Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
99s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
-
submitted
08/04/2024, 22:36
General
-
Target
https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1162561795836350564/1212999733283651604/TS.Desync69900.exe?ex=66220588&is=660f9088&hm=e5885b948aaa94102025fa51938350617b34897ead5cfd568e6a0a5b3d251c5f&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffc032d3cb8,0x7ffc032d3cc8,0x7ffc032d3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵
-
-
C:\Users\Admin\Downloads\TS.Desync69900.exe"C:\Users\Admin\Downloads\TS.Desync69900.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6697069170038233843,16359876399368828644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ec7568123e3bee98a389e115698dffeb
SHA11542627dbcbaf7d93fcadb771191f18c2248238c
SHA2565b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75
SHA5124a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
4KB
MD5d996adb4b3f42fb7d5530665cf885cbf
SHA161666e084f213e1b6aece3a9191b6bd1fcacfd42
SHA25644f7e691c2c839616cca77341395292b1804d8268c09baa20704b20826f45f56
SHA5120f731ddc1f60ccb2993e583310dfcfde53c94b6984aa01aba8ef80cc17313d654024c6a22619ffeb020a01d3f240b4cdc9c68cea9e0053a71618e1d59fe776fd
-
Filesize
5KB
MD56c78ac585214d41e9c65f7728d4d7bdd
SHA1447a0dcb31be603cbea831770f2142d0bd0d5bb9
SHA256c795e0480dac15b5f0e51095e7ce63cdf1df1db7c7edc4ee7aca0536a7456958
SHA512d7aea2bec53003956ac681296109dd3ad9f99ec2ecd964e72dfe0092d6546d43a6c7e2b2bf3e714b35c2e94af6b299099ea4175ff66f6c8f5c847828da3e736b
-
Filesize
5KB
MD51836792eac3ea8f3e05b533ba2db5b67
SHA12419f34b7a52ef66ce81700d4057fb1a65c52da9
SHA25671d447f0b255f4848e153444b224e0068b9f47d57f5832307dfc6124b466bcb9
SHA5124d598515219da976fa315ed1863b583c412d08474d65a3905727d93ae75aba48976d9c823df3fb26c2d3f34ae4e6a13e90dba75ccb71a1acbbdb6e877aaaaf36
-
Filesize
5KB
MD5cb17ef86373f1cf6105e8e0737a6faf9
SHA14bd61b82c5506a9fe0acd9494bac9ed0d5fdd90d
SHA25693e854ad97190d71c536a52c7707a480f84f5b922fd948c16e7b5f27a848d586
SHA51275b44480dd738323eb63112530488074fe55625ea90c73606dff5221036624399801216daf6629e19a3bb3696eff3d375ac60a7faf38964dbc29c8d30a4ba8b7
-
Filesize
25KB
MD50ba15f72ffb0a37243558588d3e78221
SHA1814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0
SHA2563d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a
SHA51202b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD57560fc9a05d2b83c3e62857556102201
SHA168b8f0441772f383f98fe6261d03d0330e9c0fe4
SHA256003d15e69cd20e149a4da3cbd5ee4e4e11fb882e2ae9c7e99cbc64c68aa823c0
SHA5124d85d3b08736c1e5bbeb6f3a27740c47094884fc25bbb6136648b7d6b7481cede9a65218587a817f06db983cf2e36e04d20933584ac4f011ed617fcc27547fb4
-
Filesize
10KB
MD5295ba1afdcfb8603c8713554b1c347e5
SHA177fe6b02cf85379c5b1527b0a863531d0e6ade56
SHA256ee322be3a38817a49ed95ddc13b977ff8f0c3c0d06418f6157f03c87aebe90c6
SHA51211a5d42ded86463bfec04bdda4b9d0125816f519a091e49384bd293f6a487fc33bbf0d00038dbae4bcc643f91029f44f9a74201ce64cef7e47b86674bd82a4d3
-
Filesize
11KB
MD5e3b6a0110df2c31bfea0b9c962b5931d
SHA1dd63409db214a27374a41e3e5966e3768e991488
SHA256a32cf451972383871afd3a27103036c96f29848612e39436441e023fdd22c28d
SHA5129e55495ac0c179cf30cc0b563958bda98e15dde4eeeb61f600a59a09ef3fbc8eec959bc7792f876bce43ac0e252f9b3a83360e503c1cf012d795243a21134161
-
Filesize
11KB
MD53c0b1b1f6326a3e62d45ca5721f8ff7d
SHA17eb8620130617d3efaab96ee505d1cfa3252e4b6
SHA256f5dad65983772d2e7732adf38262d3ebd1ec0bc0fa8b284fc37c0be671496d69
SHA512802b390c1888f9192a6256c399aef5602c0b7eed264355ee302206ec51c64d5d1bd60743f213572c2f946cc03ed873fe614988f4e583c0ba563ca705f75399dd
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.5MB
MD5aaf1ba15541f90afc068bd08b2ddc456
SHA1a6add5aae8cc0eeda7d0d5417ab978608d9e7a6f
SHA2563ae209c4dc4c7b42db3e1fc3081e302b30c346cba789e5a0aa6f1be26d775779
SHA512cac7b4526133680a2bd8f9ec3cdc3dc72d928798f5e9d997793a8796cadef1f30f02e87e1bc09acaac9cce6458cf903a788f9a042f877d562f6e56038463086e
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
1.5MB
-
Filesize
64KB