Analysis
max time kernel: 152s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2022, 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: f8e37e02fb5eb8b1483cfd0af13ca51f79db0633620eecac7e071fb430e6dab8.url
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f8e37e02fb5eb8b1483cfd0af13ca51f79db0633620eecac7e071fb430e6dab8.url
  Resource: win10v2004-20221111-en
General
Target: f8e37e02fb5eb8b1483cfd0af13ca51f79db0633620eecac7e071fb430e6dab8.url
Size: 202B
MD5: 868819b9da6957884d3d2bbb0d3a7ca4
SHA1: 0c665b27dd2c7f7d496625432ad37cd16d13e262
SHA256: f8e37e02fb5eb8b1483cfd0af13ca51f79db0633620eecac7e071fb430e6dab8
SHA512: 3afa09969af8cfe2bd71f555c8d99dbef8e7ac5305bc2679827344f54ec89ebfd30358605b2c62263b0ff197d303858ccd3ec12df98342212f1a8480e9792ca1
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoCs)
  description / ioc / Process:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process: 2744 msedge.exe; 2744 msedge.exe; 4924 msedge.exe; 4924 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid / Process: 4924 msedge.exe; 4924 msedge.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process: 4924 msedge.exe; 4924 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (the 64 listed IoCs are repeated instances of these five rows):
  PID 4124 wrote to memory of 4924 / 4124 / rundll32.exe / 84
  PID 4924 wrote to memory of 2248 / 4924 / msedge.exe / 86
  PID 4924 wrote to memory of 5104 / 4924 / msedge.exe / 89
  PID 4924 wrote to memory of 2744 / 4924 / msedge.exe / 90
  PID 4924 wrote to memory of 4692 / 4924 / msedge.exe / 91
Processes
- C:\Windows\System32\rundll32.exe (PID 4124)
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\f8e37e02fb5eb8b1483cfd0af13ca51f79db0633620eecac7e071fb430e6dab8.url
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4924)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.longyingfz.com/
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2248)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8cec046f8,0x7ff8cec04708,0x7ff8cec04718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5104)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3506094723372142322,8371794268325810124,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2744)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3506094723372142322,8371794268325810124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4692)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3506094723372142322,8371794268325810124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3880)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3506094723372142322,8371794268325810124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1468 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 952)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3506094723372142322,8371794268325810124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1152 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 816)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding