Analysis
- max time kernel: 300s
- max time network: 288s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 12:06
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://www.zweigleisig.com/#Restaurant
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: https://www.zweigleisig.com/#Restaurant
  - Resource: win10v2004-20231215-en
General
- Target: https://www.zweigleisig.com/#Restaurant
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133500532318005199" (chrome.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 1664 chrome.exe
- pid 1664 chrome.exe
- pid 4552 chrome.exe
- pid 4552 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
- pid 1664 chrome.exe
- pid 1664 chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 64 entries, alternating between Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, all from pid 1664 chrome.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
- 26 entries, all pid 1664 chrome.exe
Suspicious use of SendNotifyMessage (24 IoCs)
- 24 entries, all pid 1664 chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs, all from pid 1664 chrome.exe)
- PID 1664 wrote to memory of 2400 (procid_target 86): 2 entries
- PID 1664 wrote to memory of 1828 (procid_target 88): repeated entries
- PID 1664 wrote to memory of 4068 (procid_target 90): 2 entries
- PID 1664 wrote to memory of 3880 (procid_target 89): repeated entries
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1664)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.zweigleisig.com/#Restaurant
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2400)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6a8a9758,0x7ffe6a8a9768,0x7ffe6a8a9778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1828)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3880)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4068)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3340)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1612)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2328)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4552)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 --field-trial-handle=1824,i,566905179689587841,11495404805355147147,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4400)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads