Analysis
- max time kernel: 206s
- max time network: 244s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 19:11
Static task: static1
Behavioral task: behavioral1
- Sample: b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe
- Resource: win10v2004-20221111-en
General
- Target: b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe
- Size: 66KB
- MD5: 63679b2a863e8612d98bbc0cf0eacf37
- SHA1: 9cf3aa7d7c3aedc9da9d0905fd68591b28eddc29
- SHA256: b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe
- SHA512: 91c4b7dab09373ed4223cbadeb152a1f1b023af22329db7c7d586e8ea8665b3545560db6138a7670749505cdb1d8c668a8875c13c000e337d9f91cb9d7aafe38
- SSDEEP: 384:Xn5XJfWchviKbD2ydxLf45LQfrsLXuSfaXx:Xn/fWkLbDxlIux
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 3976 msedge.exe
  PID 3976 msedge.exe
  PID 1644 msedge.exe
  PID 1644 msedge.exe
  PID 2984 msedge.exe
  PID 2984 msedge.exe
  PID 540 msedge.exe
  PID 540 msedge.exe
  PID 540 msedge.exe
  PID 540 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  PID 2984 msedge.exe
  PID 2984 msedge.exe
  PID 2984 msedge.exe
  PID 2984 msedge.exe
  PID 2984 msedge.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2984 msedge.exe
  PID 2984 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe (PID 2176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3652)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c6a046f8,0x7ff9c6a04708,0x7ff9c6a04718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2544)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7910315944613326954,11560873052937574372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1644)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7910315944613326954,11560873052937574372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2984)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b3b2d1476ea67dc80f6ee789e65a6b73744674beb41261363539654e809dfafe.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1372)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff9c6a046f8,0x7ff9c6a04708,0x7ff9c6a04718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4832)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3976)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2668)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4892)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1108)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3900)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1940 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 540)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17541693767737779057,11379873273058862317,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3432 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4292)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads