Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

URLScan

urlscan

1

https://www.mediafir...

windows10-1703-x64

7

Analysis

  • max time kernel
    124s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/07/2023, 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.mediafire.com/file/xka3lmz39autezv/Passw0rd_1122_To_Open_Archive.rar/file

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://www.mediafire.com/file/xka3lmz39autezv/Passw0rd_1122_To_Open_Archive.rar/file
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4896
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4144
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • NTFS ADS
    PID:3952
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3364
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1744
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2140
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3936
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:5060
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4172
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30187:120:7zEvent10077
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4948
    • C:\Users\Admin\Downloads\Main_Installer.exe
      "C:\Users\Admin\Downloads\Main_Installer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3772
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:3032
    • C:\Users\Admin\Downloads\Main_Installer.exe
      "C:\Users\Admin\Downloads\Main_Installer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4000

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KFR0RUGG\edgecompatviewlist[1].xml
      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\Z51TN6D3\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF373DE7FAF45D6E56.TMP
      Filesize

      24KB

      MD5

      e5cca2c43d245482efc1514874878988

      SHA1

      8cce95651dce71c8e72dc691386d63f795365310

      SHA256

      12499815ae68e0e4de394281bc30846aa5d5b808eefb0f9aa13098d195b55264

      SHA512

      110f6ffb1e40244270a8ad94d5ae2c5d05da64f760b58dde2c2f1fd77844c340c2eebda77a665a427629776958428fbfb9b8326039adc9900c90c497d0923bdc

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NBRUO1UD\Passw0rd_1122_To_Open_Archive[1].rar
      Filesize

      656KB

      MD5

      ea82f9910f004386fbb04b9cd19a1155

      SHA1

      e36b5b58cfb2c7400fc188956125686db4e1398d

      SHA256

      96f344090cd7d2883dbecfd1ffe6ed0b0cae85e80f1d8c7d4fa7727a95df7586

      SHA512

      9c4daf4b24116d39a253c375ca8a8b406f36b607f02620aa4562610b704a39c80947c7b7666f0d09fc96482c30ceb5c2c4738dff7a945d6279e917a37646904f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1bocfhv.mzn.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\Downloads\Main_Installer.exe
      Filesize

      25.9MB

      MD5

      82d1f7c60f69ab61e6d05a3a42fc5015

      SHA1

      96a6230ea47a8d07fe0bd906c2d795ff3bbf9a63

      SHA256

      47cbe3756ff1fd9b0af43c434830ee25f0c562f3b899a75db36828d6fa0acf16

      SHA512

      229c12da8d4ae34602afe00aca5e6eacc95adf8bb636c8de43cf665ce27b060b3cc10a4997276b2464848cf53b63c2b33227779372e379e648f53ea2f4b14c2c

      Download Submit

    • C:\Users\Admin\Downloads\Main_Installer.exe
      Filesize

      25.9MB

      MD5

      82d1f7c60f69ab61e6d05a3a42fc5015

      SHA1

      96a6230ea47a8d07fe0bd906c2d795ff3bbf9a63

      SHA256

      47cbe3756ff1fd9b0af43c434830ee25f0c562f3b899a75db36828d6fa0acf16

      SHA512

      229c12da8d4ae34602afe00aca5e6eacc95adf8bb636c8de43cf665ce27b060b3cc10a4997276b2464848cf53b63c2b33227779372e379e648f53ea2f4b14c2c

      Download Submit

    • C:\Users\Admin\Downloads\Main_Installer.exe
      Filesize

      25.9MB

      MD5

      82d1f7c60f69ab61e6d05a3a42fc5015

      SHA1

      96a6230ea47a8d07fe0bd906c2d795ff3bbf9a63

      SHA256

      47cbe3756ff1fd9b0af43c434830ee25f0c562f3b899a75db36828d6fa0acf16

      SHA512

      229c12da8d4ae34602afe00aca5e6eacc95adf8bb636c8de43cf665ce27b060b3cc10a4997276b2464848cf53b63c2b33227779372e379e648f53ea2f4b14c2c

      Download Submit

    • C:\Users\Admin\Downloads\Passw0rd_1122_To_Open_Archive.rar
      Filesize

      21.3MB

      MD5

      2b3d3bcf435c1400b8a85945d6fe2d15

      SHA1

      3bebb6f972cb8090b2c883fd534e259ecb9883d7

      SHA256

      2665c55ee0796f4954a237dc213e413dd961fd43821a40f7df5674c9a33e2e47

      SHA512

      4e369a5013acc73d9155923359f0557c42cc3d322c0af3ac830e9d68f943b76307968d22554a77cc4f3ed838df7cd1710d29730a73349c009f2cdb6a9fee50dc

      Download Submit

    • C:\Users\Admin\Downloads\Passw0rd_1122_To_Open_Archive.rar
      Filesize

      21.3MB

      MD5

      2b3d3bcf435c1400b8a85945d6fe2d15

      SHA1

      3bebb6f972cb8090b2c883fd534e259ecb9883d7

      SHA256

      2665c55ee0796f4954a237dc213e413dd961fd43821a40f7df5674c9a33e2e47

      SHA512

      4e369a5013acc73d9155923359f0557c42cc3d322c0af3ac830e9d68f943b76307968d22554a77cc4f3ed838df7cd1710d29730a73349c009f2cdb6a9fee50dc

      Download Submit

    • C:\Users\Admin\Downloads\Passw0rd_1122_To_Open_Archive.rar.u7ac1mn.partial
      Filesize

      21.3MB

      MD5

      2b3d3bcf435c1400b8a85945d6fe2d15

      SHA1

      3bebb6f972cb8090b2c883fd534e259ecb9883d7

      SHA256

      2665c55ee0796f4954a237dc213e413dd961fd43821a40f7df5674c9a33e2e47

      SHA512

      4e369a5013acc73d9155923359f0557c42cc3d322c0af3ac830e9d68f943b76307968d22554a77cc4f3ed838df7cd1710d29730a73349c009f2cdb6a9fee50dc

      Download Submit

    • memory/1744-211-0x000001D2FC540000-0x000001D2FC542000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-215-0x000001D2FC580000-0x000001D2FC582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-217-0x000001D2FC640000-0x000001D2FC642000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-219-0x000001D2FC660000-0x000001D2FC662000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-213-0x000001D2FC560000-0x000001D2FC562000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-209-0x000001D2FC530000-0x000001D2FC532000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-207-0x000001D2FC4B0000-0x000001D2FC4B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2140-276-0x000002B3EF5C0000-0x000002B3EF651000-memory.dmp

      Filesize

      580KB

      Download

    • memory/3772-320-0x00007FFBB0120000-0x00007FFBB0122000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3772-321-0x00007FF6358F0000-0x00007FF63835D000-memory.dmp

      Filesize

      42.4MB

      Download

    • memory/3952-308-0x000001BB81810000-0x000001BB818A1000-memory.dmp

      Filesize

      580KB

      Download

    • memory/4144-194-0x000001A674C40000-0x000001A674C42000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4144-175-0x000001A676200000-0x000001A676210000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4144-159-0x000001A675A20000-0x000001A675A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-126-0x000001ECAD730000-0x000001ECAD752000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4896-131-0x000001ECABD90000-0x000001ECABDA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-130-0x000001ECABD90000-0x000001ECABDA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-129-0x000001ECC5DA0000-0x000001ECC5E16000-memory.dmp

      Filesize

      472KB

      Download