Resubmissions
- 24/02/2024, 18:40: 240224-xa85yabh9s (6)
- 24/02/2024, 18:37: 240224-w9kqysba67 (1)
- 24/02/2024, 18:36: 240224-w8437sba55 (4)
- 24/02/2024, 18:35: 240224-w8dagsbg7y (1)
- 24/02/2024, 18:34: 240224-w7wensbg6y (1)
- 24/02/2024, 18:31: 240224-w58l8aah54 (1)
- 24/02/2024, 18:28: 240224-w4e9aabf5x (4)
Analysis
- max time kernel: 1723s
- max time network: 1690s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 18:35
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1210890454485442563/1210890781221720074/file_release_2_0.rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File.zip
Resource: win10v2004-20240221-en
General
- Target: https://cdn.discordapp.com/attachments/1210890454485442563/1210890781221720074/file_release_2_0.rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File.zip
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / Process (repeated rows collapsed, count in parentheses): 4368 msedge.exe (2), 4076 msedge.exe (2), 668 identity_helper.exe (2), 4496 msedge.exe (2), 344 msedge.exe (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid / Process: 4076 msedge.exe (all 7 rows identical)
- Suspicious use of FindShellTrayWindow (36 IoCs)
  pid / Process: 4076 msedge.exe (all 36 rows identical)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 4076 msedge.exe (all 24 rows identical)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (repeated rows collapsed):
  PID 4076 wrote to memory of 2448: 4076 msedge.exe, procid_target 84
  PID 4076 wrote to memory of 1512: 4076 msedge.exe, procid_target 87
  PID 4076 wrote to memory of 4368: 4076 msedge.exe, procid_target 86
  PID 4076 wrote to memory of 2152: 4076 msedge.exe, procid_target 88
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1210890454485442563/1210890781221720074/file_release_2_0.rar?ex=65ec34eb&is=65d9bfeb&hm=4003e820e2652713a56076607a66a4561ed3da1ea58d34f2571fc81549450d2e&?space=File.zip
  PID: 4076
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc78d446f8,0x7ffc78d44708,0x7ffc78d44718
    PID: 2448
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    PID: 4368
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
    PID: 1512
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    PID: 2152
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    PID: 4720
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    PID: 4452
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    PID: 3776
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    PID: 1556
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
    PID: 1612
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
    PID: 668
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
    PID: 1452
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    PID: 3068
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5376 /prefetch:8
    PID: 2720
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    PID: 4736
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
    PID: 4496
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,13129219994541547170,2279448939375522430,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2
    PID: 344
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1176
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2296
Network
MITRE ATT&CK Enterprise v15
Downloads