Analysis

max time kernel:  146s
max time network: 148s
platform:         windows10-2004_x64
resource:         win10v2004-20231020-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted:        23/10/2023, 06:24
Tasks

Static task:     static1
URLScan task:    urlscan1
Behavioral task: behavioral1

Sample:   http://www.myregistry.com/EmailAction.aspx?type=GiftPurchasedConfirmationVisitorNoOrderNumber&ctx=NhpEf_iFVNGC6_zBLghVDriyj8YqDb2ZLsXYVOexL8aPwG35sKacjsQ0fdQS3yHgKeFqATIkmJZZi4AKa8zSexjZqzktoi9VV5fJW-Mjj1SCbFp5IfgI9ZNJ_MmLSEbhKuq6U_ppAZ5UfZ0N3BLPvw2&tid=5UEPU56b3pdgI4LS1YrcLw2&cmd=Redirect&redirect=hxxps%3A%2F%2Fmapformation.com%2FP1kS2ato.php
Resource: win10v2004-20231020-en
General

Target: http://www.myregistry.com/EmailAction.aspx?type=GiftPurchasedConfirmationVisitorNoOrderNumber&ctx=NhpEf_iFVNGC6_zBLghVDriyj8YqDb2ZLsXYVOexL8aPwG35sKacjsQ0fdQS3yHgKeFqATIkmJZZi4AKa8zSexjZqzktoi9VV5fJW-Mjj1SCbFp5IfgI9ZNJ_MmLSEbhKuq6U_ppAZ5UfZ0N3BLPvw2&tid=5UEPU56b3pdgI4LS1YrcLw2&cmd=Redirect&redirect=hxxps%3A%2F%2Fmapformation.com%2FP1kS2ato.php
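The submitted URL is a myregistry.com endpoint whose query string carries cmd=Redirect and a redirect= parameter pointing at a different host (mapformation.com; the sandbox has defanged that inner URL as hxxps). A redirector on a well-known sender's domain with an attacker-chosen destination is the first thing a triager checks on a URL like this, because mail filters and users see the trusted domain, not the landing host. The following Python is an added example, not part of the tria.ge report or its tooling: it percent-decodes every query parameter (repeatedly, since nested encoding is a common way to hide the destination), undoes the usual defanging, and returns the parameters whose value is an absolute or protocol-relative URL on another site. The REPORT_TARGET constant is the report's Target line verbatim; the "strip a leading www." site comparison is an assumption made for the example, and production code should compare registrable domains using the Public Suffix List instead.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The report's Target line, verbatim; "hxxps" is the sandbox's defanging of the inner URL.
REPORT_TARGET = (
    "http://www.myregistry.com/EmailAction.aspx"
    "?type=GiftPurchasedConfirmationVisitorNoOrderNumber"
    "&ctx=NhpEf_iFVNGC6_zBLghVDriyj8YqDb2ZLsXYVOexL8aPwG35sKacjsQ0fdQS3yHgKeFqATIkmJZZi4AKa8zSexjZqzktoi9VV5fJW-Mjj1SCbFp5IfgI9ZNJ_MmLSEbhKuq6U_ppAZ5UfZ0N3BLPvw2"
    "&tid=5UEPU56b3pdgI4LS1YrcLw2"
    "&cmd=Redirect"
    "&redirect=hxxps%3A%2F%2Fmapformation.com%2FP1kS2ato.php"
)

# Common defanging conventions seen in sandbox and threat-intel output.
_DEFANG_RULES = (
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),   # hxxp:// and hXXps://
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),       # evil[.]example
    (re.compile(r"\[:\]"), ":"),                       # http[:]//
)


def refang(value: str) -> str:
    """Undo defanging so the value can be parsed as a real URL."""
    out = value.strip()
    for pattern, replacement in _DEFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable; a bounded loop defends against pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def site_key(hostname: str) -> str:
    # Assumption for this example: hostnames minus a leading "www." identify a site.
    # Real code should compare registrable domains via the Public Suffix List.
    host = hostname.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_offsite_redirects(url: str) -> list[tuple[str, str]]:
    """Return (parameter, destination) pairs whose value is a URL on another site."""
    parts = urlsplit(url)
    origin = site_key(parts.hostname or "")
    hits = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        candidate = refang(fully_unquote(raw))
        if candidate.startswith("//"):            # protocol-relative destination
            candidate = f"{parts.scheme}:{candidate}"
        try:
            dest = urlsplit(candidate)
        except ValueError:                        # e.g. a malformed IPv6 literal
            continue
        if dest.scheme.lower() not in ("http", "https") or not dest.hostname:
            continue                               # plain token, path, or no host: not a redirect target
        if site_key(dest.hostname) != origin:
            hits.append((key, candidate))
    return hits


def summarize(url: str) -> dict:
    """Origin host plus every off-site redirect found in the query string."""
    return {
        "origin_host": (urlsplit(url).hostname or "").lower(),
        "offsite_redirects": find_offsite_redirects(url),
    }


if __name__ == "__main__":
    print(summarize(REPORT_TARGET))
```

Run against the report's Target the only off-site parameter is redirect, resolving to https://mapformation.com/P1kS2ato.php; that landing host, not myregistry.com, is the one to pivot on in URLScan and proxy logs.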
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs; repeated rows collapsed)
  pid    process               hits
  2944   msedge.exe            2
  4908   msedge.exe            2
  3380   identity_helper.exe   2
  4948   msedge.exe            4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid    process      hits
  4908   msedge.exe   6

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    process      hits
  4908   msedge.exe   25

Suspicious use of SendNotifyMessage (24 IoCs)
  pid    process      hits
  4908   msedge.exe   24

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed)
  pid    process      wrote to memory of   procid_target   hits
  4908   msedge.exe   5000                 18              2
  4908   msedge.exe   1856                 87              40
  4908   msedge.exe   2944                 86              2
  4908   msedge.exe   992                  88              20
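Every IoC in the signature tables comes from msedge.exe or Edge's own identity_helper.exe, and the single WriteProcessMemory source, PID 4908, is the browser process that was launched with --single-argument. The raw export renders these tables as one flattened "pid Process ..." row per signature, which is painful to read at 64 entries. The Python below is an added example, not the report's or the sandbox's code: it parses rows in that flattened form into per-process counts, and joins each WriteProcessMemory target PID to the role that PID has in the process tree (read off the --type= and --utility-sub-type= switches in the Processes section), so that any target that is not one of the browser's own children stands out. The EnumeratesProcesses row is copied from the report; the WriteProcessMemory text is a constructed excerpt of the first rows rather than the full 64-entry table; PROCESS_ROLES is transcribed from the Processes section.

```python
import re
from collections import Counter

# Row text as the flattened "Suspicious behavior: EnumeratesProcesses" table renders it (copied from the report).
ENUMERATES_PROCESSES_ROW = (
    "pid Process 2944 msedge.exe 2944 msedge.exe 4908 msedge.exe 4908 msedge.exe "
    "3380 identity_helper.exe 3380 identity_helper.exe 4948 msedge.exe 4948 msedge.exe "
    "4948 msedge.exe 4948 msedge.exe"
)

# Constructed excerpt of the WriteProcessMemory table (the report's full table has 64 rows).
WRITE_PROCESS_MEMORY_ROW = (
    "description pid Process procid_target "
    "PID 4908 wrote to memory of 5000 4908 msedge.exe 18 "
    "PID 4908 wrote to memory of 5000 4908 msedge.exe 18 "
    "PID 4908 wrote to memory of 1856 4908 msedge.exe 87 "
    "PID 4908 wrote to memory of 2944 4908 msedge.exe 86 "
    "PID 4908 wrote to memory of 992 4908 msedge.exe 88"
)

# PID -> Chromium process role, transcribed from the report's process tree.
PROCESS_ROLES = {
    4908: "browser (main process)",
    5000: "crashpad-handler",
    2944: "utility: network.mojom.NetworkService",
    1856: "gpu-process",
    992: "utility: storage.mojom.StorageService",
}

_PID_IMAGE = re.compile(r"\b(\d+) (\S+\.exe)\b")
_WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+\.exe) (\d+)")


def count_by_process(row_text: str) -> Counter:
    """Collapse a 'pid Process ...' row into {(pid, image): hits}."""
    body = re.sub(r"^\s*pid Process\s*", "", row_text)
    return Counter((int(pid), image) for pid, image in _PID_IMAGE.findall(body))


def write_targets(row_text: str) -> Counter:
    """Collapse a WriteProcessMemory row into {(source_pid, source_image, target_pid): hits}."""
    counts = Counter()
    for src, target, src_again, image, _procid_target in _WRITE_ROW.findall(row_text):
        if src_again != src:            # malformed row: the pid column must repeat the source PID
            continue
        counts[(int(src), image, int(target))] += 1
    return counts


def explain_writes(row_text: str, roles: dict) -> list[dict]:
    """Join each write target to its process-tree role; unknown PIDs are labelled so they stand out."""
    rows = []
    for (src, image, target), hits in sorted(write_targets(row_text).items()):
        rows.append({
            "source": src,
            "image": image,
            "target": target,
            "role": roles.get(target, "UNKNOWN (not in process tree)"),
            "hits": hits,
        })
    return rows


def unexplained_targets(row_text: str, roles: dict) -> list[int]:
    """Target PIDs the process tree does not account for; non-empty means look closer."""
    return sorted({target for (_, _, target) in write_targets(row_text) if target not in roles})


if __name__ == "__main__":
    for pid_image, hits in count_by_process(ENUMERATES_PROCESSES_ROW).items():
        print(pid_image, hits)
    for row in explain_writes(WRITE_PROCESS_MEMORY_ROW, PROCESS_ROLES):
        print(row)
    print("unexplained:", unexplained_targets(WRITE_PROCESS_MEMORY_ROW, PROCESS_ROLES))
```

With the report's process tree supplied, every write target resolves to an Edge child process (crash handler, network service, GPU process, storage service), which is the check that separates a browser bootstrapping its own sandboxed children from a process injecting into something else.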
Processes (indentation shows parent/child depth)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 4908
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.myregistry.com/EmailAction.aspx?type=GiftPurchasedConfirmationVisitorNoOrderNumber&ctx=NhpEf_iFVNGC6_zBLghVDriyj8YqDb2ZLsXYVOexL8aPwG35sKacjsQ0fdQS3yHgKeFqATIkmJZZi4AKa8zSexjZqzktoi9VV5fJW-Mjj1SCbFp5IfgI9ZNJ_MmLSEbhKuq6U_ppAZ5UfZ0N3BLPvw2&tid=5UEPU56b3pdgI4LS1YrcLw2&cmd=Redirect&redirect=hxxps%3A%2F%2Fmapformation.com%2FP1kS2ato.php
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 5000   (crashpad-handler)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ded46f8,0x7ffa8ded4708,0x7ffa8ded4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 2944   (utility: network.mojom.NetworkService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 1856   (gpu-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 992   (utility: storage.mojom.StorageService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 2172   (renderer, client id 5)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 3596   (renderer, client id 6)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   PID 3092   (utility: winrt_app_id.mojom.WinrtAppIdService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   PID 3380   (utility: winrt_app_id.mojom.WinrtAppIdService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 5056   (renderer, instant process, client id 9)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 2900   (renderer, client id 8)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 4336   (renderer, instant process, client id 11)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 4296   (renderer, client id 10)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID 4948   (gpu-process, relaunched with --disable-gpu-sandbox)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10612344712157440556,15689184723727431363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
        Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe   PID 2516
    C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe   PID 1712
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads (file names were not captured in this export; hashes only)

1. Filesize: 152B
   MD5:    6dded92ec95cf9f22410bdeac841a00d
   SHA1:   83c32c23d53c59d654868f0b2a5c6be0a46249c2
   SHA256: 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
   SHA512: e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

2. Filesize: 186B
   MD5:    3d8059f61a5b2423218c447060226374
   SHA1:   e8108ccb97273658e02399503b5e6a8b1017fd5e
   SHA256: b3baa979cca8899f700290fc30645f882021b4f00995f816d06a9e4d49bf6069
   SHA512: e8e5b24ac6af599a138372d311dca412209079dc8d6db6f9b15b987e8c3d7a921952e9786cbc5377e16d961be5c399f9b27a345498243e6d089eec4fdd110fa9

3. Filesize: 111B
   MD5:    285252a2f6327d41eab203dc2f402c67
   SHA1:   acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
   SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
   SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

4. Filesize: 5KB
   MD5:    f7fc54835bcec3be114f68d6b2c74610
   SHA1:   f2892de7e0011c161b04588a2bbdc88ab14bf9aa
   SHA256: 413434ceeba67c5537282eeaac86b396401fadc387e19e38f6c001b0c0128346
   SHA512: 3fcd8c742d79de6a9e54c721da5d28320c544f91198e34cd28e4e87ae8b72536553a6610c48c48e809cce73626aa6e4351556df24907052177051d07b03e6877

5. Filesize: 5KB
   MD5:    7d985195a701632586859b489a85ea3b
   SHA1:   af7069832ad255dc11998b17665088c5d794d56d
   SHA256: 3971e7653c808a192bb01b35d732403429927cc20d8f8820d23bc1a58c5f3e09
   SHA512: e4d97b292ec23a126ba9a3619c080ef70ed2879e486d5f5f784637f13ffeaa94a57b4f5305c13466c647aa179a09b8b8f269e57dba353643db9937e37c089976

6. Filesize: 24KB
   MD5:    e05436aebb117e9919978ca32bbcefd9
   SHA1:   97b2af055317952ce42308ea69b82301320eb962
   SHA256: cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f
   SHA512: 11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

7. Filesize: 16B
   MD5:    6752a1d65b201c13b62ea44016eb221f
   SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
   SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
   SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

8. Filesize: 11KB
   MD5:    692c03a29e16ff733cf9a3efea4acabe
   SHA1:   df10800b36cbac2e0d58f7a1b3425fc0929b6a74
   SHA256: b88b9120966eb9454a301fda9cc8cd3828c3bfc327059d30f7f1dd7d5ed24a87
   SHA512: 06a452b16fb10c061251b0c823612de43e970448327b0d1bd078278aad1b66c6e31eb4775ef061963364c820b824dbef66037c3ac00fbee065d53d38479299cf

9. Filesize: 10KB
   MD5:    2b317fc920797de0ee036ccc0d9853be
   SHA1:   410a71157a672db07e904014eccc57924cffc23e
   SHA256: dc3609a0ff5c7d21be01c789c4cf13e4e1e7f4c5d1c1c157b8dadacf0d05cb5d
   SHA512: 7d9cd21fb399e39d9a3e73d0ab31c85db2a509e348bd2d86071f0b9915cddee231f4f3a60ee7cbd4eef9f364d5b116f0d0266975711ebad2158e16abd10e9dc0