Analysis
max time kernel:  300s
max time network: 284s
platform:         windows10-2004_x64
resource:         win10v2004-20230220-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted:        09/03/2023, 10:45
Static task:      static1
URLScan task:     urlscan1
Behavioral task:  behavioral1
Sample:           https://philturtle.com/secure/host16/48ec0a3.php
Resource:         win10v2004-20230220-en
General
Target: https://philturtle.com/secure/host16/48ec0a3.php
Malware Config
Signatures
Every IoC below is attributed to chrome.exe (the browser process, PID 3152, or one of its own child processes), so the list describes a Chrome 106.0.5249.119 launch in the sandbox rather than a dropped payload. No malware configuration was extracted, and what the submitted URL served is not recorded in this capture (the Network and MITRE ATT&CK sections are empty).
Enumerates system info in registry  (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS  (2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                               chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133228359532175008"          chrome.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid 3152  chrome.exe  (2 events)
  pid 624   chrome.exe  (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  (2 IoCs)
  pid 3152  chrome.exe  (2 events)

Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Token: SeShutdownPrivilege        pid 3152  chrome.exe  (32 events)
  Token: SeCreatePagefilePrivilege  pid 3152  chrome.exe  (32 events)
  (the two privileges alternate, SeShutdownPrivilege then SeCreatePagefilePrivilege, across all 64 listed events)

Suspicious use of FindShellTrayWindow  (26 IoCs)
  pid 3152  chrome.exe  (26 events)

Suspicious use of SendNotifyMessage  (24 IoCs)
  pid 3152  chrome.exe  (24 events)

Suspicious use of WriteProcessMemory  (64 IoCs)
  PID 3152 (chrome.exe) wrote to memory of 1968  procid_target 85  (2 events)
  PID 3152 (chrome.exe) wrote to memory of 2612  procid_target 86  (repeated)
  PID 3152 (chrome.exe) wrote to memory of 1788  procid_target 87  (2 events)
  PID 3152 (chrome.exe) wrote to memory of 3408  procid_target 88  (repeated)
  (all 64 listed events have the browser process as writer and one of its own chrome.exe children as target)
Processes
[depth 1] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3152)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://philturtle.com/secure/host16/48ec0a3.php
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1968)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa90389758,0x7ffa90389768,0x7ffa90389778

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2612)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:2

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1788)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3408)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1652)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2008)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 876)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2800)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 624)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4496 --field-trial-handle=1816,i,435165574224270688,15410376684869601468,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 2192)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
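The signatures above are generic and fire on any Chrome launch, so the useful triage questions are structural: which child processes say on their own command line that they run unsandboxed, whether every WriteProcessMemory target is the writer's own child of the same image, whether the registry reads are hardware-identity keys, and whether any enabled privilege is one a browser should not need. The script below is an added example, not tria.ge code. Its input is transcribed from this report: the process list (parent PIDs are inferred from the tree depth on the page, every depth-2 chrome.exe hangs off the depth-1 browser process 3152; the long --gpu-preferences and --field-trial-handle blobs are dropped), the four distinct WriteProcessMemory pairs, the three registry keys and the two privileges. The `--simulate-outdated-no-au` switch on PID 3152 belongs to the sandbox launcher, not to the submitted URL. Helper names and the high-risk privilege set are this example's own choices.

```python
"""Triage helper for a Chrome URL-analysis process tree (added example, not tria.ge code)."""
import re

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ELEVATION = (r"C:\Program Files\Google\Chrome\Application\106.0.5249.119"
             r"\elevation_service.exe")

# (pid, parent_pid, image, switches) transcribed from the report's Processes section.
PROCESSES = [
    (3152, None, CHROME,
     "\"--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'\" "
     "https://philturtle.com/secure/host16/48ec0a3.php"),
    (1968, 3152, CHROME, "--type=crashpad-handler"),
    (2612, 3152, CHROME, "--type=gpu-process"),
    (1788, 3152, CHROME, "--type=utility --utility-sub-type=network.mojom.NetworkService "
                         "--service-sandbox-type=none"),
    (3408, 3152, CHROME, "--type=utility --utility-sub-type=storage.mojom.StorageService "
                         "--service-sandbox-type=utility"),
    (1652, 3152, CHROME, "--type=renderer --first-renderer-process"),
    (2008, 3152, CHROME, "--type=renderer"),
    (876, 3152, CHROME, "--type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics "
                        "--service-sandbox-type=none"),
    (2800, 3152, CHROME, "--type=utility --utility-sub-type=chrome.mojom.UtilWin "
                         "--service-sandbox-type=none"),
    (624, 3152, CHROME, "--type=gpu-process --disable-gpu-sandbox --use-gl=disabled"),
    (2192, None, ELEVATION, ""),
]
# Distinct (writer, target) pairs from the WriteProcessMemory signature.
WPM_PAIRS = [(3152, 1968), (3152, 2612), (3152, 1788), (3152, 3408)]
# Keys from the "Enumerates system info in registry" signature.
REG_KEYS = [
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
]
# Privileges from the AdjustPrivilegeToken signature.
PRIVILEGES = ["SeShutdownPrivilege", "SeCreatePagefilePrivilege"]
# This example's own list of privileges a browser has no business enabling.
HIGH_RISK_PRIVS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}
# --switch or --switch=value; a quoted value (as in --simulate-outdated-no-au) is kept whole.
SWITCH = re.compile(r"""--([A-Za-z0-9-]+)(?:=('[^']*'|"[^"]*"|\S+))?""")


def parse_switches(cmdline):
    """Chrome-style command line -> {switch: value}; value is '' for bare switches."""
    return dict(SWITCH.findall(cmdline))


def chrome_role(cmdline):
    """(role, sandbox) exactly as the command line states it; no guessing beyond the switches."""
    sw = parse_switches(cmdline)
    role = sw.get("type") or "browser"          # no --type means the browser (parent) process
    if role == "utility":
        role = "utility:" + sw.get("utility-sub-type", "?")
    if role == "browser" or "disable-gpu-sandbox" in sw:
        sandbox = "none"
    else:
        sandbox = sw.get("service-sandbox-type", "not stated")
    return role, sandbox


def unsandboxed_children(processes=PROCESSES):
    """Child chrome.exe processes whose own command line says they run without a sandbox."""
    out = []
    for pid, parent, image, cmdline in processes:
        if parent is None or image != CHROME:
            continue
        role, sandbox = chrome_role(cmdline)
        if sandbox == "none":
            out.append((pid, role))
    return out


def classify_wpm(pairs=WPM_PAIRS, processes=PROCESSES):
    """A write into the writer's own child of the same image is ordinary Chrome child
    setup; anything else is a cross-process write that needs a human look."""
    by_pid = {p[0]: p for p in processes}
    labels = {}
    for writer, target in pairs:
        w, t = by_pid.get(writer), by_pid.get(target)
        same_family = bool(w and t and t[1] == writer and t[2] == w[2])
        labels[(writer, target)] = "own-child" if same_family else "cross-process"
    return labels


def fingerprint_keys(keys=REG_KEYS):
    """BIOS identity keys: VM/sandbox fingerprint material, but browsers read them
    too, so a hit here is weak evidence on its own."""
    return [k for k in keys if "\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS" in k.upper()]


def risky_privileges(privs=PRIVILEGES):
    """Enabled privileges that fall in the high-risk set (empty for this report)."""
    return sorted(set(privs) & HIGH_RISK_PRIVS)


if __name__ == "__main__":
    print("unsandboxed children:", unsandboxed_children())
    print("WriteProcessMemory:", classify_wpm())
    print("fingerprint keys:", fingerprint_keys())
    print("risky privileges:", risky_privileges())
```

For this report the checks come back quiet: the unsandboxed children are the NetworkService, ProcessorMetrics and UtilWin utilities and the fallback GPU process, all of which declare it on their command line; every WriteProcessMemory target is a child of PID 3152 with the same image; the three registry keys are BIOS identity reads; and neither enabled privilege is in the high-risk set. The same functions applied to a tree where chrome.exe writes into a non-Chrome PID, or enables SeDebugPrivilege, would flag exactly that row.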
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\13945588-3cbf-4fbc-bb16-3f5c04d7a9fe.tmp
  Filesize  4KB
  MD5       b8f383db8996add6fe916ca9794311e4
  SHA1      381e6638bb23e1be9bec96b7307f2886b2f544ec
  SHA256    8b2ce08ab557b10ea75dfd3f2815a954487fe5354946578eaa9c65716d8abbb5
  SHA512    761ab3e58a350f867c40c9553c9a598ac3ab73d95e34bbb9338e040351eab755de6059e0081256952076d87630b79ac3521e29176c0181202f1cf0f98831ea70

(path not shown)
  Filesize  72B
  MD5       2af9fcf9c8d51be51e66528570ae4edd
  SHA1      9138c9d1fa8452a2c6dee503e527f3fb1767157d
  SHA256    22ec77a8ac77600735920d2929af6308bb5724b42b4a26e6e2951feccb150938
  SHA512    228438937462972dea0326da04fa895198547c93baf85174f1dd65f48f522252d285c43df72aee5a5d1cc573d02a4a823491145234031898a6f4f425df091f6b

(path not shown)
  Filesize  1KB
  MD5       3b4a695d0fe0115b44d5f8647a1e1cd3
  SHA1      1c946fd4d37c315112ad9f301470e613b6a93b2e
  SHA256    5d29e560e13bafaf67e7f52ee6cf99d4c7b8fe7643e49f71f20d6c5088256b28
  SHA512    80de52aa37ef9e7ed9d7c8f8b848bf39007347470feb605b882653feb0eae15fbaa519a53c72a88ca5a6b035d94ab7e11b0ac40ea67d42371c520483c4b565e9

(path not shown)
  Filesize  1KB
  MD5       47b50b004417d7f250400f2f8bba7472
  SHA1      d6436e8e698afd752c6a8a1511a15ffabab91366
  SHA256    052dc7a8f47cf7bf8d1e5a7e87b560518fe5a89eb7b3a0d7b460a08812d55c72
  SHA512    4df30c1286841d61bd3c8bf4e677cebe9005b43675d4f0ea284f71c019e9832a6339af339ffb72153398c4db7109b8e6c50ee9051d67a8826f53abab1d534863

(path not shown)
  Filesize  4KB
  MD5       df85eee82084e137c1997a69156f8339
  SHA1      2f98f41e0941729887edc81b9fbd6510f3707d7c
  SHA256    bb4f8690f9b91b84704b7fdf4dd44ebe32ecb1ffebe42c92cba1b2e509e42aa7
  SHA512    2ec428bc2b1b54221e9c65afbd593f63ac22e218451ec929b8339805d81b0c3af2057fd0059d7ce132b354a57ed3ea27399ad82f50b3e3d528b381454f7bcddf

(path not shown)
  Filesize  4KB
  MD5       30a7f20115eba42526ae0b308f03388b
  SHA1      d1347cf7c00b4df9e514d468ccc97dfa4be66747
  SHA256    2bcf61056f4a106321300d1da289513c86c435e6a6a66d2ff3623adaecaf9c3f
  SHA512    534cea6075cf30a98700109ce984e2ef5d2f0f4ec2cb88069dd00341a6cc20549e9d716a5e3c2ceedd81a6c20962128e3a5c08f3915306a0e913cc691cefc434

(path not shown)
  Filesize  4KB
  MD5       d17ece4441b4b2c0d3fdd1a5ce6faa04
  SHA1      8e9b26422148707b42c27987d93a2760fcb67b3b
  SHA256    eea341e6caa1e03a4673d6a3c3e18ca3c6d2f0e529fe3282273087e3b4ebabd0
  SHA512    0fdc4129e3409a1ed2d1786efe4d1bfbcf839225bc78863c5a5aeaa0cff0d72e08bb61b3725f40801242148a68e07d140028515b67be97d596be4aa28a0a42bd

(path not shown)
  Filesize  143KB
  MD5       6ec142eff5e9e1a662009b1f95898862
  SHA1      4670cc9d5f5914010daa6f6e4c948e29efa440b8
  SHA256    333a5a5d4040346904c2c19c0224919c382af4d9082fd58769f9e8c08d225390
  SHA512    b33e2f572a7866d2fbf54f55378913c382c31e900204d19ae68f62d2d99126363052c9858b698496928a5be34e185e0da70511403134294b2684be8827e7a87c