Analysis

  • max time kernel
    300s
  • max time network
    247s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 00:30 UTC

General

  • Target

    https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9a7b9758,0x7ffa9a7b9768,0x7ffa9a7b9778
      2⤵
        PID:4040
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:2
        2⤵
          PID:2836
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:8
          2⤵
            PID:3276
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:1
            2⤵
              PID:3332
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:1
              2⤵
                PID:3316
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:8
                2⤵
                  PID:228
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:1
                  2⤵
                    PID:4652
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:8
                    2⤵
                      PID:1784
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:8
                      2⤵
                        PID:888
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1848,i,18358821457270348175,8061183196544162336,131072 /prefetch:2
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2876
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:1164

                      Network

                      • DNS (geolocation: US)  chrome.exe  via 8.8.8.8:53
                        Request: gate.sc IN A
                        Response: gate.sc IN A 108.138.36.33, 108.138.36.22, 108.138.36.29, 108.138.36.70
                      • GET (geolocation: DE)
                        https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226
                        chrome.exe
                        Remote address:
                        108.138.36.33:443
                        Request
                        GET /?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226 HTTP/2.0
                        host: gate.sc
                        sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
                        sec-ch-ua-mobile: ?0
                        sec-ch-ua-platform: "Windows"
                        upgrade-insecure-requests: 1
                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                        sec-fetch-site: none
                        sec-fetch-mode: navigate
                        sec-fetch-user: ?1
                        sec-fetch-dest: document
                        accept-encoding: gzip, deflate, br
                        accept-language: en-US,en;q=0.9
                        Response
                        HTTP/2.0 403
                        content-type: text/plain; charset=utf-8
                        content-length: 0
                        date: Sat, 24 Feb 2024 00:32:21 GMT
                        x-robots-tag: noindex
                        cache-control: private, max-age=0
                        referrer-policy: no-referrer
                        x-frame-options: DENY
                        x-content-type-options: nosniff
                        strict-transport-security: max-age=63072000; includeSubdomains; preload
                        server: am/2
                        x-cache: Error from cloudfront
                        via: 1.1 a1d3f4e4f5c5940d2f1eea05f736c3ee.cloudfront.net (CloudFront)
                        x-amz-cf-pop: MUC50-P2
                        x-amz-cf-id: ZhyP5c5IIoytIdaEwBPURZnWssEizso8O1j8KkEcqbygM_ObJbRdkg==
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 10.200.250.142.in-addr.arpa IN PTR
                        Response: 10.200.250.142.in-addr.arpa IN PTR lhr48s29-in-f10.1e100.net
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 33.36.138.108.in-addr.arpa IN PTR
                        Response: 33.36.138.108.in-addr.arpa IN PTR server-108-138-36-33.muc50.r.cloudfront.net
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 89.192.66.18.in-addr.arpa IN PTR
                        Response: 89.192.66.18.in-addr.arpa IN PTR server-18-66-192-89.muc50.r.cloudfront.net
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 0.159.190.20.in-addr.arpa IN PTR
                        Response: (none recorded)
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 194.178.17.96.in-addr.arpa IN PTR
                        Response: 194.178.17.96.in-addr.arpa IN PTR a96-17-178-194.deploy.static.akamaitechnologies.com
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 88.156.103.20.in-addr.arpa IN PTR
                        Response: (none recorded)
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 103.169.127.40.in-addr.arpa IN PTR
                        Response: (none recorded)
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 198.187.3.20.in-addr.arpa IN PTR
                        Response: (none recorded)
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 114.134.221.88.in-addr.arpa IN PTR
                        Response: 114.134.221.88.in-addr.arpa IN PTR a88-221-134-114.deploy.static.akamaitechnologies.com
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 180.178.17.96.in-addr.arpa IN PTR
                        Response: 180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com
                      • DNS (geolocation: US)  via 8.8.8.8:53
                        Request: 13.227.111.52.in-addr.arpa IN PTR
                        Response: (none recorded)
                      • 108.138.36.33:443
                        gate.sc
                        tls
                        chrome.exe
                        1.0kB
                        6.5kB
                        10
                        10
                      • 108.138.36.33:443
                        https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226
                        tls, http2
                        chrome.exe
                        2.1kB
                        7.6kB
                        19
                        22

                        HTTP Request

                        GET https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119&token=94288d-1-1705058821226

                        HTTP Response

                        403
                      • 8.8.8.8:53
                        gate.sc
                        dns
                        chrome.exe
                        53 B
                        117 B
                        1
                        1

                        DNS Request

                        gate.sc

                        DNS Response

                        108.138.36.33
                        108.138.36.22
                        108.138.36.29
                        108.138.36.70

                      • 8.8.8.8:53
                        10.200.250.142.in-addr.arpa
                        dns
                        73 B
                        112 B
                        1
                        1

                        DNS Request

                        10.200.250.142.in-addr.arpa

                      • 8.8.8.8:53
                        33.36.138.108.in-addr.arpa
                        dns
                        72 B
                        129 B
                        1
                        1

                        DNS Request

                        33.36.138.108.in-addr.arpa

                      • 8.8.8.8:53
                        89.192.66.18.in-addr.arpa
                        dns
                        71 B
                        127 B
                        1
                        1

                        DNS Request

                        89.192.66.18.in-addr.arpa

                      • 8.8.8.8:53
                        0.159.190.20.in-addr.arpa
                        dns
                        71 B
                        157 B
                        1
                        1

                        DNS Request

                        0.159.190.20.in-addr.arpa

                      • 8.8.8.8:53
                        194.178.17.96.in-addr.arpa
                        dns
                        72 B
                        137 B
                        1
                        1

                        DNS Request

                        194.178.17.96.in-addr.arpa

                      • 8.8.8.8:53
                        88.156.103.20.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request

                        88.156.103.20.in-addr.arpa

                      • 224.0.0.251:5353
                        chrome.exe
                        204 B
                        3
                      • 8.8.8.8:53
                        103.169.127.40.in-addr.arpa
                        dns
                        73 B
                        147 B
                        1
                        1

                        DNS Request

                        103.169.127.40.in-addr.arpa

                      • 8.8.8.8:53
                        198.187.3.20.in-addr.arpa
                        dns
                        71 B
                        157 B
                        1
                        1

                        DNS Request

                        198.187.3.20.in-addr.arpa

                      • 8.8.8.8:53
                        114.134.221.88.in-addr.arpa
                        dns
                        73 B
                        139 B
                        1
                        1

                        DNS Request

                        114.134.221.88.in-addr.arpa

                      • 8.8.8.8:53
                        180.178.17.96.in-addr.arpa
                        dns
                        72 B
                        137 B
                        1
                        1

                        DNS Request

                        180.178.17.96.in-addr.arpa

                      • 8.8.8.8:53
                        13.227.111.52.in-addr.arpa
                        dns
                        72 B
                        158 B
                        1
                        1

                        DNS Request

                        13.227.111.52.in-addr.arpa

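                      The capture above shows the gate.sc redirector answering HTTP 403 with an empty body, and the only forward DNS lookup is for gate.sc itself; the wrapped blogspot host is never resolved, so the 1/10 score reflects Chrome's start-up behaviour and nothing about the real destination. The Python below is an added triage helper written for this page; it is not tria.ge code and not part of the report. It parses the submitted URL, pulls out the wrapped destination and the token, treats the token's trailing 13-digit field as Unix epoch milliseconds (an assumption based purely on its shape, not documented gate.sc behaviour), and uses the report's observed status, body length and resolved hosts to decide whether the verdict covers the destination at all. It also checks the 2-byte persisted_first_party_sets.json hash from the Downloads section against SHA256 of "{}", which shows that artifact is an empty JSON object.

```python
"""
Added triage helper for the sandbox report on this page (not tria.ge code).
It re-reads values copied from the report to decide whether the submitted
redirector URL ever reached the destination it wraps.  The token layout
(last dash-separated field = Unix epoch milliseconds) is an assumption drawn
from the token's shape, not documented gate.sc behaviour.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# --- values copied from the report -------------------------------------------
SUBMITTED_URL = (
    "https://gate.sc/?url=https%3A%2F%2F4flixs5.blogspot.com%2Ftv%2F241002-1-1%2FT103119"
    "&token=94288d-1-1705058821226"
)
SUBMITTED_AT = datetime(2024, 2, 24, 0, 30, tzinfo=timezone.utc)  # "submitted" field
GATE_STATUS, GATE_BODY_LENGTH = 403, 0                             # HTTP/2.0 403, content-length: 0
RESOLVED_HOSTS = {"gate.sc"}                                       # the only forward (A) lookup captured
# SHA256 of persisted_first_party_sets.json (2 bytes) from the Downloads section
FPS_SHA256 = "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"


@dataclass
class Redirect:
    gate_host: str
    destination: str | None
    token: str | None
    token_time: datetime | None  # None when the token carries no recognisable timestamp


def parse_gate_url(url: str) -> Redirect:
    """Split a gate.sc-style redirector URL into its wrapped destination and token."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs percent-decodes the nested URL for us
    destination = query.get("url", [None])[0]
    token = query.get("token", [None])[0]
    token_time = None
    if token:
        tail = token.rsplit("-", 1)[-1]
        if tail.isdigit() and len(tail) == 13:  # assumption: 13 digits = epoch milliseconds
            token_time = datetime.fromtimestamp(int(tail) / 1000, tz=timezone.utc)
    return Redirect(parts.hostname or "", destination, token, token_time)


def assess(redirect: Redirect, status: int, body_length: int,
           resolved_hosts: set[str], submitted_at: datetime) -> dict:
    """Decide whether the sandbox score says anything about the wrapped destination."""
    dest_host = urlsplit(redirect.destination).hostname if redirect.destination else None
    reached = dest_host is not None and dest_host in resolved_hosts
    gate_refused = status >= 400 or body_length == 0
    token_age_days = None
    if redirect.token_time is not None:
        token_age_days = (submitted_at - redirect.token_time).total_seconds() / 86400
    return {
        "gate_host": redirect.gate_host,
        "destination_host": dest_host,
        "destination_reached": reached,
        "gate_refused": gate_refused,
        "token_age_days": token_age_days,
        # A low score is only evidence about the destination if the browser got there.
        "score_covers_destination": reached and not gate_refused,
    }


def is_empty_json_artifact(sha256_hex: str) -> bool:
    """True when a dropped file's content is exactly "{}" (a benign Chrome profile artifact)."""
    return sha256_hex.lower() == hashlib.sha256(b"{}").hexdigest()


if __name__ == "__main__":
    r = parse_gate_url(SUBMITTED_URL)
    verdict = assess(r, GATE_STATUS, GATE_BODY_LENGTH, RESOLVED_HOSTS, SUBMITTED_AT)
    for key, value in verdict.items():
        print(f"{key:>26}: {value}")
    print(f"{'fps_json_is_empty_object':>26}: {is_empty_json_artifact(FPS_SHA256)}")
```

                      Run stand-alone it reports destination_reached as false, gate_refused as true and a token roughly six weeks older than the submission, so the practical next step is to resubmit the unwrapped destination URL rather than read the 1/10 as a verdict on it.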
                      MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                        Filesize

                        1KB

                        MD5

                        36f7d624068b46e9faa14f0c3df0e071

                        SHA1

                        53fef022ebcea6a87f2ed1a71e2ed1282adb6aee

                        SHA256

                        19ac174a349898fb404e4124aa9e63fa524b27376f523a7c28af7d82a4926460

                        SHA512

                        3a45ecd38efc6f7d06c83a56084e2ba5fe8f6ef5555767438ba385021dd9ddbfcc98c1561bde3914d2597b050024c63f06d7ceaf579d1b57c04e8db70c8a1ea7

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                        Filesize

                        538B

                        MD5

                        337161f0bc5897945e3781db5eeb1369

                        SHA1

                        b7f51427846168731a15f82352ab54134c20c37a

                        SHA256

                        ec44f332f6b1edf9da35c6035c574f94570047b6f89f677d77b0230e904d7b1f

                        SHA512

                        16018f27e1bda2e0bde9dde8b36da688d81501598a0635e79a68271e923f27f9ae60d39190b5e20660c387d0bd5c601d56c8089b62c770bf7eb245f1571bfe72

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                        Filesize

                        6KB

                        MD5

                        88edf8f0082113447a6bef6c83ea5191

                        SHA1

                        de80524f00c6540a87f4046a2370647b27f85f1c

                        SHA256

                        8fefd930fa700bb09fd46a17d4b81575188c9f587e2f38283b22a13c4e2a90b4

                        SHA512

                        4ab430f61139769cf4b53fee5af8f193a339ceb3f18f745eb80b8f7604e1fe26befeca5ca0163973355bd0e0bed01356319838006828eb3908c295dae0a68680

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                        Filesize

                        6KB

                        MD5

                        a15adbb6fa6de6363885aec47a6c1480

                        SHA1

                        8c0e87e70dac28b7363543207eb72606724480e7

                        SHA256

                        e94f8bd59b8a3f2cde454ef7936871c4dc9c3975871e6cd04ce816c58ed8a94c

                        SHA512

                        e93a53107d4043197401967653c336b53311961b9efe7f97c3aaf66a5c15fa7537a367878bea2d5dc7f101c7502b5a5d6df49547e2832e9602c29bff7af29ede

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                        Filesize

                        130KB

                        MD5

                        57b0eaf92fbc7c98cdeca45714650e6e

                        SHA1

                        81f335c186794abbfa21f2aee2a1ba1066088039

                        SHA256

                        681279d65dd24fcd07576dfd54bb1be68c091d568b10c4b640a8a46ff6d800a8

                        SHA512

                        0c14847e64ddab1f5fc6d2a5d2f0a51cf059fbf8ab8ad975a49e2f9f3c3194258594de975283e8bef4fa5584dae336db149e48b0c44efff4a77f9aca895367c4

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                        Filesize

                        2B

                        MD5

                        99914b932bd37a50b983c5e7c90ae93b

                        SHA1

                        bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                        SHA256

                        44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                        SHA512

                        27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
