ioc                                                                                       process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    process
  2312   msedge.exe   (2 entries)
  1880   msedge.exe   (2 entries)
  3844   msedge.exe   (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid    process
  3844   msedge.exe   (7 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    process
  3844   msedge.exe   (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 listed entries reduce to the following writer/target pairs, each repeated several times (3844 writing to 1600 and 3368 writing to 1072 account for most of the entries). Every target is the writer's own direct child in the process tree below.
  description                         pid    process                                                                 procid_target
  PID 3756 wrote to memory of 3368    3756   d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe   84
  PID 3368 wrote to memory of 1792    3368   msedge.exe                                                              85
  PID 3756 wrote to memory of 3844    3756   d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe   88
  PID 3844 wrote to memory of 3480    3844   msedge.exe                                                              89
  PID 3844 wrote to memory of 1600    3844   msedge.exe                                                              90
  PID 3368 wrote to memory of 1072    3368   msedge.exe                                                              91
Processes

Note: the two msedge.exe processes started by the sample (PIDs 3368 and 3844) were launched with the CLR startup shim's fallback URL (o1=SHIM_NOVERSION_FOUND, shimver=4.0.30319.0, processName=<the sample>): the sample is a .NET executable whose required runtime version was not found on the image, so the shim opened the .NET download link in the default browser. Everything beneath those two processes is Edge's normal multi-process startup (crashpad handler, gpu-process, network/storage/data-decoder utilities, renderers, identity_helper.exe), every registry IoC in the Signatures section is attributed to msedge.exe rather than to the sample, and the WriteProcessMemory pairs coincide exactly with the parent/child edges of this tree.

C:\Users\Admin\AppData\Local\Temp\d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe (PID 3756)
  command line: "C:\Users\Admin\AppData\Local\Temp\d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe"
  signatures: Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3368, parent 3756)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    signatures: Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1792, parent 3368)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3e0b46f8,0x7fff3e0b4708,0x7fff3e0b4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1072, parent 3368)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1170756070377529744,14813915798850657348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312, parent 3368)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1170756070377529744,14813915798850657348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3844, parent 3756)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3480, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff3e0b46f8,0x7fff3e0b4708,0x7fff3e0b4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1600, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1880, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2852, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 940, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3444, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1128, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1092, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6360 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3924, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3992, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4560, parent 3844)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14374802618340426691,6157198967176020334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe (PID 5060)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
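The script below is an added example and is not part of the tria.ge report or of any tria.ge tooling. It transcribes the process tree above (PIDs, parents and command lines taken from the report, with the Edge helper tree under PID 3844 abbreviated to its first three children) together with the writer/target pairs that the 64 WriteProcessMemory entries collapse to, and runs the two checks an analyst wants before taking the "suspicious" signatures at face value: whether every WriteProcessMemory target is the writer's own direct child (a creation-time write into a freshly spawned child rather than injection into an unrelated process), and whether a browser launch is the CLR startup shim's fallback for a .NET executable whose runtime was not found, recognised by the go.microsoft.com fwlink carrying o1=SHIM_NOVERSION_FOUND in the command line. The function names and the shape of the `triage` summary are this example's own.

```python
"""Added example: triage a sandbox process tree for browser noise and real injection."""
from urllib.parse import parse_qs, urlparse

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe")
# The fallback URL the CLR shim passed to the browser, copied from the report.
FWLINK = ("http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409"
          "&o1=SHIM_NOVERSION_FOUND&version=(null)&processName="
          "d33639021c52ace5e9c4a59c73db2acb38a6ab24cfeb206f5c31209aab7ee0cc.exe"
          "&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0")

# (pid, parent pid, image, command line) transcribed from the report's Processes section;
# the helper tree under PID 3844 is abbreviated. This is constructed input, not a live capture.
PROCESSES = [
    (3756, None, SAMPLE, f'"{SAMPLE}"'),
    (3368, 3756, EDGE, f'"{EDGE}" --single-argument {FWLINK}'),
    (1792, 3368, EDGE, f'"{EDGE}" --type=crashpad-handler'),
    (1072, 3368, EDGE, f'"{EDGE}" --type=gpu-process'),
    (2312, 3368, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    (3844, 3756, EDGE, f'"{EDGE}" --single-argument {FWLINK}'),
    (3480, 3844, EDGE, f'"{EDGE}" --type=crashpad-handler'),
    (1600, 3844, EDGE, f'"{EDGE}" --type=gpu-process'),
    (1880, 3844, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    (5060, None, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# (writer pid, target pid) pairs that the report's 64 WriteProcessMemory rows collapse to.
WPM_EVENTS = [(3756, 3368), (3368, 1792), (3756, 3844), (3844, 3480), (3844, 1600), (3368, 1072)]


def parent_map(processes):
    """Map pid -> parent pid (None for tree roots)."""
    return {pid: ppid for pid, ppid, _image, _cmd in processes}


def cross_process_writes(events, processes):
    """Return the (writer, target) pairs whose target is not the writer's direct child.

    A parent writing into a child it just spawned is ordinary process creation; a write
    into any other process is the signal worth escalating.
    """
    parents = parent_map(processes)
    return [(w, t) for w, t in events if parents.get(t) != w]


def dotnet_shim_launches(processes):
    """Find browser launches carrying the CLR shim's 'no runtime found' fallback URL."""
    found = []
    marker = "--single-argument "
    for pid, ppid, _image, cmd in processes:
        if marker not in cmd:
            continue
        url = cmd.split(marker, 1)[1].strip()
        parts = urlparse(url)
        if parts.netloc.lower() != "go.microsoft.com":
            continue
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if query.get("o1") != "SHIM_NOVERSION_FOUND":
            continue
        found.append({"pid": pid, "parent": ppid, "reason": query["o1"],
                      "process": query.get("processName"), "shimver": query.get("shimver")})
    return found


def triage(processes, events):
    """Summarise which pids are the browser's own process model and what injection remains."""
    parents = parent_map(processes)
    launches = dotnet_shim_launches(processes)
    noise = set()
    for launch in launches:
        # Every descendant of a shim-launched browser is the browser's normal helper tree.
        frontier = [launch["pid"]]
        while frontier:
            current = frontier.pop()
            noise.add(current)
            frontier.extend(pid for pid, ppid in parents.items() if ppid == current)
    return {
        "dotnet_runtime_missing": bool(launches),
        "shim_parent_pids": sorted({x["parent"] for x in launches}),
        "browser_noise_pids": sorted(noise),
        "cross_process_writes": cross_process_writes(events, processes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESSES, WPM_EVENTS), indent=2))
```

On this report the summary comes back with both shim launches attributed to PID 3756, all of the msedge.exe pids classed as browser noise, and no cross-process write left over; feeding the same functions a constructed pair such as (3756, 5060), where CompPkgSrv.exe is not a child of the sample, is what a real injection would look like.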
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize   471B
  MD5        18c5ce66b5fb6e5f744da99e7bf49c2d
  SHA1       ebc776924a1095dfd21379a8df954995ff5c54bf
  SHA256     e3f8d374fb04424f91bc57bccbd493cac0fc6e66506b1fed05a4d5aeb5ecd9e9
  SHA512     63f9420456899909c25f81e89bd99d8c4f1c66488c03d7de814d81844be27a28854dadbb3e54f307ceef48b4afe577c4a2c0c9dff4f42e3fe38246f8c0f4c8b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize   416B
  MD5        9fd5e1a88c909c07a55ac9f134823c81
  SHA1       5d18b6cf067627fb2bb5f799d66f3cfb5efc165d
  SHA256     93008e7d5809191e20ddc60f773e991a7432171da012a174cd1ba4bf582c7019
  SHA512     d7a1d9ba142edb0296cb3c363152d0ba6c8280046568b8068825893dd0263d88238119f06f83bea024d5cb38f507de1e1efcc4951efc1d3134820f8a8a4e0c94
(no path recorded)
  Filesize   152B
  MD5        727230d7b0f8df1633bc043529f5c15d
  SHA1       5b24d959d4c5dcf8125125dbee37225d6160af18
  SHA256     54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
  SHA512     35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

(no path recorded)
  Filesize   152B
  MD5        7b4b103831d353776ed8bfcc7676f9df
  SHA1       40f33a3f791fda49a35224a469cc67b94ca53a23
  SHA256     bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
  SHA512     5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
(no path recorded)
  Filesize   2KB
  MD5        9807889232b555a80a9aa8aed7437f8c
  SHA1       882f0adee2f98078769f1568809c334ec0b97ca6
  SHA256     2b2224ae277c5c9b0038e9eb8deb652f1f3f6879aa73ee4ac9beb2773887e236
  SHA512     6e8748a8700f0c108b36243b807ece40618a7a9e3d2c5dbe76b9e30df430ffba764e897faa4b107c81c4e4856bf6e9e86dbf7990a0a070f8f316b8e287ba57a6