Analysis
max time kernel: 140s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 06:54
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://t.yesware.com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell.cornell.edu/portal/us-fed/
Resource: win10v2004-20240226-en
General
Target: https://t.yesware.com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell.cornell.edu/portal/us-fed/
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4772 | msedge.exe (2 entries)
4964 | msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid | Process
4964 | msedge.exe (5 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
4964 | msedge.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4964 | msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed)
description | pid | Process | procid_target
PID 4964 wrote to memory of 1524 | 4964 | msedge.exe | 89 (2 entries)
PID 4964 wrote to memory of 4008 | 4964 | msedge.exe | 90 (repeated)
PID 4964 wrote to memory of 4772 | 4964 | msedge.exe | 91 (2 entries)
PID 4964 wrote to memory of 3664 | 4964 | msedge.exe | 92 (repeated)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4964)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.yesware.com/tt/30e658b717b16cf6fb44d092466a8a43b50b6a78/24ce2ac9d1816ee7c06a20c85553492b/0e230038b341338bda259beefd648a30/ecornell.cornell.edu/portal/us-fed/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1524)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5cf146f8,0x7ffa5cf14708,0x7ffa5cf14718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4772)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3664)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1592)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1408)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1428)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4000)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3596)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9374550031001513521,2235823017262027560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 3648)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2764)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 7740a919423ddc469647f8fdd981324d
SHA1: c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256: bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA512: 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Filesize: 152B
MD5: 9f44d6f922f830d04d7463189045a5a3
SHA1: 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA256: 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA512: 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Filesize: 196KB
MD5: 813c1b41e435242e7365a4bcd7adcf23
SHA1: 2d25e1564eaf93455640413b95646b3f88f9075b
SHA256: 70cb2151ee4ef83195855d29819491a23c5eafee2e72b7ffd9041b35363d1542
SHA512: 268c4fa1797700a205e37e716c1472592ad6242344645c703ab1ab8d4d68452c3ccce7cdc4d56a0b42d4061bdc793f1c79dffc397f038133387b94b2a1f4051e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 720B
MD5: 9939cbc5927a1f96618fb58cf22e7033
SHA1: e5ae81a57021c685cf01bb0be7e77e26996a1cd0
SHA256: 7fd1e5c21441eb66e71c37ddfb1fbeb7956d857257cf594e0b4c3d3798a584d5
SHA512: 6b40d0826440154801c03a90829d48b148885ac6ae152fbcf301860691fc98171c4f5cef96b278060ea3de156e068d383a52600008d17d3e36de37116051f614

Filesize: 3KB
MD5: 34d03f7bda259eb9db2eedc47ebd2212
SHA1: 933f22cecb3b377f411c86e686d17b70d5d649c3
SHA256: 009eb704839bc5dd5ce3f5fa6c3e9cbaa0245ac19ac4f0ac343f7ef1842613a9
SHA512: 2a21a01205ac53de333d58bcb03f6aacf9a5dc20c491e6c79b0603083b3506a280e7688dd652e871c4036eea9e3c3dae5d097eafbc31175262979f93c0a30589

Filesize: 6KB
MD5: 038af599b272829d234bbb85d7def4fe
SHA1: 377432d305365faf7797ddd0cfd0262b2f9df4ad
SHA256: afba1f1067551c1c2db6479daaa48e3e4370ae3ab536a0450d780d631e0e8ade
SHA512: e0ca7256d01b591f11c1715f0028d02d224f195085c6ef76da9a84aba02e9fa95b50a68377e900ceec0705502ad0bf38a333329106d2281106b762bf291a17fb

Filesize: 8KB
MD5: c20e55af5aad5cd7736b1e96d952e27a
SHA1: 285c96c6d89a1b192a5e63444e223d08e7a8bd75
SHA256: 577d79e477e00dfcf3e18f5e31206f9f624f3a5b55b5c849aa823fc847a2d289
SHA512: 504da1f6d698909d4da77b7c652befc8441d9090a30c29c6f82fcf8be87f7338153d91ac3aefdc0f9780e4e53de6bbe795f1402fb6d2c16a260404611eff2235

Filesize: 11KB
MD5: 3e2559f6fd7cfed97189a9cc29624a22
SHA1: 990505ab344e70c0dada74fe7a9ff6924a59a71f
SHA256: 20cac941571c125542fafd92df1fb0e80f77e9846e67627677b67248ba22d3ca
SHA512: b6c955bea5ae519e5006b6dafafc393f1d7c027863a13469a967c8c1f8c4b6cecd872ea94b08ec9bf28feda4cf2c6b4d56f6e7e82c0e481593542aa099bb6bb7