Resubmissions
12/01/2024, 20:36  240112-zdjqkaehem
12/01/2024, 19:25  240112-x5akvsegb5
12/01/2024, 17:37  240112-v7njdsdca3
12/01/2024, 17:33  240112-v481xsdbc6

Analysis
max time kernel: 601s
max time network: 605s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/01/2024, 19:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://constancia-rfc.info
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: http://constancia-rfc.info
  Resource: win10-20231215-en
General
Target: http://constancia-rfc.info
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                   Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description      ioc                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                      chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133495616265380079"  chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
3948  chrome.exe
3948  chrome.exe
4044  chrome.exe
4044  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid   Process
3948  chrome.exe
3948  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 26 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://constancia-rfc.info
PID:3948
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdd6349758,0x7ffdd6349768,0x7ffdd6349778
  PID:4100

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:8
  PID:4368

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2600 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:1
  PID:4012

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2592 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:1
  PID:4220

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:8
  PID:4248

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=292 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:2
  PID:3824

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:8
  PID:4748

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:8
  PID:4828

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4060 --field-trial-handle=1792,i,5267517073502129008,11374347917935772208,131072 /prefetch:2
  PID:4044
  - Suspicious behavior: EnumeratesProcesses

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:2752
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\32f22270-bd59-4c53-b1b4-a4cb83b8ce51.tmp
Filesize: 6KB