Analysis
  max time kernel: 203s
  max time network: 210s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/12/2022, 20:26
Static task: static1

Behavioral task: behavioral1
  Sample: 0e7392c4830201922313c3a26171365584945a2fc0ec05c0fb21a022f922e59d.url
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 0e7392c4830201922313c3a26171365584945a2fc0ec05c0fb21a022f922e59d.url
  Resource: win10v2004-20221111-en
General
  Target: 0e7392c4830201922313c3a26171365584945a2fc0ec05c0fb21a022f922e59d.url
  Size: 256B
  MD5: ec335d6823acfad37fe34a49b2b633d9
  SHA1: 0a67be14deacbe985d1a833cc69b7774f9a6b572
  SHA256: 0e7392c4830201922313c3a26171365584945a2fc0ec05c0fb21a022f922e59d
  SHA512: 4d5bb7b80b37b15a23a1a196b48a24e77a23d4dd9b2c9b57ccc75a63b54702e52d5deab32d0a8c48691ce4aaa06e2c0dd37ae270c2d0231680f04a9b74d15cdc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                     | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    | msedge.exe

- Modifies registry class (1 IoCs)
  description | ioc                                                                                     | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  3884 | msedge.exe
  3884 | msedge.exe
  4868 | msedge.exe
  4868 | msedge.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid  | Process
  4868 | msedge.exe
  4868 | msedge.exe
  4868 | msedge.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  | Process
  4868 | msedge.exe
  4868 | msedge.exe
  4868 | msedge.exe

- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with their count)
  description                         | pid  | Process      | procid_target | rows
  PID 1588 wrote to memory of 4868    | 1588 | rundll32.exe | 81            | 2
  PID 4868 wrote to memory of 4288    | 4868 | msedge.exe   | 83            | 2
  PID 4868 wrote to memory of 3400    | 4868 | msedge.exe   | 86            | 40
  PID 4868 wrote to memory of 3884    | 4868 | msedge.exe   | 87            | 2
  PID 4868 wrote to memory of 2508    | 4868 | msedge.exe   | 88            | 18
Processes
- C:\Windows\System32\rundll32.exe (PID 1588)
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\0e7392c4830201922313c3a26171365584945a2fc0ec05c0fb21a022f922e59d.url
  Signatures:
    - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4868)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.hz38.cn/
    Signatures:
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4288)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb814546f8,0x7ffb81454708,0x7ffb81454718

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3400)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3884)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
      Signatures:
        - Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1444)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2156)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1132 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8930399880910309879,11733602028206636308,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1

- C:\Windows\System32\CompPkgSrv.exe (PID 2956)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding