Analysis
max time kernel: 123s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/06/2023, 21:14
Static task: static1
Behavioral task: behavioral1
Sample: mrinfo.exe
Resource: win10v2004-20230621-en
General
Target: mrinfo.exe
Size: 636KB
MD5: ed8a02662e0a07f949837fba2ef9b9a1
SHA1: 68083ab97cba9c8937ad43d09fd843d973d0fad4
SHA256: 635535006c48140282f0ed1e7925958c171e97b9dcf03a17d00bd771412d5f30
SHA512: 51c7340933e0bb44721bf93642a47eb4331fbf64cc951d61dc90451a76f102c7df5a2b6edbbf20eeae46791aa7721e8e0918af23a0c5006b69a742a94d6c874a
SSDEEP: 12288:Yy22wXB2TkGoKHmeT6KbvOoQ9JS88vS57GTSireo2YDMIkm70Ott2Y:YDDXwTkGPHpcoQR57u5Dd2Y
Malware Config
Signatures
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
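Added example, not code from the tria.ge report or from the sample: the three signatures above describe registry reads that a sandbox-aware sample performs, so this block performs the same reads (the key paths are the ones the report lists) and applies the substring matching that turns the returned values into a "this is a virtual machine" decision. Two caveats the report supports: every one of these reads is attributed to taskmgr.exe or msedge.exe, both top-level processes in the tree rather than children of mrinfo.exe, and Task Manager's performance view displays exactly the processor name and disk names, so these hits are expected from it; and the disk path in the report, Disk&Ven_DADY&Prod_HARDDISK, carries no hypervisor vendor string, so the check below does not flag the sandbox. The VM_MARKERS list and the CPU/BIOS values in the main block are assumptions (the report names the keys queried but not the data returned); the live read runs only on Windows.

```python
# Added example (not from the tria.ge report or the sample). Performs the registry
# reads the report's three "registry" signatures describe and applies hypervisor
# string matching to the results. Key paths: from the report. VM_MARKERS and the
# CPU/BIOS sample values below: assumptions.
import sys

# HKLM subkeys named in the report's IoC column.
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"

# Assumed marker substrings (lower-case). "virtual" is included because it catches
# VMware's "Virtual disk" and Hyper-V's "Virtual Machine", at the cost of false
# positives on physical hosts exposing e.g. a "Microsoft Virtual DVD-ROM".
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "kvm",
              "hyper-v", "bochs", "virtual")


def looks_virtual(value: str) -> bool:
    """True if any marker appears in the value (case-insensitive)."""
    v = (value or "").lower()
    return any(m in v for m in VM_MARKERS)


def parse_scsi_instance(path: str) -> dict:
    """Split a device instance path such as
    'Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000' into its fields:
    {'type': 'Disk', 'instance': '4&215468a5&0&000000', 'ven': 'DADY', 'prod': 'HARDDISK'}."""
    device_id, _, instance_id = path.partition("\\")
    fields = device_id.split("&")
    info = {"type": fields[0], "instance": instance_id}
    for field in fields[1:]:          # Ven_XXX, Prod_YYY, ...
        key, _, value = field.partition("_")
        info[key.lower()] = value
    return info


def fingerprint(scsi_paths, cpu_name, bios_manufacturer, bios_product):
    """Return the values that betray a VM; an empty list means 'looks physical'."""
    findings = []
    for path in scsi_paths:
        dev = parse_scsi_instance(path)
        for field in ("ven", "prod"):
            if looks_virtual(dev.get(field, "")):
                findings.append(f"scsi {field}={dev[field]}")
    if looks_virtual(cpu_name):
        findings.append(f"cpu={cpu_name}")
    if looks_virtual(bios_manufacturer):
        findings.append(f"bios_manufacturer={bios_manufacturer}")
    if looks_virtual(bios_product):
        findings.append(f"bios_product={bios_product}")
    return findings


def read_live_values():
    """Windows only: the same reads the report attributes to taskmgr.exe/msedge.exe,
    returned as (scsi_paths, cpu_name, bios_manufacturer, bios_product)."""
    import winreg  # local import: the module does not exist off Windows
    hklm = winreg.HKEY_LOCAL_MACHINE

    def value(subkey, name):
        with winreg.OpenKey(hklm, subkey) as k:
            return winreg.QueryValueEx(k, name)[0]

    scsi_paths = []
    with winreg.OpenKey(hklm, SCSI_ENUM_KEY) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):          # device IDs
            device_id = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, device_id) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):   # instance IDs
                    scsi_paths.append(device_id + "\\" + winreg.EnumKey(dev, j))
    return (scsi_paths,
            value(CPU_KEY, "ProcessorNameString"),
            value(BIOS_KEY, "SystemManufacturer"),
            value(BIOS_KEY, "SystemProductName"))


if __name__ == "__main__":
    # SCSI path taken from the report; CPU and BIOS strings are constructed values.
    report_values = ([r"Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"],
                     "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz", "Dell Inc.", "OptiPlex 7060")
    print("report values:", fingerprint(*report_values) or "no VM markers")
    if sys.platform == "win32":
        print("this host:", fingerprint(*read_live_values()) or "no VM markers")
```

Run it on an analysis VM to see which of your own strings would give the box away; the SCSI device ID is the one most sandboxes forget to change, because it is assigned by the disk driver rather than by SMBIOS.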
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | rows
1548 | mrinfo.exe | 8
3224 | msedge.exe | 2
1656 | taskmgr.exe | 54
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1548 | mrinfo.exe
Token: SeDebugPrivilege | 1656 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1656 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1656 | taskmgr.exe
Suspicious use of FindShellTrayWindow (48 IoCs)
pid | Process | rows
4888 | msedge.exe | 1
1656 | taskmgr.exe | 47
Suspicious use of SendNotifyMessage (47 IoCs)
pid | Process | rows
1656 | taskmgr.exe | 47
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1548 wrote to memory of 796 | 1548 | mrinfo.exe | 8   (the same row, repeated 64 times)
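The 64 rows above are one event repeated: mrinfo.exe (PID 1548, the only process besides Task Manager that enabled SeDebugPrivilege) writing into the DcomLaunch svchost.exe (PID 796). The trailing 8 is the report's own process index, not a PID; the target PID is the 796 in the description, which the process list resolves to svchost.exe, a top-level process and not a child of the sample. Repeated writes into an already-running service host of a different image are the shape of process injection rather than of child-process creation, but the report does not show what was written, so treat it as a lead for memory forensics rather than a verdict. (The sample also shares its name with the Windows multicast-routing utility mrinfo.exe, but runs from %TEMP%; the hashes above, not the name, identify it.) The following is an added triage helper, not code from tria.ge: it parses the flattened rows of this signature and of the AdjustPrivilegeToken signature exactly as they appear on the page, collapses them into one finding per source/target pair, and resolves the target PID and parent relationship through the report's process list. The row regexes and the "injection-like" rule are assumptions derived from the rows above, not a tria.ge export format.

```python
# Added example (not from tria.ge). Parses the flattened WriteProcessMemory and
# AdjustPrivilegeToken rows as printed in the report and collapses them into one
# finding per source/target pair. Regexes and the verdict rule are assumptions.
import re
from collections import Counter, defaultdict

# "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# "Token: <privilege> <pid> <image>"
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")


def parse_writes(text):
    """Counter keyed by (src_pid, src_image, dst_pid, procid_target)."""
    return Counter((int(src), image, int(dst), int(target))
                   for src, dst, _pid, image, target in WRITE_RE.findall(text))


def parse_tokens(text):
    """{(pid, image): set of privileges the process enabled}."""
    privs = defaultdict(set)
    for priv, pid, image in TOKEN_RE.findall(text):
        privs[(int(pid), image)].add(priv)
    return privs


def triage(write_text, token_text, pid_to_image, parent_of):
    """One finding per (source, target) pair. A write into a process the source did
    not itself spawn, with a different image, by a process holding SeDebugPrivilege,
    is labelled 'injection-like'; everything else is left for manual review."""
    findings = []
    privs = parse_tokens(token_text)
    for (src, src_image, dst, target_idx), n in sorted(parse_writes(write_text).items()):
        dst_image = pid_to_image.get(dst, "unknown")
        cross_image = dst_image != src_image
        target_is_child = parent_of.get(dst) == src
        has_debug = "SeDebugPrivilege" in privs.get((src, src_image), set())
        findings.append({
            "source": f"{src} {src_image}",
            "target": f"{dst} {dst_image}",
            "procid_target": target_idx,
            "count": n,
            "cross_image": cross_image,
            "target_is_child": target_is_child,
            "source_has_debug": has_debug,
            "verdict": "injection-like" if cross_image and not target_is_child and has_debug
                       else "review",
        })
    return findings


# Constructed from the page: the WriteProcessMemory row repeated 64 times, the four
# AdjustPrivilegeToken rows, and PID -> image / child -> parent from "Processes"
# (top-level processes such as 796, 1548 and 1656 have no recorded parent).
WRITE_ROWS = "PID 1548 wrote to memory of 796 1548 mrinfo.exe 8 " * 64
TOKEN_ROWS = ("Token: SeDebugPrivilege 1548 mrinfo.exe "
              "Token: SeDebugPrivilege 1656 taskmgr.exe "
              "Token: SeSystemProfilePrivilege 1656 taskmgr.exe "
              "Token: SeCreateGlobalPrivilege 1656 taskmgr.exe")
PROCESSES = {796: "svchost.exe", 3316: "CompPkgSrv.exe", 1548: "mrinfo.exe",
             4888: "msedge.exe", 1584: "msedge.exe", 3256: "msedge.exe",
             3224: "msedge.exe", 2128: "msedge.exe", 1804: "svchost.exe",
             1656: "taskmgr.exe"}
PARENTS = {3316: 796, 1584: 4888, 3256: 4888, 3224: 4888, 2128: 4888}

if __name__ == "__main__":
    for f in triage(WRITE_ROWS, TOKEN_ROWS, PROCESSES, PARENTS):
        print(f"{f['verdict']}: {f['source']} -> {f['target']} x{f['count']} "
              f"(procid_target {f['procid_target']}, child={f['target_is_child']})")
```

The parent map matters more than the image comparison: a parent writing into a child it has just created (Edge into its own utility processes, for instance) produces the same signature and is benign, which is why the rule requires the target not to be the source's child.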
Processes
(children indented under their parent; signature hits listed with "-" under each process)

C:\Windows\system32\svchost.exe -k DcomLaunch -p    PID:796
    C:\Windows\System32\CompPkgSrv.exe -Embedding    PID:3316

"C:\Users\Admin\AppData\Local\Temp\mrinfo.exe"    PID:1548
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault252183dfhc83dh4212ha9c0h870aa22b2ceb    PID:4888
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffbcdf046f8,0x7ffbcdf04708,0x7ffbcdf04718    PID:1584
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4601591223846566860,15813645100881855548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2    PID:3256
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4601591223846566860,15813645100881855548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3    PID:3224
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,4601591223846566860,15813645100881855548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8    PID:2128

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService    PID:1804

"C:\Windows\system32\taskmgr.exe" /4    PID:1656
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 152B
MD5: c032c944f0c68db2f9bc2541ba822212
SHA1: a829f6cf1e7f3f796eeb68ef3525d7f3d177a38a
SHA256: 1b4b0d7b255a79089375c9c200df8f48c8536ec99752f877e9090af9dd8e4127
SHA512: cc22cf70c068f1b5c518a8d3302cbb5a79a66929488cd34939f7743aaa999cba091f182701cdda5872b6b93cf89d396b809b0b7f6f2d5f6e7ad1b5102623cf7e

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 2KB
MD5: d641f25f1f899dec25bbfa9b8f9f57ae
SHA1: efc76848cd52a148bd577710271b9f108a459c13
SHA256: 8ed35447ee3fe2d790adaf3d538ba134f97c68eeb133d3ea4aef0ff9d0ce3c0a
SHA512: c130590635e75b605b4cf5e1802de9d0b0fe0bcecf3c5a0580f7253df391218f951a09738a81ef57259e58b94b6f543e8a9a7ae66ec2d14509fecb1d104d80f0

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 3KB
MD5: 3df88353d9cab0e33fff588b4ca67a0e
SHA1: c82eecd9b99e438f961bb590a7257cf4a1e7d97e
SHA256: 6439642e141b0b82e39321e2e072bc5f60ba45973ae24bb66cc2a1505b97da73
SHA512: a221747b66ce1c386ec00d0063bffe082b3d4d851fa21af8cbba86a4438f1a5d26bcc93d1377dfd248f226f0cc290479beec29e6f348edcc3d94132aa637447c

Filesize: 3KB
MD5: 5f2de31b93a6171d9e31ccbaf9a3cec2
SHA1: e615d3062ef8306d042c2a8f90a496eba88c9005
SHA256: ad7923a16ec93db9cafa910138efe850640c68c06b109e2e1bd2169ac42b1203
SHA512: 73d425cd7f475cde19635a0055ed4b835f18512d32360022be38beb76d3d8bed79cb5ced6be62e2babbd54978ab44a8ead82c7f1aeca49c4d4fa012de1928b15