Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 20:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/uc?id=1Cu7J73IOSx504y3DhSS6UH5OQfK1ne9g&export=download
Resource: win7-20231215-en
General
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- HTTP links in PDF interactive object (1 IoCs)
  Detects HTTP links in interactive objects within PDF files.
  resource | yara_rule
  behavioral2/files/0x00020000000228c7-45.dat | pdf_with_link_action
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  4452 | msedge.exe
  4452 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  1628 | identity_helper.exe
  1628 | identity_helper.exe
  5064 | msedge.exe
  5064 | msedge.exe
  5504 | msedge.exe
  5504 | msedge.exe
  5504 | msedge.exe
  5504 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | Process
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | Process
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
  2180 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2180 wrote to memory of 388 | 2180 | msedge.exe | 89
  PID 2180 wrote to memory of 388 | 2180 | msedge.exe | 89
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 1392 | 2180 | msedge.exe | 91
  PID 2180 wrote to memory of 4452 | 2180 | msedge.exe | 90
  PID 2180 wrote to memory of 4452 | 2180 | msedge.exe | 90
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
  PID 2180 wrote to memory of 2112 | 2180 | msedge.exe | 92
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2180)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1Cu7J73IOSx504y3DhSS6UH5OQfK1ne9g&export=download
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 388)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4a7e46f8,0x7ffc4a7e4708,0x7ffc4a7e4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4452)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1392)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4308)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4120)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4368)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 804)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4428)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1628)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4388)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3496)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3948)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5504)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2529216073331014003,123158224506099949,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2448)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2584)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads