Analysis
- max time kernel: 30s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2023, 12:15
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]
Resource: win10v2004-20230915-en

General
- Target: https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]
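The target above is a Google AMP viewer link: the browser shows www.google.com in the address bar, but the page content comes from the host named after /amp/s/ (https origin) or /amp/ (http origin). The following is an added example, not part of the tria.ge report, that unwraps such a URL so the real origin host can be looked up or blocked. The function names are this example's own; the "[email protected]" token in the sample URL is the page's own obfuscation residue and is kept verbatim.

```python
"""Unwrap a Google AMP viewer URL to the origin it actually loads."""
from urllib.parse import urlsplit, urlunsplit

# Target URL copied from the report; "[email protected]" is the page's own
# obfuscation residue, kept verbatim.
REPORT_TARGET = (
    "https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]"
)


def unwrap_amp(url):
    """Return (origin_url, was_amp_wrapper).

    Google AMP viewer URLs look like
      https://www.google.com/amp/s/<origin-host>/<path>   -> https origin
      https://www.google.com/amp/<origin-host>/<path>     -> http origin
    Anything that is not a google.com /amp/ path is returned unchanged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not (host == "google.com" or host.endswith(".google.com")):
        return url, False
    # Split on "/" and drop empties: this also collapses the doubled
    # "//amp/s/" seen in the sample, which the viewer tolerates.
    segs = [s for s in parts.path.split("/") if s]
    if not segs or segs[0] != "amp":
        return url, False
    segs = segs[1:]
    scheme = "http"
    if segs and segs[0] == "s":
        scheme = "https"
        segs = segs[1:]
    if not segs:
        return url, False
    origin_host = segs[0]
    rest = "/" + "/".join(segs[1:])
    return urlunsplit((scheme, origin_host, rest, parts.query, parts.fragment)), True


def origin_host(url):
    """Host that serves the content, after AMP unwrapping."""
    return urlsplit(unwrap_amp(url)[0]).hostname


if __name__ == "__main__":
    real, wrapped = unwrap_amp(REPORT_TARGET)
    print("AMP wrapper:", wrapped)
    print("origin URL :", real)
    print("origin host:", origin_host(REPORT_TARGET))
```

Run the origin host, not the google.com wrapper, through reputation and blocklist checks; the wrapper host is the same for every AMP link and tells you nothing about the destination.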
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process     entries
  3752  msedge.exe  2
  3816  msedge.exe  2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid   Process     entries
  3752  msedge.exe  8

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process     entries
  3752  msedge.exe  26

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process     entries
  3752  msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with the count of each)
  description                       pid   Process     procid_target  entries
  PID 3752 wrote to memory of 4532  3752  msedge.exe  65             2
  PID 3752 wrote to memory of 4916  3752  msedge.exe  87             40
  PID 3752 wrote to memory of 3816  3752  msedge.exe  86             2
  PID 3752 wrote to memory of 736   3752  msedge.exe  88             20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3752)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com//amp/s/nancyrips.com/rosongd/gdhno/mmnbb/[email protected]
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 4532, crashpad-handler)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1fc746f8,0x7ffe1fc74708,0x7ffe1fc74718
  - msedge.exe (PID 3816, utility: network.mojom.NetworkService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4916, gpu-process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  - msedge.exe (PID 736, utility: storage.mojom.StorageService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  - msedge.exe (PID 220, renderer, client id 5)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  - msedge.exe (PID 2324, renderer, client id 6)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  - msedge.exe (PID 3344, renderer, client id 7)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  - msedge.exe (PID 3384, renderer, client id 8)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  - msedge.exe (PID 1356, renderer, client id 9)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - msedge.exe (PID 3588, renderer, client id 10)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  - msedge.exe (PID 3992, renderer, client id 11)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  - msedge.exe (PID 1120, renderer, client id 12)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,6448041786163041525,14523614688040663767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1212)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3312)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
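Every WriteProcessMemory IoC in the signatures section has the Edge browser process (PID 3752) as the writer and one of its own --type= children (crashpad handler, network and storage utilities, GPU process) as the target, which is how a Chromium browser hands launch data to the children it spawns. The script below is an added example, not part of the tria.ge report, that parses rows in the report's flattened "PID A wrote to memory of B" format, aggregates them per target and checks each target against the process tree, so that a write into a process that is not a same-image Chromium child stands out. The row targeting PID 1212 (CompPkgSrv.exe) is constructed for illustration and does not appear in the report; the function names are this example's own.

```python
"""Parse flattened tria.ge 'Suspicious use of WriteProcessMemory' rows and
check each target PID against the process tree."""
import re
from collections import Counter

# Rows copied from the report's WriteProcessMemory signature (one of each
# target; the report repeats them). The LAST row is CONSTRUCTED for this
# example and is not in the report.
WPM_ROWS = (
    "PID 3752 wrote to memory of 4532 3752 msedge.exe 65 "
    "PID 3752 wrote to memory of 4916 3752 msedge.exe 87 "
    "PID 3752 wrote to memory of 4916 3752 msedge.exe 87 "
    "PID 3752 wrote to memory of 3816 3752 msedge.exe 86 "
    "PID 3752 wrote to memory of 736 3752 msedge.exe 88 "
    "PID 3752 wrote to memory of 1212 3752 msedge.exe 90"   # constructed
)

# PID -> (image, command line), copied from the report's process tree and
# trimmed to the flags this script looks at.
PROCESS_TREE = {
    3752: ("msedge.exe", "--single-argument https://www.google.com/..."),
    4532: ("msedge.exe", "--type=crashpad-handler ..."),
    3816: ("msedge.exe", "--type=utility --utility-sub-type=network.mojom.NetworkService ..."),
    4916: ("msedge.exe", "--type=gpu-process ..."),
    736:  ("msedge.exe", "--type=utility --utility-sub-type=storage.mojom.StorageService ..."),
    1212: ("CompPkgSrv.exe", "-Embedding"),
}

# Matches one flattened row: "PID <src> wrote to memory of <tgt> <src> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_rows(text):
    """Return (source_pid, target_pid, source_image, procid_target) tuples."""
    return [(int(s), int(t), img, int(p)) for s, t, img, p in ROW_RE.findall(text)]


def chromium_role(cmdline):
    """Chromium child role from --utility-sub-type= or --type=, else None."""
    m = re.search(r"--utility-sub-type=(\S+)", cmdline) or re.search(r"--type=(\S+)", cmdline)
    return m.group(1) if m else None


def attribute(rows, tree):
    """Aggregate writes per (source, target). A write is 'expected' when the
    target runs the same image as the writer and carries a Chromium --type
    role; any other target is the one to review."""
    counts = Counter((src, tgt) for src, tgt, _, _ in rows)
    result = []
    for (src, tgt), n in sorted(counts.items()):
        s_img = tree.get(src, ("?", ""))[0]
        t_img, t_cmd = tree.get(tgt, ("?", ""))
        role = chromium_role(t_cmd) if t_img == s_img else None
        result.append({"source": src, "target": tgt, "writes": n,
                       "target_image": t_img, "role": role,
                       "expected": role is not None})
    return result


if __name__ == "__main__":
    for r in attribute(parse_rows(WPM_ROWS), PROCESS_TREE):
        flag = "" if r["expected"] else "  <-- review"
        print(f"{r['source']} -> {r['target']:>5} {r['target_image']:<15} "
              f"{str(r['role']):<32} writes={r['writes']}{flag}")
```

With the report's own rows every target resolves to an msedge.exe child with a --type role, which is why this signature carries no weight on its own for a browser sample; the constructed CompPkgSrv.exe target shows the shape of a row that would.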
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: bf009481892dd0d1c49db97428428ede
  SHA1: aee4e7e213f6332c1629a701b42335eb1a035c66
  SHA256: 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
  SHA512: d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 216B
  MD5: 7cbb58c8fb23932d32cee2da713d3105
  SHA1: d242c89d24e90969430fe73cc2bdcf71de322960
  SHA256: a9149032ab7cf7e871b62ce78a8603de1d284016dc86ebba45ffc7fd1d8feae4
  SHA512: 931a06d5551de2d1741f60317cb827653cd95a0bde0749454438deb2edf299446101c7d93f914d6135460e10750a39475ed02836f48c3d6baef938028235eadd
- Filesize: 1KB
  MD5: 8674fb0a5760db69d68c9263f460b959
  SHA1: 5072014523172b6550a0e223c920ed70c51ecb70
  SHA256: 445f18522729531b31ceeb4c9e71be7d569f273364a5bbc4e1cda5c2c808f53e
  SHA512: 59c054750a54ac430e6bc71926c00de3e7f64cebf1e383b485238b817f827722d1ed0b5a8a5633da514ec1af4eb9b2979921f7fa22ce05c67894b471d0ae2efb
- Filesize: 7KB
  MD5: 6678271182a690f345ea733de952211b
  SHA1: 16a682da35d6ebed055392f7c3e7927c2436e409
  SHA256: 6d5fc9c24823010985e238e99db8083532bcf6225b5e2861e0c56a3fe0dd768b
  SHA512: 7912c62564532473d055194369c4bf473930d816f917ecc433de2b855463042c71d28a87af2d8118bb5d536fa88407f8884e47e55bf290a3d9fcc0c452d45cbb
- Filesize: 5KB
  MD5: fe96cbb959b945778d0f5d237feb30c1
  SHA1: b517cdd588f2805697fe4dd28115d65c61bd2309
  SHA256: 998e7ce25270210313d219c9c55228d3990146dce6ebb7917b1ca6ad118e625b
  SHA512: fb5b33ba28d1802e4ad0de7cf71c3dedbe04ca25368ab7874e4ac3d854f80f870e134956e67cb534824a517b3f93cb5903b98e657ed8b3f194500119c029f01e
- Filesize: 24KB
  MD5: b690c7643af8bf5f3a96b59e33522135
  SHA1: 204ca48a942ecba4d2f2ef844275c3f5905ed453
  SHA256: 4577c23a112c820b430e2b16d0283f4715b06f64164e1e5bf883034a7201c695
  SHA512: f690f6f5cb19c2e7338feda4741c47b107e48e86db530829cff7e4a0737b813051d31625b1f3108bf8a2f496fad14767b6c255bc816a3e8a3bc43d4c2b63036d
- Filesize: 10KB
  MD5: e7e1d0dc9f7999201d2d8aee380cd487
  SHA1: b84393ec0d13a25643d8ab1e8f291b2de390531b
  SHA256: 1c79fa1fc86c253c8ff49be74bb22c188dc69f9c2d85c4189adae59f9d58f5ae
  SHA512: 2416361e947cbbdf8c2409d9ec77e803ca7eaa312292a9cd413ac57ab94dcfc06cc719643eba88352479fb53d66f9818b41d76766155842e4e747119065e4ec3