Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2024, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
bfc16809ab8b143b67baa1032f017ba6.html
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
bfc16809ab8b143b67baa1032f017ba6.html
Resource
win10v2004-20240226-en
General
-
Target
bfc16809ab8b143b67baa1032f017ba6.html
-
Size
1KB
-
MD5
bfc16809ab8b143b67baa1032f017ba6
-
SHA1
94564307dd787d365c1308cf7b58461335fa63e4
-
SHA256
c2f19420145d084784694098da4cc1510ddc041fa687edde2a8c5d47226c95e8
-
SHA512
4a33b02bb8abf7355add6169ec9940519df65e1627e89b4cf67cceb21a6b95ba1dc289e2d9f1b5bac48fbbad984248ea39b5880bfad903a2ea258067ec4f5ddc
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2712 msedge.exe 2712 msedge.exe 3524 msedge.exe 3524 msedge.exe 4932 identity_helper.exe 4932 identity_helper.exe 2088 msedge.exe 2088 msedge.exe 2088 msedge.exe 2088 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 3712 svchost.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe 3524 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3524 wrote to memory of 2472 3524 msedge.exe 88 PID 3524 wrote to memory of 2472 3524 msedge.exe 88 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2080 3524 msedge.exe 89 PID 3524 wrote to memory of 2712 3524 msedge.exe 90 PID 3524 wrote to memory of 2712 3524 msedge.exe 90 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91 PID 3524 wrote to memory of 3564 3524 msedge.exe 91
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\bfc16809ab8b143b67baa1032f017ba6.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe134046f8,0x7ffe13404708,0x7ffe134047182⤵PID:2472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:82⤵PID:3564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:3116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:82⤵PID:1344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵PID:4892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵PID:3604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:2108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:3932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8854123654758320762,15445447961720560733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5228 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4400
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4152
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:2924
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
Filesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
Filesize
6KB
MD5d0c951a597987e18cfa4638feb48c7f6
SHA18c44cab2ca9e2b565ec444ae4002dba9a028f15d
SHA2563fce5c42de763634eb497c0b7e49c00ab4230ee22ef60a35e6b4b5064840e10f
SHA5127c61350a46a7604291ccf9024b212698519420e57b3c379293aeed0baf159dc05e1f407772fdb160cc43c1604c50de4728aa2296cd949581f52a9cf09b0ef346
-
Filesize
6KB
MD5db6cf110d7d490b91d48d76e0e4b9250
SHA1217b329c180528796ee681f9e9b18d8f9f28bfc8
SHA256ae56933690d07f6043a0db9e6cabd42839401ad910de883a053d49131bc76ccf
SHA51296053bf909684e897e4dee8152d63457c317b6f417f97ab95873f84964fc9098d8d329db2186568d9c46b5155e7d09093ef877067fce650b6ab1757e38c01f8c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD50530cec3de3ed997e9ee24f063db4813
SHA185e1395813360b31e9552d2854c142978c119d2e
SHA256ce6c4138d440909f86feb4af5049714f95bdd15fca97f5f9fd30a5caa93a2457
SHA5125e91e9c1fc928a9c72a3bec752409f5cba3082eb87b4a3b8a873e4470a69b897aeb1cec7db8b8ddd45bd4d113194cf1f1a1f07923968f23f62ac6f57f28f8c92