Analysis
  max time kernel: 152s
  max time network: 173s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/10/2022, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Resource: win10v2004-20220812-en
The signature and process data below come from behavioral2: the platform and resource fields above, and the Edge and Windows paths in the process tree, all belong to the win10v2004 run.
General
  Target: b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Size: 528KB
  MD5: 4b88c6e996a391b8be1ede13d555e63d
  SHA1: 96ed996d88a6214a048f7f445bbf19dd33a2140c
  SHA256: b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135
  SHA512: 514c42bfbae92d786e612d620994a4f39ce161a936636a56fa66dc540cf7ea8e091a244fa04fff452591ef20ca32db87beb69213ac96f0ef771dffc2e2b6cc61
  SSDEEP: 6144:qo2gmzMtvK9x08Opj5XV+1iRkST3H963kbZw6EBRiWcfX:nFmKa
Malware Config
  (no configuration extracted)

Signatures
Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run    msedge.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run    b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\wmplayer.exe"    b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  The sample registers C:\MessengerPlus\wmplayer.exe as a per-user autorun. The value name and file name borrow those of Windows Media Player's wmplayer.exe, but the path is neither a Windows nor a Program Files directory, and no file write to that path appears among the signatures in this report. The msedge.exe entry is Edge opening the same key, not the sample.
Drops file in Program Files directory (2 IoCs)
  File created                 C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\77652bf6-6d54-4a71-886d-6ce270ccc971.tmp    setup.exe
  File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221021100317.pma    setup.exe
  Both writes are by Edge's own installer (setup.exe, PID 952 in the process tree) into Edge's SetupMetrics directory, not by the sample.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). tria.ge labels this as likely ransomware behaviour; the report lists no IoC for this signature, so it cannot be attributed to a specific process here.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe
  All three reads are by msedge.exe, not by the sample.
Modifies Internet Explorer settings (3 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"    b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"    b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Download    b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
  CheckExeSignatures = "no" together with RunInvalidSignatures = 1 switches off Internet Explorer's Authenticode check on downloaded executables, so a download with a missing or invalid signature runs without the signature warning.
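The Run-key autorun above and the Internet Explorer download-signature settings can both be expressed as rules over tria.ge-style "Set value" records. The block below is an added example, not tria.ge's own signature logic: the trusted-directory list and the Windows-binary name list are illustrative assumptions, the first three records are copied from this report, and the fourth is a constructed benign control so the rules have a negative case.

```python
import re
from dataclasses import dataclass

# Three records copied from the report; the fourth is a constructed control.
RECORDS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\wmplayer.exe" b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001" b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe',
    # constructed benign control: an autorun that points into Program Files
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" setup.exe',
]

# "Set value (<type>) <key>\<name> = "<value>" <process>" as tria.ge prints it
RECORD_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

# Assumed trusted autorun locations (illustrative, not exhaustive).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumed names of binaries that ship with Windows; an autorun reusing one of
# these names from elsewhere is masquerading. Illustrative list.
WINDOWS_BINARIES = {"wmplayer.exe", "explorer.exe", "svchost.exe", "msedge.exe"}


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse(record):
    """Return (key, value_name, value, process) with key/name lower-cased and
    tria.ge's doubled backslashes collapsed, or None for other record types."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    _vtype, fullkey, value, process = m.groups()
    key, _, name = fullkey.rpartition("\\")
    return key.lower(), name.lower(), value.replace("\\\\", "\\"), process


def exe_from_value(value):
    """Executable path of an autorun value, lower-cased, arguments dropped.
    Quoted paths end at the closing quote; unquoted paths with spaces are
    taken up to the first '.exe' (the same ambiguity CreateProcess resolves)."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0].lower()
    low = v.lower()
    idx = low.find(".exe")
    return low[: idx + 4] if idx != -1 else low.split(" ", 1)[0]


def evaluate(records):
    """Apply the autorun and IE download-signature rules to the records."""
    findings = []
    for rec in records:
        parsed = parse(rec)
        if parsed is None:
            continue
        key, name, value, process = parsed
        if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            exe = exe_from_value(value)
            if not exe.startswith(TRUSTED_DIRS):
                findings.append(Finding("autorun_untrusted_path", process, f"{name} -> {exe}"))
                if exe.rpartition("\\")[2] in WINDOWS_BINARIES:
                    findings.append(Finding("autorun_masquerade", process,
                                            f"{exe.rpartition(chr(92))[2]} outside its Windows location"))
        elif key.endswith("\\internet explorer\\download"):
            if name == "checkexesignatures" and value.lower() == "no":
                findings.append(Finding("ie_signature_check_disabled", process, f"{name}={value}"))
            elif name == "runinvalidsignatures" and value.strip("0") != "":
                findings.append(Finding("ie_run_invalid_signatures", process, f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for f in evaluate(RECORDS):
        print(f"{f.rule:30} {f.process[:16]:16} {f.detail}")
```

The masquerade rule only fires when the path is already untrusted, so a legitimate wmplayer.exe under Program Files produces nothing; the control record likewise produces no finding.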
Modifies registry class (1 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\    msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 216   msedge.exe          (2 entries)
  PID 5028  msedge.exe          (2 entries)
  PID 4048  identity_helper.exe (2 entries)
  PID 1004  msedge.exe          (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID 5028  msedge.exe  (6 entries)
  All six are from the Edge browser process, consistent with Chromium launching its sandboxed child processes with the block-non-Microsoft-binaries mitigation policy.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33                         PID 2808  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege PID 2808  AUDIODG.EXE
  AUDIODG.EXE is the Windows audio device graph host; its appearance is consistent with Edge starting its audio service for the YouTube page.
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 5028  msedge.exe  (2 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 4328  b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4328 (b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe) wrote to memory of 5028, procid_target 81: 2 entries
  PID 5028 (msedge.exe) wrote to memory of 4964, procid_target 82: 2 entries
  PID 5028 (msedge.exe) wrote to memory of 320, procid_target 85: repeated entries
  PID 5028 (msedge.exe) wrote to memory of 216, procid_target 86: 2 entries
  PID 5028 (msedge.exe) wrote to memory of 1760, procid_target 87: repeated entries
  The 64 entries collapse to these five writer/target pairs; 58 of them are the writes to PIDs 320 and 1760. In every pair the target is a direct child of the writer in the process tree below (sample -> Edge browser process; Edge browser -> crashpad handler, GPU process, network service, storage service). That is the pattern of a parent setting up children it has just spawned, not of writes into an unrelated process. The only write that originates outside Edge is the sample starting Edge itself.
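The collapse above can be automated: parse the "wrote to memory of" entries, count them per writer/target pair, and check each pair against the parent/child relations from the process tree. This is an added example, not tria.ge code; RECORDS is a constructed subset of the report's 64 entries (the same five pairs, fewer repetitions), and PARENT/IMAGE are copied from the process tree below.

```python
import re
from collections import Counter

SAMPLE = "b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe"

# Constructed subset of the report's WriteProcessMemory entries (same pairs,
# fewer repetitions than the 64 on the page).
RECORDS = (
    [f"PID 4328 wrote to memory of 5028 4328 {SAMPLE} 81"] * 2
    + ["PID 5028 wrote to memory of 4964 5028 msedge.exe 82"] * 2
    + ["PID 5028 wrote to memory of 320 5028 msedge.exe 85"] * 6
    + ["PID 5028 wrote to memory of 216 5028 msedge.exe 86"] * 2
    + ["PID 5028 wrote to memory of 1760 5028 msedge.exe 87"] * 4
)
# Parent and image of each PID, taken from the process tree in the report.
PARENT = {5028: 4328, 4964: 5028, 320: 5028, 216: 5028, 1760: 5028}
IMAGE = {4328: SAMPLE, 5028: "msedge.exe", 4964: "msedge.exe",
         320: "msedge.exe", 216: "msedge.exe", 1760: "msedge.exe"}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def collapse(records):
    """Count entries per (writer_pid, target_pid, writer_image)."""
    edges = Counter()
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        writer, target, _writer_again, image, _procid = m.groups()
        edges[(int(writer), int(target), image)] += 1
    return edges


def classify(edges, parent, image):
    """Label each pair: a write into a direct child is process setup; anything
    else is a cross-process write that deserves a closer look."""
    rows = []
    for (writer, target, wimage), n in sorted(edges.items()):
        kind = "parent-to-child" if parent.get(target) == writer else "cross-process"
        rows.append({"writer": writer, "target": target, "writer_image": wimage,
                     "target_image": image.get(target, "?"), "count": n, "kind": kind})
    return rows


def non_browser_writers(rows, browser_images=("msedge.exe",)):
    """Pairs whose writer is not the browser itself."""
    return [r for r in rows if r["writer_image"] not in browser_images]


if __name__ == "__main__":
    rows = classify(collapse(RECORDS), PARENT, IMAGE)
    for r in rows:
        print(f"{r['writer']:>5} {r['writer_image'][:12]:12} -> {r['target']:>5} "
              f"{r['target_image']:12} x{r['count']:<3} {r['kind']}")
    print("writers outside the browser:", [r["writer"] for r in non_browser_writers(rows)])
```

On the report's data every pair is parent-to-child and the single non-browser writer is the sample launching Edge (4328 -> 5028). A write from the sample into one of Edge's utility processes would be classified as cross-process, which is the case that actually warrants memory-injection follow-up.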
Processes

C:\Users\Admin\AppData\Local\Temp\b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe  (PID 4328, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe"
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5028, child of 4328)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=tkFQS92d6gw
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4964, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb17ad46f8,0x7ffb17ad4708,0x7ffb17ad4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 320, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2360 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 216, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1760, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4400, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2464, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3384, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1664, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1768, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2920, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2324, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4076, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3592, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5840 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1696, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4048, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 952, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe  (PID 752, child of 952)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7c1125460,0x7ff7c1125470,0x7ff7c1125480

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1004, child of 5028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7113314935850177643,338981667738869459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6076 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 2596, top level)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4468, top level)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE  (PID 2808, top level)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x304
  - Suspicious use of AdjustPrivilegeToken
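Most of the tree is Edge's own child processes, recognisable from their Chromium switches (--type, --utility-sub-type, --service-sandbox-type), and only the first msedge.exe was started by the sample. The block below parses those command lines to separate externally launched processes from browser-internal ones and to surface the switches worth noting (the launched URL, utility services running with --service-sandbox-type=none, the GPU process relaunched with --disable-gpu-sandbox). It is an added example, not tria.ge code; PROCS is a subset of the tree above as (pid, parent pid, command line), with long field-trial and gpu-preferences arguments left out for brevity.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b77a49e4a133da84942f4eb94d9ed19dc04051b7dc53928f8ce155cfda7dc135.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EDGE_VER = r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67"

# Subset of the process tree from the report: (pid, parent pid, command line).
PROCS = [
    (4328, None, f'"{SAMPLE}"'),
    (5028, 4328, f'"{EDGE}" --single-argument http://www.youtube.com/watch?v=tkFQS92d6gw'),
    (4964, 5028, rf'"{EDGE}" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7'),
    (216, 5028, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3'),
    (4400, 5028, f'"{EDGE}" --type=renderer --lang=en-US --renderer-client-id=6 --mojo-platform-channel-handle=3472 /prefetch:1'),
    (1696, 5028, rf'"{EDGE_VER}\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none /prefetch:8'),
    (952, 5028, rf'"{EDGE_VER}\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings'),
    (1004, 5028, f'"{EDGE}" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled /prefetch:2'),
]

# A Windows command-line token is either a double-quoted run or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_cmdline(cmd):
    """Split a command line into (image, {switch: value}, [positional])."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    image, rest = tokens[0], tokens[1:]
    switches, positional = {}, []
    for i, tok in enumerate(rest):
        if tok == "--single-argument":
            # Chromium treats everything after this switch as one argument.
            positional.append(" ".join(rest[i + 1:]))
            break
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            switches[key] = value
        else:
            positional.append(tok)
    return image, switches, positional


def role(image, switches):
    """Chromium process role from --type/--utility-sub-type, else by image name."""
    base = image.rpartition("\\")[2].lower()
    if "type" in switches:
        t = switches["type"]
        return f"utility:{switches.get('utility-sub-type', '')}" if t == "utility" else t
    if base == "setup.exe":
        return "installer"
    if base == "msedge.exe":
        return "browser"
    return "other"


def triage(procs):
    """One row per process: role, who launched it, and the switches of interest."""
    parsed = {pid: (ppid, parse_cmdline(cmd)) for pid, ppid, cmd in procs}
    rows = []
    for pid, (ppid, (image, switches, positional)) in parsed.items():
        r = role(image, switches)
        parent_base = parsed[ppid][1][0].rpartition("\\")[2].lower() if ppid in parsed else None
        if parent_base is None:
            origin = "top-level"
        elif parent_base == "msedge.exe" and ("type" in switches or r == "installer"):
            origin = "chromium-internal"
        else:
            origin = f"launched-by:{parent_base}"
        rows.append({
            "pid": pid, "role": r, "origin": origin,
            "sandbox": switches.get("service-sandbox-type"),
            "gpu_sandbox_disabled": "disable-gpu-sandbox" in switches,
            "url": next((p for p in positional if p.startswith(("http://", "https://"))), None),
        })
    return rows


if __name__ == "__main__":
    for row in triage(PROCS):
        print(f"{row['pid']:>5} {row['role']:45} {row['origin'][:40]:40} "
              f"sandbox={row['sandbox']} gpu_sandbox_disabled={row['gpu_sandbox_disabled']} url={row['url']}")
```

On this tree the only "launched-by" row is PID 5028, Edge started by the sample with a YouTube URL; the network service and identity_helper run with --service-sandbox-type=none, which is how Edge itself starts them, and the second GPU process carries --disable-gpu-sandbox. None of those switches came from the sample, so the persistence and Internet Explorer changes under PID 4328 remain the behaviours that matter.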