Resubmissions
- 16/05/2023, 20:56  230516-zq4aqsce86  score 1
- 16/05/2023, 20:55  230516-zqq1eabf7z  score 1
- 16/05/2023, 20:51  230516-znevcsbf61  score 1
Analysis
- max time kernel: 1800s
- max time network: 1803s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2023, 20:56
Static task: static1
URLScan task: urlscan1
Behavioral task behavioral1: sample https://lol.zip/, resource win10-20230220-en
Behavioral task behavioral2: sample https://lol.zip/, resource win7-20230220-en
Behavioral task behavioral3: sample https://lol.zip/, resource win10v2004-20230220-en
General
- Target: https://lol.zip/
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133287441895001745" (chrome.exe)
S-1-5-19 is the LOCAL SERVICE account's hive, and the value is a Windows FILETIME (100 ns ticks since 1601-01-01) that decodes to 2023-05-16 20:56:29 UTC, which matches the submission timestamp of this run.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 5036 chrome.exe (2 entries)
- PID 2424 chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- PID 5036 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 5036 chrome.exe, all 64 entries, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 5036 chrome.exe, all 64 entries
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 5036 chrome.exe, all 24 entries
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is PID 5036 chrome.exe writing to the memory of one of its child processes (procid_target in parentheses); the entries repeat per target:
- 3012 (84)
- 2896 (85)
- 3128 (86)
- 1384 (87)
Processes
- PID 5036: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lol.zip/
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Children (image C:\Program Files\Google\Chrome\Application\chrome.exe in every case):
  - PID 3012: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffde5189758,0x7ffde5189768,0x7ffde5189778
  - PID 2896: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:2
  - PID 3128: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:8
  - PID 1384: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:8
  - PID 4932: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:1
  - PID 1544: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:1
  - PID 4176: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:8
  - PID 1660: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:8
  - PID 4872: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2784 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:1
  - PID 2424: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4656 --field-trial-handle=1816,i,7877567127453866702,7024756185818168666,131072 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 2600: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
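The process list above is Chrome's ordinary multi-process layout, and every signature fires on the browser process itself (the --simulate-outdated-no-au switch on the root is the sandbox's own launch option, not something the page did). What is worth pulling out for triage is which children ran with the sandbox switched off (--service-sandbox-type=none on the NetworkService, ProcessorMetrics and UtilWin utility processes, --disable-gpu-sandbox on the second GPU process, whose --use-gl=disabled looks like Chrome's software fallback inside a VM, although the report does not say so) and which image is not chrome.exe (elevation_service.exe). The script below is an added example, not part of the tria.ge report or of Triage's tooling. It parses rows in the report's `<image>"<command line>"<depth>⤵PID:<pid>` layout, rebuilds parent/child links from the depth markers and flags those cases. The rows are re-typed from this report with the opaque --gpu-preferences, --field-trial-handle and --initial-client-data values dropped; the regex switch parser is my own simplification and does not handle quoted values containing spaces, which is fine for the switches it inspects.

```python
import re

# Constructed input: the process rows of this report, re-typed in the
# report's own <image>"<command line>"<depth>⤵PID:<pid> layout. Opaque
# values (--gpu-preferences, --field-trial-handle, --initial-client-data)
# are left out, and the two root processes get their PID on the same row,
# where the report prints it on the following line.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ELEVATION = r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
REPORT_ROWS = r'''
CHROME"CHROME" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lol.zip/1⤵PID:5036
CHROME"CHROME" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:72⤵PID:3012
CHROME"CHROME" --type=gpu-process --mojo-platform-channel-handle=1764 /prefetch:22⤵PID:2896
CHROME"CHROME" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none /prefetch:82⤵PID:3128
CHROME"CHROME" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility /prefetch:82⤵PID:1384
CHROME"CHROME" --type=renderer --first-renderer-process --lang=en-US --renderer-client-id=6 /prefetch:12⤵PID:4932
CHROME"CHROME" --type=renderer --lang=en-US --renderer-client-id=5 /prefetch:12⤵PID:1544
CHROME"CHROME" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none /prefetch:82⤵PID:4176
CHROME"CHROME" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none /prefetch:82⤵PID:1660
CHROME"CHROME" --type=renderer --disable-gpu-compositing --lang=en-US --renderer-client-id=9 /prefetch:12⤵PID:4872
CHROME"CHROME" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 /prefetch:22⤵PID:2424
ELEVATION"ELEVATION"1⤵PID:2600
'''.replace("CHROME", CHROME).replace("ELEVATION", ELEVATION)

# image path up to the first quote, then the command line, then the single
# digit tree depth fused to it (the page shows "/prefetch:22⤵" for depth 2).
ROW_RE = re.compile(r'^(?P<image>[^"]+)"(?P<cmd>.*)(?P<depth>\d)⤵PID:(?P<pid>\d+)$')
# Simplified switch parser (assumption): values stop at the first space,
# so quoted paths with spaces are truncated; the switches we need are plain.
SWITCH_RE = re.compile(r"--([\w-]+)(?:=(\S+))?")


def parse_rows(text):
    """Turn report rows into dicts with pid, parent, type, sub-type and sandbox setting."""
    procs, last_at_depth = [], {}
    for row in text.strip().splitlines():
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row[:60]}")
        depth, pid = int(m["depth"]), int(m["pid"])
        image = m["image"]
        cmd = m["cmd"].rstrip().rstrip('"')
        switches = dict(SWITCH_RE.findall(cmd))
        # Chrome's browser process is the only chrome.exe without --type.
        ptype = switches.get("type") or (
            "browser" if image.lower().endswith("chrome.exe") else "no --type")
        sandbox = switches.get("service-sandbox-type")
        procs.append({
            "pid": pid,
            "parent": last_at_depth.get(depth - 1),  # depth 1 rows have no parent
            "image": image,
            "type": ptype,
            "subtype": switches.get("utility-sub-type", ""),
            # absence of the switch means Chrome's default policy for that type,
            # which the command line does not reveal
            "sandbox": sandbox or "default",
            "unsandboxed": sandbox == "none" or "disable-gpu-sandbox" in switches,
        })
        # a new row at this depth closes any deeper subtree
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]
        last_at_depth[depth] = pid
    return procs


def unsandboxed_children(procs):
    """PIDs of child processes whose command line explicitly disables the sandbox."""
    return sorted(p["pid"] for p in procs if p["parent"] is not None and p["unsandboxed"])


def non_chrome_images(procs):
    """PIDs whose image is anything other than chrome.exe."""
    return sorted(p["pid"] for p in procs if not p["image"].lower().endswith("chrome.exe"))


def children_of(procs, parent_pid):
    return sorted(p["pid"] for p in procs if p["parent"] == parent_pid)


def describe(p):
    kind = p["type"] + (f"/{p['subtype']}" if p["subtype"] else "")
    flag = " UNSANDBOXED" if p["unsandboxed"] else ""
    return f"{p['pid']:>5} parent={p['parent']} {kind} sandbox={p['sandbox']}{flag}"


if __name__ == "__main__":
    procs = parse_rows(REPORT_ROWS)
    for p in procs:
        print(describe(p))
    print("explicitly unsandboxed children:", unsandboxed_children(procs))
    print("non-chrome images:", non_chrome_images(procs))
```

Run against the rows above it lists four children with the sandbox explicitly off (1660, 2424, 3128, 4176) and one non-Chrome image (2600); the same parser works on any tria.ge process list pasted in that layout, because the depth digit is always the last character before the arrow.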
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\224bb2a1-c704-4cd1-8681-31c3aeba67f7.tmp
  Filesize: 5KB
  MD5: 769336e57bbc6ad905d870eadbc99c54
  SHA1: c89b94bb2cb5c425a69e88aa6a5986a7be534daf
  SHA256: d6f89d61a18669d26d12560d60589d180c9306158c0bb6eb3cee76497bf6f9dd
  SHA512: 4da68d69e81fb607fb967199f5b3365649f0f4a72bf82e8e91e613f5e278008a4d2226896187624521c41ec38e97adb37eaf7df17c3b7704a53d203d4572e2af
- (path not listed)
  Filesize: 812B
  MD5: 74d3220485d2eb6a3495218e898e7c74
  SHA1: 11f5bf9745b32b78a4631ac97dbc176fa555f566
  SHA256: eebbf2cd8f4fbc660b8c5ab38a0837e328f2cf06dcea7f26dc1432f13d5f98bc
  SHA512: 416b247d109df8164aa92cd5f520e277500b539624fdee38edf937456a43cc9cae3fa1897b0d0fcdb26384e691b0d5879d4a2b26f61fb89a39007d92eb3db63a
- (path not listed)
  Filesize: 5KB
  MD5: 6bd27fd929a43ddee2be492142c4b60d
  SHA1: 2b73164195715ca196048fc0fe13bc273c9b466a
  SHA256: df0e5f8df5583a2feb96e0de4f847a0c6c2b0b62211b87caa38ed97f18c96777
  SHA512: dcae0ba54d0c822440f7c3c1bef4d8abb5cdec61990dcbb300164abdcd48f74ae00b064fd725d62cbcffdc96db180c3f913dd7dc2ac21e834c20ad147af16953
- (path not listed)
  Filesize: 5KB
  MD5: 058d872f75b38de934c5a893fa836a1d
  SHA1: f395849877d3cfe528a4f4dd2f5c4cbdf7131ece
  SHA256: fdf9fcb76ff091d6407344e8b07a51d9c69ab87b747cd62a1f5aaa40b8609a8b
  SHA512: a2510f377d4f1b1aa8ea0e6a90f36a19d465fadbb5089cf868209ba5e08c0d23b90ea703b16e2be501c9241ca3683fee6ef795218d4bee52ea22d2298ee42206
- (path not listed)
  Filesize: 150KB
  MD5: 9aab69a74a4c20daaeb68a55b41e3857
  SHA1: db093eb6860c4885337a6139a2ed8be5195db52b
  SHA256: d6b6abb62d24b9c2beb79f9902b70198254d621f79dd1c52b42a286a4e6f5c37
  SHA512: 24e74e321c3e269e5d7ccde5a6ac7c5f7b90eed35ee289e017d85e7b5da47649214ce88e956c1639a222ba1008cb3a8a79561c50ffb436bbb6fb7cad1c85e286
- (path not listed)
  Filesize: 150KB
  MD5: ce14c1ad2a02687f3a68ecb07cb6045d
  SHA1: 359e967dfcdf79a081c20fa9e82c4211b5da366e
  SHA256: b20cec5fcc5a2730cd183bd341ffbe56335447ab6e9167789513f0684b47bff7
  SHA512: f1dac9351f5b5bcb5c5bdfb2adc7365cda75c8b3921345b830088bca9b8df4e364124739ef37d95dcc9d8a4fb91244fbc0c7d5d640456dc632b717e18ba58b66
- (path not listed)
  Filesize: 2B (these are the digests of the two bytes `{}`, an empty JSON object)
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
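A check a practitioner would run on a Downloads list like this one is to recompute the digests of a candidate file and compare every listed algorithm, rather than trusting one of them; the 2-byte entry above is a convenient case, since its digests are those of `{}`. The script below is an added example, not code from tria.ge. It parses a Downloads entry in the fused `LabelValue` layout this page was extracted in (the entry is copied from the report), validates digest lengths so that `SHA1`, `SHA256` and `SHA512` labels cannot be confused, and compares each reported digest with the ones computed from candidate byte strings; only `hashlib` from the standard library is used, and the candidate inputs are constructed here.

```python
import hashlib
import re

# Constructed input: the last Downloads entry of this report, copied in the
# fused "LabelValue" layout the page extraction produced.
REPORT_ENTRY = """\
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
"""

# hex length of each digest, used to reject mislabelled or truncated values
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# longest label first so "SHA512..." is never read as "SHA1" + "512..."
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_entry(text):
    """Return {'md5': hex, 'sha1': hex, ...} from one Downloads entry."""
    found = {}
    for line in text.splitlines():
        m = LABEL_RE.match(line.strip())
        if not m:
            continue  # 'Filesize' and size lines carry no digest
        algo, hexdigest = m.group(1).lower(), m.group(2).lower()
        if len(hexdigest) != HEX_LEN[algo]:
            raise ValueError(
                f"{algo} digest has {len(hexdigest)} hex chars, expected {HEX_LEN[algo]}")
        found[algo] = hexdigest
    return found


def digests(data):
    """Compute all four digests of the given bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def compare(data, reported):
    """Per-algorithm True/False for every digest the report lists."""
    actual = digests(data)
    return {algo: actual[algo] == reported[algo] for algo in reported}


def identify(candidates, reported):
    """Name of the first candidate whose digests all match the report, else None."""
    for name, data in candidates.items():
        if all(compare(data, reported).values()):
            return name
    return None


if __name__ == "__main__":
    reported = parse_entry(REPORT_ENTRY)
    # The 2-byte file is "{}"; a trailing newline changes every digest.
    candidates = {"{}": b"{}", "{} + newline": b"{}\n", "[]": b"[]"}
    for name, data in candidates.items():
        print(f"{name!r:16} {compare(data, reported)}")
    print("matched:", identify(candidates, reported))
```

The length check matters more than it looks: a SHA-1 value that happens to start with `2` would otherwise be accepted under a `SHA12…` label by a naive prefix match, and a copy-paste that drops a character would silently compare against the wrong string.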