Analysis
- max time kernel: 167s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 12:02
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 9e1dafe76857560288ec1c16ef46b4652fde28c8ef5ebe390978ff9b1c00be82.url
  - Resource: win7-20220812-en

Behavioral task
- behavioral2
  - Sample: 9e1dafe76857560288ec1c16ef46b4652fde28c8ef5ebe390978ff9b1c00be82.url
  - Resource: win10v2004-20220812-en
General
- Target: 9e1dafe76857560288ec1c16ef46b4652fde28c8ef5ebe390978ff9b1c00be82.url
- Size: 117B
- MD5: bd9757c771061ecacb2783a403b23f52
- SHA1: a56359bb8a2f6a230f8e010163857da9128a99e7
- SHA256: 9e1dafe76857560288ec1c16ef46b4652fde28c8ef5ebe390978ff9b1c00be82
- SHA512: df511b0e29b6fbd9e42d0ffad2b0c5f9cfaea46644bb14f73b82178206db9033b02680459499028bed6e86b52a5d1db5a37f509321b9068a622b2a378a07308f
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates system info in registry (2 TTPs, 3 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
  | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |

- Modifies registry class (1 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |

- Suspicious behavior: EnumeratesProcesses (9 IoCs)

  | pid | Process |
  |---|---|
  | 3400 | msedge.exe |
  | 3400 | msedge.exe |
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |
  | 4504 | msedge.exe |
  | 4504 | msedge.exe |
  | 4504 | msedge.exe |
  | 4504 | msedge.exe |

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)

  | pid | Process |
  |---|---|
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |

- Suspicious use of FindShellTrayWindow (3 IoCs)

  | pid | Process |
  |---|---|
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |
  | 4448 | msedge.exe |

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\System32\rundll32.exe (PID 3732)
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\9e1dafe76857560288ec1c16ef46b4652fde28c8ef5ebe390978ff9b1c00be82.url
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.9host.cn/
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2008)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffcc5cd46f8,0x7ffcc5cd4708,0x7ffcc5cd4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3400)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4916)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3824)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 804)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3004)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4900)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4504)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6193317822852296156,4846918074934410912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4304)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding