Analysis
max time kernel: 76s
max time network: 86s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/09/2023, 16:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://outlook.officee5.zya.me/
Resource: win10v2004-20230915-en
General
Target: http://outlook.officee5.zya.me/
Malware Config
Signatures
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
27    ipinfo.io
29    ipinfo.io
30    api.ipify.org
26    api.ipify.org
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1996  msedge.exe
1996  msedge.exe
224   msedge.exe
224   msedge.exe
2840  identity_helper.exe
2840  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid  Process
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid  Process
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid  Process
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
224  msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                      pid  Process     procid_target
PID 224 wrote to memory of 1396  224  msedge.exe  43
PID 224 wrote to memory of 1396  224  msedge.exe  43
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 4008  224  msedge.exe  88
PID 224 wrote to memory of 1996  224  msedge.exe  87
PID 224 wrote to memory of 1996  224  msedge.exe  87
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
PID 224 wrote to memory of 4908  224  msedge.exe  89
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://outlook.officee5.zya.me/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 224
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05c946f8,0x7ffa05c94708,0x7ffa05c94718
    PID: 1396
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1996
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    PID: 4008
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    PID: 4908
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    PID: 3384
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
    PID: 2872
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
    PID: 4676
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2840
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    PID: 4140
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    PID: 4804
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    PID: 5072
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4006774963672567127,11209058446536697114,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
    PID: 3988
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 896
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5092
Network
MITRE ATT&CK Enterprise v15
Downloads