Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Resubmissions: 04/01/2024, 19:12
Analysis 240104-xw1qpahccp (score 10)

- max time kernel: 116s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2024, 19:12
Tasks

- Static task: static1
- URLScan task: urlscan1
- Behavioral task behavioral1: sample http://youremailonline.com, resource win7-20231215-en
- Behavioral task behavioral2: sample http://youremailonline.com, resource win10v2004-20231215-en

The platform and resource fields above (windows10-2004_x64, win10v2004-20231215-en) identify the results below as those of behavioral2.
General

- Target: http://youremailonline.com
- Malware Config: (none listed)

Signatures
Every IoC in this section is attributed to the Edge browser's own processes (msedge.exe PIDs 1540 and 2716, identity_helper.exe PID 2892); no other image appears in any signature, and every target of the memory writes is itself an msedge.exe process from the Processes section.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                     process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    process
  2716   msedge.exe           (2 rows)
  1540   msedge.exe           (2 rows)
  2892   identity_helper.exe  (2 rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid    process
  1540   msedge.exe           (7 rows)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    process
  1540   msedge.exe           (25 rows)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid    process
  1540   msedge.exe           (24 rows)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid    process      procid_target
  PID 1540 wrote to memory of 4480     1540   msedge.exe   16
  PID 1540 wrote to memory of 2912     1540   msedge.exe   91
  PID 1540 wrote to memory of 2716     1540   msedge.exe   90
  PID 1540 wrote to memory of 5088     1540   msedge.exe   92
  (The table contains 64 rows; each of the four target/procid_target pairs above is repeated many times.)
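The following Python script is an added example, not tria.ge code or output. It re-checks two of the signature hits above, the BIOS registry reads and the WriteProcessMemory rows, against the process context a reviewer would apply by hand: a registry read of the BIOS description key is the signature's literal trigger, and a cross-process write into the writer's own child is what a Chromium-style launcher does at startup. The event tuples and their field layout are constructed to mirror the IoC tables on this page; the extra "Key opened" row under CurrentVersion and the write into PID 3180 are constructed counter-examples that do not appear in the report; the parent map is rebuilt from the Processes section, with PID 4480 treated as a child of 1540 because 1540 writes into it (an assumption; the page lists 4480 at top level).

```python
"""Re-check two tria.ge signature hits from this report against process context.

Added example (not tria.ge code). Event tuples mirror the IoC tables on this
page; their layout and the two counter-example rows are constructed.
"""
from collections import defaultdict

# Registry events from the "Enumerates system info in registry" IoC table:
# (operation, key, process image, pid).  The pid is an assumption: the table
# only names the image, and 1540 is the browser process on this page.
REG_EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", "msedge.exe", 1540),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "msedge.exe", 1540),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "msedge.exe", 1540),
    # Constructed: unrelated registry activity that must NOT match the signature.
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "msedge.exe", 1540),
]

# Cross-process writes from the "Suspicious use of WriteProcessMemory" table:
# (writer pid, writer image, target pid).  The page repeats these four targets
# across 64 rows; the write into 3180 (CompPkgSrv.exe) is constructed and is
# NOT in the report.
MEM_WRITES = [
    (1540, "msedge.exe", 4480),
    (1540, "msedge.exe", 2912),
    (1540, "msedge.exe", 2716),
    (1540, "msedge.exe", 5088),
    (1540, "msedge.exe", 3180),  # constructed counter-example
]

# child pid -> parent pid, rebuilt from the Processes section.  4480 is listed
# at top level on the page; treating it as 1540's child is an assumption.
PARENT = {pid: 1540 for pid in (4480, 2716, 2912, 5088, 2632, 3976, 4476,
                                2892, 4048, 3032, 5104, 3460, 3020)}

BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS"


def bios_enum_hits(events):
    """Return (image, pid, key) for every read of the BIOS description key.

    Registry paths are case-insensitive, so compare upper-cased, and accept
    either the key itself or any value/sub-key beneath it.
    """
    hits = []
    for _op, key, image, pid in events:
        k = key.upper()
        if k == BIOS_KEY or k.startswith(BIOS_KEY + "\\"):
            hits.append((image, pid, key))
    return hits


def classify_writes(writes, parent):
    """Split WriteProcessMemory rows into writes to the writer's own children
    (what a Chromium-style launcher does) and writes into unrelated processes
    (the case that deserves analyst attention)."""
    out = defaultdict(list)
    for writer, image, target in writes:
        bucket = "own_child" if parent.get(target) == writer else "foreign"
        out[bucket].append((writer, image, target))
    return dict(out)


def triage_summary(events, writes, parent,
                   browser_images=("msedge.exe", "identity_helper.exe")):
    """Collapse both checks into what a reviewer wants: how many hits are
    explained by the browser's own process tree, and which are not."""
    reg = bios_enum_hits(events)
    mem = classify_writes(writes, parent)
    return {
        "registry_hits": len(reg),
        "registry_unexplained": [h for h in reg if h[0] not in browser_images],
        "writes_to_own_children": len(mem.get("own_child", [])),
        "writes_to_foreign": mem.get("foreign", []),
    }


if __name__ == "__main__":
    for name, value in triage_summary(REG_EVENTS, MEM_WRITES, PARENT).items():
        print(f"{name}: {value}")
```

On this report's data the registry check fires three times, all from msedge.exe, and every genuine write target is a child of PID 1540; only the constructed write into 3180 ends up in the "foreign" bucket, which is the row an analyst would actually chase.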
Processes

PID 4480: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa5e946f8,0x7ffaa5e94708,0x7ffaa5e94718

PID 1540: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youremailonline.com
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  Child PID 2716: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  Child PID 2912: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

  Child PID 5088: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

  Child PID 2632: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

  Child PID 3976: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  Child PID 4476: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8

  Child PID 2892: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  Child PID 4048: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

  Child PID 3032: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

  Child PID 5104: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

  Child PID 3460: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

  Child PID 3020: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9330268289753004611,14289950164729929370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1

PID 3180: C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1560: C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

- 152B
  MD5: 7a5862a0ca86c0a4e8e0b30261858e1f
  SHA1: ee490d28e155806d255e0f17be72509be750bf97
  SHA256: 92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b
  SHA512: 0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

- 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- 5KB
  MD5: 214a5047eeeb550991d80764462c9386
  SHA1: 6a9985c17481473b3ae0ce67e8c7489c4faf97a2
  SHA256: 24e4ee0980e7f5a3a810fd3d26ff2dadae671c748f987ac164320d9012ab1f88
  SHA512: 609ebc71ffecfa20610d0061305fd5acbeedd71b8e2403e83688ed560ede739baa16aa5901425aca109c527bef759d6060f52132e47aa8d586b7effbbd6af0b9

- 5KB
  MD5: 3f48669cc1b7393691ebc3cf8adf646d
  SHA1: 6b9c329f85ccbd806246d3b17e99b1ee19bed9e8
  SHA256: 31ab1f4199f52e511350324507f7797e4ecda225108960ba15ccaf734455b6d9
  SHA512: 8b838366d4135bf57f16b279fe8b15ad60c7e8cf1bcb4476bdbe06d82a5c7565f41086e744855d476a981eda134b70fdb3ec56de663bd94c70a07abdfb022692

- 5KB
  MD5: b86d9adfb219285d232e5638919d818b
  SHA1: dc4df056b7cbc9c66fada52787cbabc98894416b
  SHA256: bcdfbd78a328853677b766534515bc16a94b322386042e65aaa8a0f84127124b
  SHA512: d25fd19ed05d5d83009a0c9e7dcca0612f571034b5035b1795d653f4cfa88e89273b4d48f8067a3df76b5bb125002ed06e983a073c05823a23324bbc71f073ea

- 6KB
  MD5: 789dbcc57204aeee4824023e92538765
  SHA1: 86183d2806b057e68f6a02dfb8ef74e1d8c24b33
  SHA256: 34ee9547f53653dfb455aaf75106ac00bbfd2eb56064d3bdec2edf48002f0c98
  SHA512: 03cbfaab456d7cfe8506d913933c9f86ecfc2c0f922a054253832c88021bad15fd5ba7304c244414c8bb9b86411de1ccf1b308eea3ae5c22d8d60f140aa64f4d

- 5KB
  MD5: 14629b550ef8f60d70d5d79b064604a8
  SHA1: 4f64d43895eff510bd353f5119601af58cc44753
  SHA256: 20467418a089542b9d08d4aed7ec8afc0055bfaa58caab0a89a0413126d14349
  SHA512: 25bad50df23d85c597aba6bee1d254db3490f367b413d1e376d60d07795c00fa4aa375f672e553575ef96ecfbc6caac9f982fd92720a43e443030ad3e17a3258

- 24KB
  MD5: 52826cef6409f67b78148b75e442b5ea
  SHA1: a675db110aae767f5910511751cc3992cddcc393
  SHA256: 98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb
  SHA512: f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

- 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- 11KB
  MD5: 089a06c34b57d7f7217076b907e67d50
  SHA1: 1ad2504daf769b19dd7a3734fbd1db59f3751610
  SHA256: febbce0d022c29cee811a1ce1535f763c94635b4e6501edf3c0b0182331ddc71
  SHA512: 877121e4b9deaa1d0656077ed6c0edbe7b614069ba1b20006be461b735e50b715045dc8e4d35317c45f77acb29da864246a714c7812b828730dd1bf7b7cba999

- 11KB
  MD5: 78c2511299bbb14f715386d82630c810
  SHA1: dd420212152932a898cf7b22483223e84e81044e
  SHA256: b303e58a43a5efc6315bffa84d8c14959c2747eb5d1c8d727377d52fc10218a6
  SHA512: 356da997203075161f172aff18b4c2a1fa2896a89df9487d2cfda44e55374b58f06700ed926bd295e41cb62db5d31f769dd6f13dd18b394085570fe4251b76fa

- 11KB
  MD5: 917ff8bea4de7d7391e9dcb18ce1444a
  SHA1: cb14aca0839b848a754b10a058bf52c30343729d
  SHA256: 2dbdd01ea03861d4d380bcb3fe2d9f534ebb29f8b173dc7c93b97969adbd665a
  SHA512: 0e5ac99bce8738e0468b24be7c8701e80ce882133366fdccbdccde7633be56d9ec5264668a79986861d97b0584211aba977c7df99bdf5a0a2c60920619ebb883

- 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84