Analysis
max time kernel: 150s
max time network: 202s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23/02/2024, 16:04
Static task: static1
Behavioral task: behavioral1
Sample: AimStar 4.2.2/AimStar-16ea93eaf2b2b3326147b9b0fdbee8cfb65be9b6.exe
Resource: win11-20240221-en
General
Target: AimStar 4.2.2/AimStar-16ea93eaf2b2b3326147b9b0fdbee8cfb65be9b6.exe
Size: 2.0MB
MD5: e8481322b3a0c5bf49c656b050678473
SHA1: e96d581fd26c4155f6b6ca6060db3173388e84b9
SHA256: 17ece671248ce2d728eafdaaf2566cd40ea329d9e8988918159b4dbbd726fd2b
SHA512: 8f066e45b48c8f6a33bfa50f935e015a4ee015d1b8885de9e2000642bc8dfa6923f3b0c4c47b449dff9d3259fc0bb3a786c91a7ff5926f3e93045bd0186f670f
SSDEEP: 24576:AstDacvopRFWVl5NKzRbV4J7Z3YQdWQhsl+x/0f8W4aSdOlOZ+ISizD1Dfca1:ACMWOmnWQhsg0k5nEs+IC
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\AimStar 4.2.2\AimStar-16ea93eaf2b2b3326147b9b0fdbee8cfb65be9b6.exe (PID 3528)
  Command: "C:\Users\Admin\AppData\Local\Temp\AimStar 4.2.2\AimStar-16ea93eaf2b2b3326147b9b0fdbee8cfb65be9b6.exe"
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3768)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aimstar.tkm.icu/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1936)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef21b3cb8,0x7ffef21b3cc8,0x7ffef21b3cd8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4856)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1928)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4688)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3200)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 3124)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2692)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1512)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1412)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2904)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1224)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,7594250825756701532,1472001156166903750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 1696)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 5008)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads