Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2024, 12:54
Static task: static1
Behavioral task: behavioral1
- Sample: 5393432e826b15fb8cdc1824d29e535c.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5393432e826b15fb8cdc1824d29e535c.exe
- Resource: win10v2004-20231222-en
The results on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20231222-en); the Windows 7 run is not shown here.
General
- Target: 5393432e826b15fb8cdc1824d29e535c.exe
- Size: 40KB
- MD5: 5393432e826b15fb8cdc1824d29e535c
- SHA1: c55eaa54e87e0d4c5fe7eacf148e7c80bb641711
- SHA256: f9dec0eced7162e3f19fd45ada870078e955b758e2364b97c19c41bb7405c881
- SHA512: f101521b38125a1e643e54e6ba0edce52754eac515657eb2fe062f85784815e557e642518a7ea8c682364afe7468e3513ff422c1b72ff117899235b7c8933f9b
- SSDEEP: 768:GUdc8DoPnnDEQC1gyYxFGMlOMywGvwftEWpc7L1sGaXY0F2kG0TZiBI:lDOB5lOnjWid58EQZ0I
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Note: all three IoCs are attributed to msedge.exe, not to the submitted binary. Reading SystemManufacturer and SystemProductName is a common VM/sandbox-detection check, but here the browser performs it, so this signature is not evidence of evasion by the sample.

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | process
  1644 | msedge.exe (2 entries)
  2756 | msedge.exe (2 entries)
  4172 | identity_helper.exe (2 entries)
  3860 | msedge.exe (4 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | process
  2756 | msedge.exe (7 entries)
  Note: PID 2756 is the Edge browser process creating its own child processes; applying the block-non-Microsoft-binaries mitigation to sandboxed children is the browser's own hardening, not sample behaviour.

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  2756 | msedge.exe (25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  2756 | msedge.exe (24 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 3708 wrote to memory of 2756 | 3708 | 5393432e826b15fb8cdc1824d29e535c.exe | 94 (2 entries)
  PID 2756 wrote to memory of 1600 | 2756 | msedge.exe | 93 (2 entries)
  PID 2756 wrote to memory of 3104 | 2756 | msedge.exe | 103 (repeated; the bulk of the remaining entries)
  PID 2756 wrote to memory of 1644 | 2756 | msedge.exe | 97 (2 entries)
  PID 2756 wrote to memory of 2200 | 2756 | msedge.exe | 96 (repeated)
  Note: procid_target is the report's own process index, not a PID. The only entries originating from the sample are 3708 -> 2756, i.e. the sample starting Edge. Every other writer/target pair is Edge and one of its own children (1600 crashpad-handler, 3104 gpu-process, 1644 network service, 2200 storage service), the same pattern for each child it creates, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\5393432e826b15fb8cdc1824d29e535c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5393432e826b15fb8cdc1824d29e535c.exe"
  PID: 3708
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.orkut.com/
    PID: 2756
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - msedge.exe (utility: storage.mojom.StorageService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      PID: 2200
    - msedge.exe (utility: network.mojom.NetworkService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      PID: 1644
      Signatures: Suspicious behavior: EnumeratesProcesses
    - msedge.exe (renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      PID: 4788
    - msedge.exe (renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      PID: 5012
    - msedge.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      PID: 3104
    - msedge.exe (renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
      PID: 4584
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
      PID: 4172
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
      PID: 5052
    - msedge.exe (renderer, instant process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      PID: 4884
    - msedge.exe (renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      PID: 1080
    - msedge.exe (renderer, instant process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      PID: 3664
    - msedge.exe (renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      PID: 2532
    - msedge.exe (gpu-process, GPU sandbox disabled)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4033300721039324123,9216587463077651692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
      PID: 3860
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\5393432e826b15fb8cdc1824d29e535c.bat
    PID: 3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (crashpad-handler)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff8d5b646f8,0x7ff8d5b64708,0x7ff8d5b64718
  PID: 1600
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2428
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4576
- C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID: 4788
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  PID: 4884

Notes on the tree:
- The sample itself does two things in this run: it starts Microsoft Edge on http://www.orkut.com/ and runs a batch file with its own basename (5393432e826b15fb8cdc1824d29e535c.bat) from the same Temp directory through cmd.exe /c. The contents of that .bat are not shown on this page and it is not among the files listed under Downloads. Everything under PID 2756 is Edge's normal multi-process startup.
- The command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe. That is WOW64 file-system redirection, so the sample is a 32-bit process, consistent with the arch:x86 resource tag.
- PIDs 4788 and 4884 each appear twice (an Edge renderer, and later wmiprvse.exe and svchost.exe). PIDs are recycled after a process exits, so correlate on PID plus creation time (or the sandbox's own process index), not on PID alone.
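The points above (the sample starting a browser on a URL, cmd.exe /c running a .bat from Temp, the SysWOW64 redirection, PID reuse, and the registry IoCs belonging to msedge.exe rather than the sample) can be re-derived mechanically from the process tree. The script below is an added example and is not tria.ge code or output. Its PROCESSES and REGISTRY_IOCS records are transcribed from this page's Processes and Signatures sections (long Edge command lines abbreviated, parent PIDs taken from the tree nesting); the BROWSERS set, the regular expressions and the scoring rules are the author's assumptions about how to triage such a tree, not anything the report itself defines.

```python
"""Re-derive this report's findings from its process tree and registry IoCs.

Added example, not part of the tria.ge report or its tooling. PROCESSES and
REGISTRY_IOCS are transcribed from this page (Edge command lines abbreviated);
BROWSERS and the detection rules below are the author's assumptions.
"""
import re
from collections import defaultdict

SAMPLE = "5393432e826b15fb8cdc1824d29e535c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}  # assumption

# (pid, parent pid, image path, command line); parent pid follows the tree nesting.
PROCESSES = [
    (3708, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (2756, 3708, EDGE, '"' + EDGE + '" --single-argument http://www.orkut.com/'),
    (2200, 2756, EDGE, '"' + EDGE + '" --type=utility --utility-sub-type=storage.mojom.StorageService'),
    (4788, 2756, EDGE, '"' + EDGE + '" --type=renderer'),
    (3724, 3708, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c " + TEMP + "\\" + SAMPLE[:-4] + ".bat"),
    (4788, None, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),  # same PID as the renderer
]

# (description, registry path, process) from the "Enumerates system info in registry" signature.
REGISTRY_IOCS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "msedge.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "msedge.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", "msedge.exe"),
]

URL_RE = re.compile(r"https?://\S+", re.I)
TEMP_BAT_RE = re.compile(r"/c\s+(\S*\\AppData\\Local\\Temp\\\S+\.bat)", re.I)


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """Executable as written on the command line, quoted or not."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline.strip())
    return (m.group(1) or m.group(2)) if m else ""


def browser_launches(procs):
    """A browser started by a non-browser parent with a URL on its command line."""
    by_pid = {pid: img for pid, _, img, _ in procs}  # last writer wins on reused PIDs
    hits = []
    for pid, ppid, img, cmd in procs:
        if ppid is None or basename(img) not in BROWSERS:
            continue
        url = URL_RE.search(cmd)
        if url and basename(by_pid.get(ppid, "")) not in BROWSERS:
            hits.append((ppid, pid, url.group(0)))
    return hits


def temp_batch_runs(procs):
    """cmd.exe /c executing a .bat that lives in the user's Temp directory."""
    hits = []
    for pid, _, img, cmd in procs:
        m = TEMP_BAT_RE.search(cmd) if basename(img) == "cmd.exe" else None
        if m:
            hits.append((pid, m.group(1)))
    return hits


def wow64_redirected(procs):
    """Image resolved under SysWOW64 although the caller named System32:
    file-system redirection, so the parent was a 32-bit process."""
    return [pid for pid, _, img, cmd in procs
            if "\\syswow64\\" in img.lower() and "\\system32\\" in first_token(cmd).lower()]


def pid_reuse(procs):
    """PIDs that carry more than one image during the run (recycled PIDs)."""
    seen = defaultdict(set)
    for pid, _, img, _ in procs:
        seen[pid].add(basename(img))
    return {pid: names for pid, names in seen.items() if len(names) > 1}


def registry_attribution(iocs, sample):
    """(hits performed by the sample, hits performed by other processes)."""
    own = sum(1 for _, _, proc in iocs if proc.lower() == sample.lower())
    return own, len(iocs) - own


def summarize(procs=PROCESSES, iocs=REGISTRY_IOCS, sample=SAMPLE):
    return {
        "browser_launch": browser_launches(procs),
        "temp_bat": temp_batch_runs(procs),
        "wow64": wow64_redirected(procs),
        "pid_reuse": pid_reuse(procs),
        "registry_by_sample_vs_others": registry_attribution(iocs, sample),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as-is it reports the single sample-originated browser launch (3708 -> 2756, http://www.orkut.com/), the Temp batch run under PID 3724, that same PID as WOW64-redirected, PID 4788 as reused, and 0 of 3 registry IoCs attributable to the sample. Feeding it a tree where the sample itself reads the BIOS keys, or where a browser child spawns cmd.exe, changes the answers accordingly, which is the point: the rules score who did what, not just whether a signature fired.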
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown)
  Filesize: 152B
  MD5: 1386433ecc349475d39fb1e4f9e149a0
  SHA1: f04f71ac77cb30f1d04fd16d42852322a8b2680f
  SHA256: a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
  SHA512: fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 120B
  MD5: 1213f80c52133f70587931f2d18947af
  SHA1: 058d17ebec8e9c54eae207b22b3da7642619593b
  SHA256: 5682ed418eb846535f6aa56631ce3db04eae71ca6c36f94c4ba064e8053875ba
  SHA512: 3f8c0730cf880945798c0c856f3a5c4b4a09b4346a0ddec7fb9c64a15c49c240aac9b9a26348374370b5971233c86b54c5aa3c91c59850b9245d402d963f17a1
- (path not shown)
  Filesize: 885B
  MD5: a1bbeed56371fb8d7607a4ff7a160230
  SHA1: 877b27941b1bc732c3f3eacc10bebe2490b83120
  SHA256: 7fafa39acb3fb4471dc4e215036d9a8da2a0d000a6b9ad16d255932cd1ef6c6e
  SHA512: 0739172eb8dc8cba0aad089e7dffc997bdb24e9a5f182f1f1072fc0b72e92bad9f0f611dbe9dcb127a111a7ffc2328d539c09f3fda89807e4647ba50b620d1cc
- (path not shown)
  Filesize: 6KB
  MD5: 61d3f86b1de1be655fef45f1ea4afa77
  SHA1: f39c474b99963daf08d3e5813a18c7ec3e2758a4
  SHA256: 800246f48a305329ed8b35690f268788c8999e1e2ba786c640c1d0159a74bfdc
  SHA512: 56eb30d1b4c08fe204dac7d2444bad618f0ade8c88572aed0ccaa8ea47930fdedb3a3d67dc0e8aabfb3573773bb707e6bb1b5fafe0588a25ffe00d4c224dadce
- (path not shown)
  Filesize: 5KB
  MD5: 9683da1a02be63f1bee7b6f437c5cde3
  SHA1: c2564ff7047c728b3bec777af12e51c604f2e5b9
  SHA256: efdc04ed9ed80cf7a88220601c64a2eff543d933326b15cd6167283c9fec2f9d
  SHA512: d3ef1b78c86d0e96cbf98e3dd049053c94bf866d081e3f11a98bcb1745153db56046662b8e85a8b55643d6f246b010cf1f35467b32f6195d2484e4aa179ed553
- (path not shown)
  Filesize: 24KB
  MD5: e664066e3aa135f185ed1c194b9fa1f8
  SHA1: 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
  SHA256: 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
  SHA512: 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e
- (path not shown)
  Filesize: 10KB
  MD5: e872d19344a0eba271cfae06e20e5cc3
  SHA1: 7130f2211957a65e4bb8ec2f45ef1239093a4875
  SHA256: b9e4423ca253aef163f64d8312c2dfa7d9af651c99fc2d34f2d5fa3f34942dcc
  SHA512: 8318eb47f8565aa182ed2d1e5d1b2061452f507d5e9992b1a9106cb440784283d1677ab7c04019af005ced342212949109b92f68254249b7f0de1274c469e869
- (path not shown)
  Filesize: 254B
  MD5: 29bc5f9bb28f7e68359a7ed0c2884f75
  SHA1: 726f95c55bf2b76a204d42446d58dde41797e61c
  SHA256: f332de54b9c3b2d0d052470ad9d0c3536f897b04914f602604c9a7dc615bc4c9
  SHA512: 8d2ff7ba0a46e2842c76f5a4ee113b528d304f99cb64fdd0a3980e01a98d307ff71d65505dba649f58c9583341e6eec26df187aa7a83e7b8050ae268e3c3f965

Only one of these entries carries a path on this page, and it is an Edge code-cache index under the browser profile. The batch file executed by cmd.exe (C:\Users\Admin\AppData\Local\Temp\5393432e826b15fb8cdc1824d29e535c.bat) is not listed here, so its contents cannot be recovered from this report.