Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 23/11/2023, 20:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bancaenlinea-bantrabgt--leduardoqpita.repl.co/espere.html
Resource: win10v2004-20231023-en
General
Target: https://bancaenlinea-bantrabgt--leduardoqpita.repl.co/espere.html
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                      process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process
  1288   msedge.exe (x2)
  4768   msedge.exe (x2)
  3064   identity_helper.exe (x2)
  2432   msedge.exe (x4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid    process
  4768   msedge.exe (x6)
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    process
  4768   msedge.exe (x25)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid    process
  4768   msedge.exe (x24)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid    process      procid_target
  PID 4768 wrote to memory of 2612   4768   msedge.exe   73   (x2)
  PID 4768 wrote to memory of 1308   4768   msedge.exe   84   (x40)
  PID 4768 wrote to memory of 1288   4768   msedge.exe   85   (x2)
  PID 4768 wrote to memory of 1936   4768   msedge.exe   86   (x20)
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 4768)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bancaenlinea-bantrabgt--leduardoqpita.repl.co/espere.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2612)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6f0e46f8,0x7ffc6f0e4708,0x7ffc6f0e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1308)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1288)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1936)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3928)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4432)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 4840)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2, PID 3064)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1900)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3052)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3208)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3924)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2432)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15039773126360607893,8247930644122168253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 2088)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 2040)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads