Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
208s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
04/09/2023, 02:26
General
-
Target
https://snip.ly/xc1vok
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://snip.ly/xc1vok1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a51846f8,0x7ff9a5184708,0x7ff9a51847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3628 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,8210965372525831069,4876053119889208994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3316 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD529e414757ec5f96753331ee050189d4e
SHA11e77a6b0e6d4a9236ff7bf4d70cd5bc3552716dd
SHA256ad7db569f6f5cd84623a76c82eb816e86b4cf01753f353a5746a4907fff326cf
SHA5124be7a1fdf2440637d9230c389d475af184e6f5599f0bb5547fce31f3a23a1c439746d433402243574a83f25ad9b8e4e1152578a37bdfce80a840baf7a2d68ea5
-
Filesize
20KB
MD5ec9b878f22e07c765e9a0d551d0232c9
SHA142d0cbb9b6cb85ac2655adc711c3f5dd344bf743
SHA2568b4c707b438f74e3e7afa3e675e9c71c3ef2063a04050669c99ee818ecccb16d
SHA512c5f9b8d0880801f883169159b5dd3c231e9ef7dbf63d2d8efe93247b96ad73d335fb87c4fe05a1b5567835a29c33af47745885c8f294b9ebe96d268373305fa7
-
Filesize
168B
MD5dafda17f490a3f3d40e1bedbcfcb9cdb
SHA11e215062fcd36cf96af7fc4aa08377e468bffeca
SHA256ebfd6abb22ba361b8bf4912fb8bf49d308d7cc420dc97950237ce804fe4a75e0
SHA512f77cf39445f70731ec707075508e311671181536bfd59871fcfdcdd6a1462211580f1aa6e69ae13e7ea6a690c8fe5e2f8ff92b2bd7e7679e5d536faa053037d5
-
Filesize
168B
MD526f310e3df06ca647b1a4af6678b2865
SHA124d03349f825b82c570230ddcb973df280638078
SHA256b1ef598cd534a862a3c1ade780a971ce36383d79e8a35d58b28ac9ea3b8dd2e5
SHA5121befb50b79f11e5e0d4fbde5b248595872cea6ef34bff3f40b0259a91b837c996f464f65f3b6b92a9aaa5ab1acdc7990f31e7a389bc032c3fa9fac603cdebc26
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
850B
MD56d59b2f9a2fed71ff7409c651b51cd24
SHA1e349fb1905be023c735081c462e61004260dc950
SHA2565218bcddc8da843a652d802c4c89d9245c5cb154608a613cfe071a426156535f
SHA5120c7728923a6ff97ccefe52ae88c897353585c2e20a879ac54a391ff711d3eaf6f38039dbdf5e446cce911a53ffcf6f16d8ecc7405d715a326e1eebf0aaddc3e7
-
Filesize
880B
MD559424f15c39b49e9b7ce212087312b86
SHA1b9658e4987fcd31ce32aecf8383c3c497f29d811
SHA2560ff53035ad980e62d596ac0420d74d5912beecb9b5e8168f1c36b321b5aaf095
SHA512596a5272e9187182d415f32fdc4e2cc875d577d4c6748c4282f43b7cd4110461657eec7a8d92e9ecae7fe559e7123ffec2217b32ad4358d2de0a1fc60d18a406
-
Filesize
5KB
MD55094c74caa34431ff38423336ab2be23
SHA15c55a31c86098cc74929846111973d5ea294c7ae
SHA256a07e0790995b1f6f73c9ecae524e1115fbafaa1825eda73a9133ea5ab76243fa
SHA51252fbfdde9b8cd62a780c99e4ade13577f56e82b6882c54f7060c1145ef6b75decf656d66ce524cfb787c35f92e188cc4466e7e216afe947734ed8d8b7deb7b58
-
Filesize
8KB
MD5f4583eae73625a00a53f4c0956c5069c
SHA1406a7939fa056d235c4ef79630717cef8085b0b0
SHA256156ee31b5d6f14e9b20cc732be0773f18ea26d92b9b559b6825bb4f908aae0fa
SHA5128a3dcc116e7b6cc539cd21a1cc04060032b36cac76796e5b5dfd5fd702861d473d0a58fcbe0ab12f57d02a6d9b4fb46cf3b6f65b60b216f919c86f5fa85e6fa1
-
Filesize
5KB
MD556bd9f894e2fcd321f329d5df0dc356a
SHA1d7b2d36a1a71f4d3cede2611d78147c0aa75e6c2
SHA2565d76ae2f164ed35b003ff8ff09c41a317a907006e0ce83951f0e4d6ed204e3f3
SHA51206c75ad457ce5b7744f433f707bde27e207e413198ce0d393be834b423092d1ae25c6b02b90728fd7e669e29f607c90cc79bb840427aa2f1d96b2bad92ad378c
-
Filesize
8KB
MD5033a9b59c50a945cf5018b9526017ab8
SHA167ba281497ee05c488c9dd6f600f4bf139291162
SHA256b0723331cbfd45c3cf942d2dc1a4a631ac4a476e7afe6efe072721252df74b65
SHA51230ffe4d8915733c7eb910f578898b657c3ae644e50fdd053f0c495e79e8072cd8af5a10ffcdd95278943783baea1bcffb675e76e553459d394f142adcbbe39ae
-
Filesize
8KB
MD55eeb7b56a9cd02223ed5d2b3ceb66a03
SHA179b3eee0cbe2a7096d47432950221538cf92b934
SHA25699f3713765d4c5c25e7df02604dd5063e4d59121a7272bd5ff62bc6ccb577133
SHA512a3f7c14575d235c908ce50640fe77d72100bad269d6afd0ed123a05f89c014128ad0f595f5f5b5ccd0d353f73b1972085c875a8267c7057b2b5a263e88a5fcd5
-
Filesize
24KB
MD543062664ec19c0b51b85145d0df5968a
SHA151a8415751c5103768f8302b0db9a6e563dfbf35
SHA256096da77cb8fa554dae9cc74c6e391a48cbc4099da3c5b00a51b2d238b94b35d7
SHA51286b899a78d0e0d57f80830fedb400b09655ace63ee931f0af70e95b796544f012465d12f0f659fc264280f68dca7525c6b634d794bed422df3be2d7a09763ef0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5cbe7f347839437fe5aa0da54fed0b78b
SHA10a7cd900955236a8b3c8fac48ab72978e27d6da4
SHA2564edd581694ba4f8529a8904494a98f992244b2daf769d749205bf3139799ab75
SHA512b2afcf3e34b6f3d0092d070ef8fe22875c7515556c36c2a3ed8f5ae5b4c0b55a0ce4ef9598f734a3bc15d6769cda3e0d2330fdb5221f69e8c63a1b604f0121f3