Analysis
max time kernel: 181s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 17:35
Static task: static1
Behavioral task: behavioral1
  Sample: 80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
  Resource: win10v2004-20221111-en
General
Target: 80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
Size: 56KB
MD5: d6db2418b92c1df56422e5fceaebe0f5
SHA1: 15c0b039d8bfb1b0f9f753af73c279f1cc57df3e
SHA256: 80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840
SHA512: 41f12b640f0909b8170d254255960d30ed49891fca0754379e7cc0528049a8f83cbd4b56a04edc75e78e98f9d39b1d9f15c30d71bb46d48259736596aa68451c
SSDEEP: 768:ECPd5jJ2AeYUllXWhwkVzVVLZcTW+ZR1kUE6dLXUlPRAR911BtRbS4r:ECPd5jw7MF+6UE6d4lyr1W4
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
  File opened for modification: \??\c:\windows\SysWOW64\AlexHack2012.dll  [80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe]
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  [msedge.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  [msedge.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  [msedge.exe]
Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [msedge.exe]
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 364 msedge.exe; PID 364 msedge.exe; PID 3068 msedge.exe; PID 3068 msedge.exe; PID 3568 msedge.exe; PID 3568 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  PID 3568 msedge.exe; PID 3568 msedge.exe; PID 3568 msedge.exe; PID 3568 msedge.exe; PID 3568 msedge.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3568 msedge.exe; PID 3568 msedge.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4900 80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80daeec32c4197d23614bfd6bb33b970fb45afbc5ad2990e1d7571735f2dd840.exe"
  PID: 4900
  Signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://facebook.com/25bil
    PID: 3464
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2ef46f8,0x7ffab2ef4708,0x7ffab2ef4718
      PID: 5036
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10476167925385654078,1178532487335449370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      PID: 3028
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10476167925385654078,1178532487335449370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      PID: 3068
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://billkr4z.blogspot.com/
    PID: 3568
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x8,0x104,0x7ffab2ef46f8,0x7ffab2ef4708,0x7ffab2ef4718
      PID: 1928
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      PID: 3060
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      PID: 364
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
      PID: 4580
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
      PID: 3484
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
      PID: 4128
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
      PID: 4736
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      PID: 3228
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      PID: 4732
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,7386504014269431637,1721391942348011568,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6376 /prefetch:8
      PID: 4264
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4728
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 471B
  MD5: cc824a79f28b8a645a799f23df0b9491
  SHA1: f0b40369636e0957130906c68a609b146697b61f
  SHA256: ac65a021aad43fa51c9375a41e1a33e7a80368b0bc9c82284b74d1be602e9372
  SHA512: 1fbc15170884ae6d7adf2a31621b014ed29c41021e837f4a8521a81b1b1d9a3f62c45b4e27b5beb8430575f5db50ee647237df77367a058484379adf398d9161
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 442B
  MD5: cfc12b6602aa6c474b1d348fc31d13ff
  SHA1: 209089b83c396117d9a734df89a436da5754c1d7
  SHA256: 999f1e9cfae17b7c081b2dce55410178cf6e738baa19ccec4cc132553a33c318
  SHA512: 366706201275eb7ddf7b27d43ace80e8a27f5451ff495f84052ac43e8ccff6efe1525c18b6ebed42fd0c140cc8ce6cb3a36fe4788ad55bca81277b85c997aafa
- Filesize: 152B
  MD5: d492567d4611438b2f936ddcaa9544ef
  SHA1: ae88af380bbeb5e05a0446163a5434d70710f853
  SHA256: 0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645
  SHA512: 150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48
- Filesize: 152B
  MD5: 18ad3a99cbd5ddc6b806e98374137f92
  SHA1: 03b6e4402a81fc0585430539a6d4a208b6ca9020
  SHA256: b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f
  SHA512: faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0
- Filesize: 2KB
  MD5: 640a2b89f5d6711f69faf87a7fd8bc50
  SHA1: c19c874cbcb450519e921038ce00ccda7937dc4b
  SHA256: 5d1cceedf6281b2d83e8e214556a29f90f8c024949680811b076d7ec0af19d21
  SHA512: 992faa5c13c2529237db043f1aa156cd1ab6eb87d0665227d0a58e9e25c65208ae06b54f6d28e1636c497736aa4a60f2f908d064d9c57cfa05f4df4f94ba5965