Resubmissions

| Submitted | Analysis ID | Score |
|---|---|---|
| 12/12/2023, 21:30 | 231212-1ckrxabghq | 10 |
| 12/12/2023, 21:29 | 231212-1b6yradea5 | 10 |
| 12/12/2023, 21:29 | 231212-1bwg1sdea2 | 10 |

Analysis
- max time kernel: 28s
- max time network: 30s
- platform: windows11-21h2_x64
- resource: win11-20231129-en
- resource tags: arch:x64, arch:x86, image:win11-20231129-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12/12/2023, 21:30
Behavioral task: behavioral1
- Sample: VERUS_SPOOFER_1.exe
- Resource: win11-20231129-en
General
- Target: VERUS_SPOOFER_1.exe
- Size: 17.7MB
- MD5: d3a14b5f30f3eecfb5e5fde915407483
- SHA1: 9e0c77d22472098bb29f123edf808d431cd6bce8
- SHA256: 6725567ffd26fc65e4e5dd8777b1da7f0688ee1c21caf66f8e85c91f8fdd10fb
- SHA512: 8e0b550011dbf84bd03cf3bc834d73b24dca12a1680f7656023940df53efcde508fc264b8a5d857d7c0a9902cbfce6bd54e3329289ed3ca0067eda230ea7672c
- SSDEEP: 393216:wyqPnLFXlrVgQpDOETgsvfGFwJgw9vE3cxs6LCq:w3PLFXN6QoEdBSHIT
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |

Suspicious behavior: EnumeratesProcesses (6 IoCs)

| pid | Process |
|---|---|
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 3512 | msedge.exe |
| 3512 | msedge.exe |
| 1836 | msedge.exe |
| 1836 | msedge.exe |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)

| pid | Process |
|---|---|
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |

Suspicious use of FindShellTrayWindow (25 IoCs)

| pid | Process |
|---|---|
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |

Suspicious use of SendNotifyMessage (12 IoCs)

| pid | Process |
|---|---|
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |
| 2444 | msedge.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2444 wrote to memory of 3048 | 2444 | msedge.exe | 89 |
| PID 2444 wrote to memory of 3048 | 2444 | msedge.exe | 89 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 860 | 2444 | msedge.exe | 91 |
| PID 2444 wrote to memory of 3512 | 2444 | msedge.exe | 90 |
| PID 2444 wrote to memory of 3512 | 2444 | msedge.exe | 90 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
| PID 2444 wrote to memory of 568 | 2444 | msedge.exe | 92 |
Processes (nested entries are children of the process above them)

- PID 4732: "C:\Users\Admin\AppData\Local\Temp\VERUS_SPOOFER_1.exe"
- PID 4520: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- PID 2444: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3048: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae7b23cb8,0x7ffae7b23cc8,0x7ffae7b23cd8
  - PID 3512: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 860: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  - PID 568: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  - PID 4136: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - PID 5084: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - PID 3320: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  - PID 4344: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  - PID 1836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,9511118352595997770,8474661942224743854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 2384: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 896: C:\Windows\System32\CompPkgSrv.exe -Embedding
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  - MD5: 14e9465c402b5bcca1c1a5dfc22d7d90
  - SHA1: 594df1de88b4a29906adba222e4f86e8883015ee
  - SHA256: 152b5faa97c13b54704dee55ee0a0f0e1b9aec33e899e91a441cbbc9af072ff1
  - SHA512: 4af6de55f21d41cc7c74ba97b6a9ee5ccce89a06139d7fe0b61f3cd7941f17968c17e448aa9f49694fb7efd4bd701e2e689147a2b6867cb2c63d56ccbb3dbd1a
- Filesize: 5KB
  - MD5: 72ff620187620180d67983308d6673a1
  - SHA1: f525d99f5d34018eac6a31c6473c82218cc9f3cb
  - SHA256: 3363b59ef4d73492f493db6ee9e64d615ed0a01f8d21bd2219557e0238c1cd62
  - SHA512: 85864dcd1d46002f719a82704e961cce33f0a8866fb5dbeb0f30f72c91b0102d141998cf0e648e670323a5e5f18b47e2804ac25d7c3180f1e69fa91d69e69e7f