Analysis

  • max time kernel
    201s
  • max time network
    203s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11/12/2023, 09:42

General

  • Target

    https://drive.google.com/file/d/1--eFHjVR8C3-OkQ7pH_X_YACQfod_rQ2/view?usp=drive_link

Score
10/10

Malware Config

Signatures

  • Detected google phishing page
  • Downloads MZ/PE file
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Drops file in Windows directory (6 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: MapViewOfSection (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (51 IoCs)

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://drive.google.com/file/d/1--eFHjVR8C3-OkQ7pH_X_YACQfod_rQ2/view?usp=drive_link"
    PID:4252
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4680
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      • Modifies Internet Explorer settings
      PID:8
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5016
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5048
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:2256
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:1044
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      PID:2272
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4776
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      PID:2460

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W67BKC2B\edgecompatviewlist[1].xml

      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G2NNCXF3\cb=gapi[2].js

      Filesize

      77KB

      MD5

      f0377dab468c45f81be3f8a3fc6eb479

      SHA1

      a8d281261d168c996a08091d17a8dbe879910ee8

      SHA256

      df9a73036272bc6608881ae0f033ea819c228da01b8c3035cc1f46fc4c54b0b4

      SHA512

      bfb8d92df1ec111fd2373276de0e1efa96e48600805a8689830f36c2bfe2e39a0822752de40bd694a86257e0c1325ea240a406775e411cdcb43780ccf57b9b44

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NAGCP3GL\cleardot[3].gif

      Filesize

      43B

      MD5

      fc94fb0c3ed8a8f909dbc7630a0987ff

      SHA1

      56d45f8a17f5078a20af9962c992ca4678450765

      SHA256

      2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

      SHA512

      c87bf81fd70cf6434ca3a6c05ad6e9bd3f1d96f77dddad8d45ee043b126b2cb07a5cf23b4137b9d8462cd8a9adf2b463ab6de2b38c93db72d2d511ca60e3b57e

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VU9ZLFN0\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WS0OTOLM\drive_2020q4_32dp[2].png

      Filesize

      831B

      MD5

      916c9bcccf19525ad9d3cd1514008746

      SHA1

      9ccce6978d2417927b5150ffaac22f907ff27b6e

      SHA256

      358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50

      SHA512

      b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WS0OTOLM\drive_2022q3_32dp[1].png

      Filesize

      1KB

      MD5

      c66f20f2e39eb2f6a0a4cdbe0d955e5f

      SHA1

      575ef086ce461e0ef83662e3acb3c1a789ebb0a8

      SHA256

      2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

      SHA512

      b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

      Filesize

      4KB

      MD5

      1bfe591a4fe3d91b03cdf26eaacd8f89

      SHA1

      719c37c320f518ac168c86723724891950911cea

      SHA256

      9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

      SHA512

      02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFE6F8C1F2713E37B3.TMP

      Filesize

      24KB

      MD5

      a26db0e57836506851666c3159c4bc16

      SHA1

      69954d060fe172c49dea057ad6ddaf4d633e11f0

      SHA256

      7b4487592d643b58814851189d052fe6b69ccc965b679a7ec9caef1833d86f56

      SHA512

      459fe7d379f3e35d88840a5e7b47dbf8c79029b9c34266bc98ed5d42ecac3651bb8b6b85902d3aa6e871551a508e65499d9519a9c6eb3b89297375257c0910b9

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NAGCP3GL\xampp-windows-x64-8.2.12-0-VS16-installer.exe[1].1

      Filesize

      42KB

      MD5

      eae68687352a39082ed266f3dd344e81

      SHA1

      301fae5961c4191f41634a8dd9e54ba42f860587

      SHA256

      76dc875e859a5a50455af88cf7e1ad59cf27149eac552002b3983a573c2f9a05

      SHA512

      4f12d5218f639957782aa3bde796f51b4bec7007f9b93a0816444e91e2158fd4025dd924b6dc28e3432d810c082d36c02d8a7a45d0de19b4db31256ca41a36c7

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

      Filesize

      1KB

      MD5

      d62ee607524cd6ac5e14e1e27a8cc35a

      SHA1

      988dcd74be95ac4ea1847da51b9c1aa3c786f839

      SHA256

      038c9d31c45b2406d65c721eb0e04ff57c76510d974d640b6eb851ea6531115b

      SHA512

      9bdac7e32d4b7412fe3b5b8d540d2ef8a904f02f90dff6f267a542fcba4a64de3f04e517481e1b67e6bfd39aee9a8ee7d243ac0f83a2eaca9d33b9083c16dc5b

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

      Filesize

      724B

      MD5

      ac89a852c2aaa3d389b2d2dd312ad367

      SHA1

      8f421dd6493c61dbda6b839e2debb7b50a20c930

      SHA256

      0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

      SHA512

      c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96

      Filesize

      471B

      MD5

      bb6f7cb0560aa31970d2993dfee19c05

      SHA1

      71190ab273003edb61a2f742cc2c580da52b692a

      SHA256

      a181ca8eee71b93a132f181bc7279b18ec65477a164878e5339841f1802e1acb

      SHA512

      92ca4ed00d6a3f1a78f1e73345060a63ae4df65566ded85c08183a933e6b6753b76e27e7169a64aec3541eaea964b45eac37c66044fa029d4c18316cf9841f00

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C7CF4FA7BCF717E50C9341D69112D7D7

      Filesize

      472B

      MD5

      55d617fc286187fdb5548d244325f604

      SHA1

      452b41d10c561f076e825cdb6faf0ef131d7253d

      SHA256

      dc097ab713611cd2b661de88d3388fb72e3c68358b36393905f7c125a62c5a50

      SHA512

      bc2f43200a75a753d7d9c61dbf351c5816a8b28656dfb943a95f72616d5d71daa716d74cb8fdfc5a87d2249d0290f5db80b0c2468f1e632352caa3929f95c212

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

      Filesize

      410B

      MD5

      7129eb1885b5c441edb3d91ce2c7ab0a

      SHA1

      bdde8ff5bce5460fcae6f48956d8dc11cea3d7f8

      SHA256

      8094944fbaeb94427d37bc4fea5fd9661ae78b0ab71863311630ad6ab76508c1

      SHA512

      1d00702d948427d9ed7345c047e963047447225dafe4f85598311b36d6e4fc6b70d4b170f7e2b6666c56da6a0a7cc73000b3599799f2563b2135b8c2aac44377

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

      Filesize

      392B

      MD5

      969982b4a76a4136ca2bf4fa60896eca

      SHA1

      6d54630ac8264f6d765c8406c29fa1c67581d8a4

      SHA256

      e6e9104f44965f4f407dca42824e906f7aa63945a76386c8af1eace7f1ff1553

      SHA512

      7641ea0b45b6760a75ac1da62ea4e8f657c69487720735a23cd4a9b1a5423417945e626c12f1e8c6f3536ff7e924ac2f3c26bfa867ae2d62c4a960ae0f811d3e

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96

      Filesize

      406B

      MD5

      fcea1d1dcf7d7a6d1bd489e51a263436

      SHA1

      a10a30d7a086d8042fd5d51951a32e103029f8d9

      SHA256

      f76a264c7743f51635e27c781fff40279f094508d5d139c61d416e74ab374de9

      SHA512

      6670fc25c8db1d475799839e2b93b08e5e494588265b166b497703deb7a20452db735390904e99660c49a67f542d4e0264054c02122f0076edd7c11a90bfe326

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C7CF4FA7BCF717E50C9341D69112D7D7

      Filesize

      402B

      MD5

      e1a6025087a1ad1181a5977b908d075f

      SHA1

      4a28185e7dc29f306a0384e22f1f232cbd2b5a8c

      SHA256

      0a2ae2abc4fe3c4b78bed25bf45827629b7f07f676b17d97728494a369d2e5d5

      SHA512

      be80a2a8dc48663d36bfed793cb07cc1dd2e3330747aa83cb0f7a3808cf7a42068e009fdbd001d74d9fd512c6f4919227ce71f48ca92a81a3e6d4aca5ddd2445

    • memory/2256-225-0x000002A8C9E30000-0x000002A8C9E32000-memory.dmp

      Filesize

      8KB

    • memory/2256-371-0x000002A8B78F0000-0x000002A8B7900000-memory.dmp

      Filesize

      64KB

    • memory/2256-316-0x000002A8CABF0000-0x000002A8CABF2000-memory.dmp

      Filesize

      8KB

    • memory/2256-323-0x000002A8CAD70000-0x000002A8CAD72000-memory.dmp

      Filesize

      8KB

    • memory/2256-326-0x000002A8CADB0000-0x000002A8CADB2000-memory.dmp

      Filesize

      8KB

    • memory/2256-329-0x000002A8CADC0000-0x000002A8CADC2000-memory.dmp

      Filesize

      8KB

    • memory/2256-332-0x000002A8CADE0000-0x000002A8CADE2000-memory.dmp

      Filesize

      8KB

    • memory/2256-335-0x000002A8CB200000-0x000002A8CB202000-memory.dmp

      Filesize

      8KB

    • memory/2256-338-0x000002A8CB260000-0x000002A8CB262000-memory.dmp

      Filesize

      8KB

    • memory/2256-341-0x000002A8CB280000-0x000002A8CB282000-memory.dmp

      Filesize

      8KB

    • memory/2256-360-0x000002A8CB2E0000-0x000002A8CB2E2000-memory.dmp

      Filesize

      8KB

    • memory/2256-363-0x000002A8CB800000-0x000002A8CB803000-memory.dmp

      Filesize

      12KB

    • memory/2256-366-0x000002A8CB850000-0x000002A8CB852000-memory.dmp

      Filesize

      8KB

    • memory/2256-368-0x000002A8B78F0000-0x000002A8B7900000-memory.dmp

      Filesize

      64KB

    • memory/2256-369-0x000002A8B78F0000-0x000002A8B7900000-memory.dmp

      Filesize

      64KB

    • memory/2256-311-0x000002A8CAA90000-0x000002A8CAA92000-memory.dmp

      Filesize

      8KB

    • memory/2256-305-0x000002A8CA590000-0x000002A8CA592000-memory.dmp

      Filesize

      8KB

    • memory/2256-292-0x000002A8CCD00000-0x000002A8CCE00000-memory.dmp

      Filesize

      1024KB

    • memory/2256-238-0x000002A8C9EB0000-0x000002A8C9EB2000-memory.dmp

      Filesize

      8KB

    • memory/2256-230-0x000002A8C9E50000-0x000002A8C9E52000-memory.dmp

      Filesize

      8KB

    • memory/2256-82-0x000002A8B78D0000-0x000002A8B78F0000-memory.dmp

      Filesize

      128KB

    • memory/2256-132-0x000002A8B74A0000-0x000002A8B74A2000-memory.dmp

      Filesize

      8KB

    • memory/2256-126-0x000002A8CA900000-0x000002A8CAA00000-memory.dmp

      Filesize

      1024KB

    • memory/2256-123-0x000002A8CA900000-0x000002A8CAA00000-memory.dmp

      Filesize

      1024KB

    • memory/2256-110-0x000002A8CA700000-0x000002A8CA800000-memory.dmp

      Filesize

      1024KB

    • memory/2256-94-0x000002A8D15C0000-0x000002A8D15E0000-memory.dmp

      Filesize

      128KB

    • memory/2256-92-0x000002A8CC3E0000-0x000002A8CC3E2000-memory.dmp

      Filesize

      8KB

    • memory/2256-88-0x000002A8C9E80000-0x000002A8C9E82000-memory.dmp

      Filesize

      8KB

    • memory/2256-86-0x000002A8C9A60000-0x000002A8C9A62000-memory.dmp

      Filesize

      8KB

    • memory/4680-0-0x000001B89FD20000-0x000001B89FD30000-memory.dmp

      Filesize

      64KB

    • memory/4680-35-0x000001B8A0460000-0x000001B8A0462000-memory.dmp

      Filesize

      8KB

    • memory/4680-16-0x000001B8A0600000-0x000001B8A0610000-memory.dmp

      Filesize

      64KB
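    The Downloads list above mixes routine Edge cache entries (edgecompatviewlist, cleardot.gif, Drive icons, CryptnetUrlCache files written by CryptoAPI during certificate chain checks) with a single executable, the cached XAMPP installer entry (42KB as cached), and then a long run of memory regions from PID 2256, which the process tree identifies as one of the MicrosoftEdgeCP.exe content processes. The region name memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp encodes the address range, so the stated Filesize can be checked against end - start. The Python below is an added triage helper written for this page, not code from tria.ge: it parses a constructed sample of four entries copied from this report (label and value on consecutive lines; the parser skips the blank lines the page puts between them), separates executables from cache noise, and verifies each memory region's size. The extension list used for "executable" and the stripping of the cache suffixes "[n]" and ".n" are assumptions of this example.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied from this report's Downloads list.
# The page separates label and value with blank lines; the parser skips blanks, so
# the sample is written compactly here.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W67BKC2B\edgecompatviewlist[1].xml
  Filesize
  74KB

• C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NAGCP3GL\xampp-windows-x64-8.2.12-0-VS16-installer.exe[1].1
  Filesize
  42KB
  MD5
  eae68687352a39082ed266f3dd344e81
  SHA256
  76dc875e859a5a50455af88cf7e1ad59cf27149eac552002b3983a573c2f9a05

• memory/2256-225-0x000002A8C9E30000-0x000002A8C9E32000-memory.dmp
  Filesize
  8KB

• memory/2256-292-0x000002A8CCD00000-0x000002A8CCE00000-memory.dmp
  Filesize
  1024KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".sys", ".cpl"}  # triage list, an assumption


@dataclass
class Artifact:
    path: str
    fields: dict = field(default_factory=dict)  # label -> value, e.g. "MD5" -> digest


def parse_report(text):
    """A bullet line opens an artifact; a bare label line pairs with the next non-blank line."""
    artifacts, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current, pending = Artifact(path=line[2:]), None
            artifacts.append(current)
        elif line in LABELS:
            pending = line
        elif current is not None and pending is not None:
            current.fields[pending] = line
            pending = None
    return artifacts


def parse_size(text):
    """'42KB' -> 43008, '43B' -> 43. The page rounds, so treat file sizes as approximate."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def base_name(path):
    """'x.exe[1].1' -> 'x.exe': drop the IE/Edge cache index '[n]' and a trailing '.n'
    (heuristic: a file genuinely named 'foo.7' would lose its suffix)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"\.\d+$", "", re.sub(r"\[\d+\]", "", name))


def memory_region(path):
    """(pid, seq, start, end) for a memory/... entry, else None."""
    m = MEM_RE.match(path)
    return None if not m else (int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16))


def triage(artifacts):
    """Executables worth pivoting on versus browser cache noise (memory regions excluded)."""
    hits, noise = [], []
    for a in artifacts:
        if memory_region(a.path) is None:
            ext = os.path.splitext(base_name(a.path))[1].lower()
            (hits if ext in PE_EXTENSIONS else noise).append(a)
    return hits, noise


def check_memory_sizes(artifacts):
    """(path, stated, computed, ok): does Filesize equal end - start from the region name?"""
    results = []
    for a in artifacts:
        region = memory_region(a.path)
        if region is not None:
            stated, computed = parse_size(a.fields["Filesize"]), region[3] - region[2]
            results.append((a.path, stated, computed, stated == computed))
    return results


if __name__ == "__main__":
    arts = parse_report(SAMPLE)
    for a in triage(arts)[0]:
        print("EXECUTABLE", base_name(a.path), a.fields.get("SHA256"))
    for path, stated, computed, ok in check_memory_sizes(arts):
        print("MEM", path, stated, computed, "OK" if ok else "MISMATCH")
```

    Run against the full listing, the only entry that lands in the executable bucket is the XAMPP installer, whose MD5/SHA256 are the hashes worth pivoting on; everything else in the file list is what Edge writes when it renders a Google Drive page. The memory check passes for the regions on this page (for example 0x000002A8C9E30000 to 0x000002A8C9E32000 is 0x2000 bytes, the stated 8KB), which is a cheap way to confirm the dump list was not truncated or mislabelled before spending time on the dumps themselves.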