Analysis
max time kernel: 181s
max time network: 219s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 16:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://itctransco.com:2096/?goto_app=ContactInfo_Change
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: https://itctransco.com:2096/?goto_app=ContactInfo_Change
  Resource: win10v2004-20231215-en
General
Target: https://itctransco.com:2096/?goto_app=ContactInfo_Change
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  4484  msedge.exe (2 entries)
  4956  msedge.exe (2 entries)
  4864  identity_helper.exe (2 entries)
  2524  msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid   Process
  4956  msedge.exe (all 9 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  4956  msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  4956  msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 4956 wrote to memory of 3336   4956  msedge.exe  90  (2 entries)
  PID 4956 wrote to memory of 1700   4956  msedge.exe  92  (repeated entries)
  PID 4956 wrote to memory of 4484   4956  msedge.exe  91  (2 entries)
  PID 4956 wrote to memory of 2648   4956  msedge.exe  93  (repeated entries)
  (64 entries in total; the 1700 and 2648 rows account for the remaining 60)
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://itctransco.com:2096/?goto_app=ContactInfo_Change
  PID: 4956
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad51446f8,0x7ffad5144708,0x7ffad5144718
    PID: 3336

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    PID: 4484
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    PID: 1700

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    PID: 2648

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    PID: 2844

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    PID: 2252

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    PID: 3900

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    PID: 4212

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    PID: 4492

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
    PID: 3980

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
    PID: 4592

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
    PID: 4864
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    PID: 2216

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
    PID: 656

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    PID: 228

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5932 /prefetch:2
    PID: 2524
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1749415005753469676,6304960528534968121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
    PID: 2548

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 388

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3404
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: fa070c9c9ab8d902ee4f3342d217275f
SHA1: ac69818312a7eba53586295c5b04eefeb5c73903
SHA256: 245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7
SHA512: df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 5KB
MD5: ae1f9d7223eeb528c3788ee152196c86
SHA1: 00dab8152407691602053dd24309ead093ec0cbf
SHA256: 73d9433a3d03c204f8558619ecd04079278841846df73496bd1529adb9ab1640
SHA512: 427b5839a4ae078fa412c75866c948765c353b7e5733b1fd9da3bc1a18ad0237dc7a4e9e7ec4d093b85e0434c5eb238f5318edeea816ab91922a516fa4ac7b3f

Filesize: 5KB
MD5: 56323e4e5e234c227d648125d1ed2418
SHA1: 5238c97bb1420bc9600549ea7495c041cb89ba9e
SHA256: b96e207b63b9515dfd1d306a379799f36b3211c599771ad42b0e6b744f4919b6
SHA512: 3b9d9bda22165a393413837f4847664c9e229386fe90d28b2f0a51404bab60e0976fc86250cf616fb655efa622270be391539e987c10ceb91b4ce7b74d8fdea9

Filesize: 5KB
MD5: 0f25386339069e3caae5427461e5d8b6
SHA1: 6c0aff80115aa1512d9997096b5790caeed9420f
SHA256: 4dbb839321b73c75ba0203e91f9c4d77a7240b8bf9cf9e1b98a34253a36c8971
SHA512: 1d671e0524282308dcbe1eea374924698b1bef737074fe88b103ad5766c5c7f0d8cdf97c3638eedd52fa5db3d0b855d836dadf50092e0cb3ffcdec7828ba8091

Filesize: 24KB
MD5: 917dedf44ae3675e549e7b7ffc2c8ccd
SHA1: b7604eb16f0366e698943afbcf0c070d197271c0
SHA256: 9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37
SHA512: 9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 88c622a0efa71a815da8b4315fae698f
SHA1: b223e290d83144e0014b865f6baab4c9496c4a24
SHA256: 7c8ea8b1e186183d06813996eb119ee7c1114a273bc754da8c83edde92bd0a65
SHA512: 1eb54ae4b83cc539d6c9b7ec16a20e64f2cd3f728f0c9c410d7c8e98c2a0200e9f0039c9c837d6f1185bcfd7530c1b9b0a611aeaeb04339a175df4b58579903b

Filesize: 3KB
MD5: 2948cd4111372f14e604d3d8552a3988
SHA1: 19d9a8ce180e18a62b60e663f1006963db152c41
SHA256: 9ecc849897dacf3456924d20e48573e8bb2191c5806a8e201bcb10dd71916285
SHA512: 2198ce862038cabec0e63e46c01806fabfcae87453f577de045807333dedc036a44f67f2c44853adda284a043125517afa2485c3dd21e3d385c2110c7eadadaa