Analysis

max time kernel: 204s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 23:34
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://Auormrion.com/vag/may2018/march2024/16hrs/daymin/9/10
Resource: win10v2004-20240226-en

General

Target: http://Auormrion.com/vag/may2018/march2024/16hrs/daymin/9/10
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                   process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process               entries
  1280   msedge.exe            2
  4472   msedge.exe            2
  2620   identity_helper.exe   2
  896    msedge.exe            4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid    process
  4472   msedge.exe   (all 10 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    process
  4472   msedge.exe   (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid    process
  4472   msedge.exe   (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Every row has the same writer, PID 4472 (msedge.exe); the 64 rows are repeated writes into four target processes:
  writer pid   writer process   target pid   procid_target
  4472         msedge.exe       1612         89
  4472         msedge.exe       3408         90
  4472         msedge.exe       1280         91
  4472         msedge.exe       2148         92
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4472)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Auormrion.com/vag/may2018/march2024/16hrs/daymin/9/10
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1612)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce5c646f8,0x7ffce5c64708,0x7ffce5c64718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3408)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1280)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2148)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2876)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4092)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2088)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2772)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 608)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2620)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4824)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1864)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 800)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3780)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4556)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4740)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 896)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13700719724844920937,17686304374272195515,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5816 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 1676)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 396)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
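Reading the Signatures and the process tree together: every flagged event has msedge.exe PID 4472 as the actor, every WriteProcessMemory target (1612, 3408, 1280, 2148) is one of the browser's own helpers launched from the Edge install directory with a Chromium --type= flag, the NtCreateUserProcessBlockNonMicrosoftBinary entries are the browser starting those helpers with the block-non-Microsoft-binaries mitigation, and the BIOS registry reads come from the browser process itself. That is ordinary Chromium multi-process start-up (the browser writes launch data into each sandboxed child it creates), so for this sample the signatures are noise; they become a lead only when the target of a write, or a child of the browser, is an image outside the install directory or has no known process type. The script below is an added triage example of mine, not part of the tria.ge report or tooling. It parses a constructed, abbreviated copy of the report's command lines and WriteProcessMemory rows (not the full 64-row table), collapses the repeated rows into one count per writer/target pair, and raises a "suspicious" finding only for that case; a made-up PID 9999 running from %TEMP% is included to show the rule firing. The reduced-sandbox flags it lists as "info" (--service-sandbox-type=none on the network service and identity helper, --disable-gpu-sandbox on the second gpu-process, which is Chromium's software-rendering fallback after GPU initialization fails, as it typically does in a VM) are normal and are surfaced only so the analyst sees them.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the shape of this report's process list:
# (pid, command line). PID 9999 is made up to show what a real non-browser child
# launched by Edge would look like; it is NOT in the report.
PROCESS_LINES = [
    (4472, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Auormrion.com/vag/may2018/march2024/16hrs/daymin/9/10'),
    (1612, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7'),
    (3408, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2136 /prefetch:2'),
    (1280, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none /prefetch:3'),
    (2148, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility /prefetch:8'),
    (2876, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --renderer-client-id=6 /prefetch:1'),
    (2620, r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none /prefetch:8'),
    (896,  r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled /prefetch:2'),
    (9999, r'"C:\Users\Admin\AppData\Local\Temp\update.exe" /silent'),  # constructed
]

# Constructed rows in the report's "Suspicious use of WriteProcessMemory" format:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>".
# The last row (target 9999) is made up to match the constructed process above.
WPM_ROWS = """\
PID 4472 wrote to memory of 1612 4472 msedge.exe 89
PID 4472 wrote to memory of 1612 4472 msedge.exe 89
PID 4472 wrote to memory of 3408 4472 msedge.exe 90
PID 4472 wrote to memory of 3408 4472 msedge.exe 90
PID 4472 wrote to memory of 1280 4472 msedge.exe 91
PID 4472 wrote to memory of 2148 4472 msedge.exe 92
PID 4472 wrote to memory of 9999 4472 msedge.exe 93"""

EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application".lower()
# Chromium process types the browser legitimately spawns (and writes startup data into).
BROWSER_TYPES = {"browser", "crashpad-handler", "gpu-process", "utility", "renderer"}
# Flags meaning a helper runs with a reduced or absent sandbox: worth listing, not
# malicious by themselves (the network service is unsandboxed on Windows anyway).
SANDBOX_FLAGS = {"--disable-gpu-sandbox", "--no-sandbox", "--service-sandbox-type=none"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_cmdline(cmd):
    """Return (image path, Chromium process type, list of --flags) for one command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    exe = m.group(1) or m.group(2)
    # Quoted flags ("--user-data-dir=C:\...\User Data") are kept whole.
    flags = [a or b for a, b in re.findall(r'(?:"(--[^"]+)"|(--\S+))', cmd)]
    ptype = next((f.split("=", 1)[1] for f in flags if f.startswith("--type=")), "browser")
    return exe, ptype, flags


def triage(process_lines, wpm_rows):
    """Classify each process and each writer->target pair.

    Returns (procs, writes, findings); findings are (severity, pid, message) tuples
    with severity "suspicious" (needs a look) or "info" (normal, listed for context).
    """
    procs, findings = {}, []
    for pid, cmd in process_lines:
        exe, ptype, flags = parse_cmdline(cmd)
        procs[pid] = (exe, ptype)
        if not exe.lower().startswith(EDGE_DIR):
            findings.append(("suspicious", pid, "image outside the Edge install directory: " + exe))
        elif ptype not in BROWSER_TYPES:
            findings.append(("suspicious", pid, "unexpected Chromium process type: " + ptype))
        weak = sorted(f for f in flags if f in SANDBOX_FLAGS)
        if weak:
            findings.append(("info", pid, "reduced sandbox: " + ", ".join(weak)))

    # Collapse the repeated WriteProcessMemory rows into one count per (writer, target).
    writes = Counter()
    for line in wpm_rows.splitlines():
        m = WPM_RE.match(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] += 1

    for (src, dst), n in sorted(writes.items()):
        src_exe = procs.get(src, ("", ""))[0]
        dst_exe, dst_type = procs.get(dst, ("", ""))
        # Browser -> its own helper is how Chromium starts every child; anything else
        # (unknown target, foreign image, unknown type) is a real injection lead.
        expected = (src_exe.lower().startswith(EDGE_DIR)
                    and dst_exe.lower().startswith(EDGE_DIR)
                    and dst_type in BROWSER_TYPES)
        if not expected:
            findings.append(("suspicious", dst,
                             f"{n} WriteProcessMemory event(s) from PID {src} into {dst_exe or 'unknown process'}"))
    return procs, dict(writes), findings


if __name__ == "__main__":
    procs, writes, findings = triage(PROCESS_LINES, WPM_ROWS)
    for (src, dst), n in sorted(writes.items()):
        print(f"{src} -> {dst}: {n} write(s)")
    for sev, pid, msg in findings:
        print(f"[{sev}] PID {pid}: {msg}")
```

Run against the full report (paste all 64 rows into WPM_ROWS and every process into PROCESS_LINES) the only output is the "info" lines for PIDs 1280, 2620 and 896; the rule fires solely for the constructed %TEMP% child, which is the shape a genuine browser-spawned dropper would take.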
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 152B
  MD5:    9ffb5f81e8eccd0963c46cbfea1abc20
  SHA1:   a02a610afd3543de215565bc488a4343bb5c1a59
  SHA256: 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
  SHA512: 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

File 2
  Filesize: 152B
  MD5:    e1b45169ebca0dceadb0f45697799d62
  SHA1:   803604277318898e6f5c6fb92270ca83b5609cd5
  SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
  SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

File 3
  Filesize: 6KB
  MD5:    fb3d753bd9381ee95bfb296e7446eb97
  SHA1:   55f6d6e131ebb57b8962b2ec304f8665af79e9e8
  SHA256: 67aca74e496663bffecbf6f9f7ed71cd8c2cb2457c96c907bc1d8f35c108315c
  SHA512: 3c9e61d6cdbce43e00389b1b8c16fc67792feb8bad44c5cb46416e5f0c8d3538c6f68a265cdf10ecd5a68ea93fc682ba52e221fa922b2c6d7db6a548ed7d5b55

File 4
  Filesize: 6KB
  MD5:    e7361a40db79e4172ccfa446477f3120
  SHA1:   a90960fd0136ce752946bcae86c5a1c88e92c1da
  SHA256: e4f0a4941de529fb91553f5bddb1b1b256bbe47e7802c1b14c1acd154b5affeb
  SHA512: b165f1b4b8fb00d369d94dc449c201bc216f7a2817c1fbd98362af31454b64f294d97db71c75f1b633d27915833516cef86edf3756a5f5af470f442e43e36f63

File 5
  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

File 6
  Filesize: 11KB
  MD5:    9d818fb0dad48219a1aa5b6e53c4aedc
  SHA1:   c73ed4fa4f5f949eb5feba0b179fba1a40295016
  SHA256: 81a88ad665ed3f7fcabfa4ec59e42feabd720902270a45f5b618c91c1dd10659
  SHA512: 89eee9d51218acefeb443f6fe01130bd7296088991dd330a987bb8491388447cb91e069433d71340b7abec8f50318e60072e6e3932cd6e7a446f0f52472a886c