Analysis
max time kernel: 149s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2024, 23:23
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://l1ve.bendlegal.com/ppsecure/post.srf
Resource: win11-20240412-en
General
Target: https://l1ve.bendlegal.com/ppsecure/post.srf
Note on the target: the host label l1ve substitutes the digit 1 for the letter i in "live", and the path /ppsecure/post.srf is the path of Microsoft's login.live.com sign-in form-post endpoint, while the registrable domain, bendlegal.com, is not a Microsoft domain. The URL therefore has the shape of a Microsoft account sign-in lookalike; the signatures below come from the browser opening it, not from any payload.
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process              events
  104   msedge.exe           2
  1004  msedge.exe           4
  2580  identity_helper.exe  2
  2712  msedge.exe           2
  4200  msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid 104, msedge.exe: 9 events

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 104, msedge.exe: 25 events

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 104, msedge.exe: 12 events

Suspicious use of WriteProcessMemory (64 IoCs)
  Every event has pid 104 (msedge.exe) as the writer. Targets, with procid_target in parentheses: 3756 (80), 1508 (82), 4200 (83), 4368 (84); most of the 64 events target 1508 and 4368. All four targets are child processes of PID 104 in the process list below (crashpad-handler, gpu-process, NetworkService and StorageService respectively).
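A triage helper for the WriteProcessMemory rows above, added as an example and not part of the tria.ge report. It parses rows in the flattened "PID X wrote to memory of Y" form, groups them by writer and target, and looks each target up in a process map (pid to image and parent pid) so writes into the writer's own child processes can be separated from writes into unrelated processes, which is the question an analyst asks before accepting this signature as browser-internal. The rows are an excerpt of the report's 64-event table plus one constructed row (target 9999) that exercises the "review" path; the map entries for PIDs 104, 3756, 1508, 4200, 4368 and 3552 come from the Processes section, and the entry for 9999 is constructed.

```python
"""Group 'Suspicious use of WriteProcessMemory' IoC rows by writer and target
and check each target against the process tree. Added example, not report code."""
import re
from collections import Counter

# Row shape as it appears in the flattened tria.ge table:
#   PID <writer> wrote to memory of <target> <writer pid> <writer image> <procid_target>
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Excerpt of the report's table (its first four targets) plus one constructed row
# for target 9999, which does not appear in the report.
SAMPLE_ROWS = (
    "PID 104 wrote to memory of 3756 104 msedge.exe 80 "
    "PID 104 wrote to memory of 3756 104 msedge.exe 80 "
    "PID 104 wrote to memory of 1508 104 msedge.exe 82 "
    "PID 104 wrote to memory of 1508 104 msedge.exe 82 "
    "PID 104 wrote to memory of 1508 104 msedge.exe 82 "
    "PID 104 wrote to memory of 4200 104 msedge.exe 83 "
    "PID 104 wrote to memory of 4200 104 msedge.exe 83 "
    "PID 104 wrote to memory of 4368 104 msedge.exe 84 "
    "PID 104 wrote to memory of 4368 104 msedge.exe 84 "
    "PID 104 wrote to memory of 9999 104 msedge.exe 99 "  # constructed row
)

# pid -> (image, parent pid), taken from the Processes section; 9999 is constructed.
PROCESSES = {
    104:  ("msedge.exe", None),
    3756: ("msedge.exe", 104),      # --type=crashpad-handler
    1508: ("msedge.exe", 104),      # --type=gpu-process
    4200: ("msedge.exe", 104),      # network.mojom.NetworkService
    4368: ("msedge.exe", 104),      # storage.mojom.StorageService
    3552: ("CompPkgSrv.exe", None),
    9999: ("notepad.exe", 3552),    # constructed: not a child of the writer
}


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, procid_target) per event."""
    for m in ROW.finditer(text):
        writer, target, _pid, image, procid = m.groups()
        yield int(writer), int(target), image, int(procid)


def triage(text, processes):
    """One summary dict per (writer, target) pair, sorted by target pid.

    verdict is 'expected' when the target is a direct child of the writer (a broker
    setting up its own sandboxed children) and 'review' otherwise, including targets
    missing from the process list."""
    counts = Counter((w, t) for w, t, _img, _procid in parse_rows(text))
    summary = []
    for (writer, target), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        image, parent = processes.get(target, ("<not in process list>", None))
        own_child = parent == writer
        summary.append({"writer": writer, "target": target, "target_image": image,
                        "events": n, "own_child": own_child,
                        "verdict": "expected" if own_child else "review"})
    return summary


def needs_review(text, processes):
    """Target pids whose writes are not parent-to-child; empty means browser-internal only."""
    return [row["target"] for row in triage(text, processes) if row["verdict"] == "review"]


if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS, PROCESSES):
        print(row)
```

Run against the full table in the report, every target resolves to a child of PID 104, so needs_review() would return an empty list; the constructed 9999 row is there only to show what a write into a foreign process looks like in the output.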
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 104
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://l1ve.bendlegal.com/ppsecure/post.srf
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  children of PID 104:

    PID 3756  crashpad-handler
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac2fc3cb8,0x7ffac2fc3cc8,0x7ffac2fc3cd8

    PID 1508  gpu-process
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2

    PID 4200  utility: network.mojom.NetworkService
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

    PID 4368  utility: storage.mojom.StorageService
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

    PID 1340  renderer (client id 6)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    PID 3964  renderer (client id 5)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

    PID 4196  renderer (client id 7)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

    PID 2652  renderer (client id 8)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

    PID 2580  identity_helper.exe, utility: winrt_app_id.mojom.WinrtAppIdService
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

    PID 2712  utility: chrome.mojom.UtilWin
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

    PID 1500  renderer (client id 11)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

    PID 1216  renderer (client id 12, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

    PID 4932  renderer (client id 13, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

    PID 4152  renderer (client id 14)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

    PID 2648  renderer (client id 15)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

    PID 1004  gpu-process (second instance, GPU sandbox disabled, GL disabled)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13593492309892159649,998211376281507987,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4720 /prefetch:2
      signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  PID 3552
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID 1664
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 152B
   MD5:    db6f3e04e8d0e847b83d778e43552540
   SHA1:   6f58849131e27b05ba16d1e001fcab3db510af9a
   SHA256: 74058d1dab7f6c19b598835bdc3050a9b8afa46b17095cc5bed4687ac2384948
   SHA512: b12bc4a12511611d35e426d17a0bc3e99f3045ad7246deacb4fd50aa74f5e2da3f336c972b52a8a48821f1fdc3f85ed12666f54ed1e11a61e23926285014bc1a

2. Filesize: 152B
   MD5:    dc3fe6b634c77522eec8ca4b8d4434ea
   SHA1:   f8da22ca5d5f4788078f5ed52f7f12baef619b4b
   SHA256: 0fe3ee7f209b5350c0876b6dc7c571c2af5db80964e37835b6e7279cd311d31a
   SHA512: c5cc2251985ae5aec6082a8a4e4dea1f1a8bf72c4ccf199ad4a3e17509a4f7152ae60b1bf84d77e843e4d7043bd2f0da63d620cbdb8ededa94fa4606d016ec69

3. Filesize: 5KB
   MD5:    0ff5f65996a7f75918b0f989b28f48f4
   SHA1:   1d3d45c49b7249abe2a94157b5f7d3c53e86a2c2
   SHA256: 8b9b15fedca7e9135acef59fef41ce06de3fa7f4f02fc24199ac50275175fff4
   SHA512: 49748ad1b37a9a95e25e2566d523e57a7650c04be479195c55b7cc4c0a58fb5aa0684319e52f724c865c04cddf2617548450eb0a5e5ffc360e606861f4e9bf41

4. Filesize: 5KB
   MD5:    193acb74d466de73cdc9e9dedd1611ae
   SHA1:   11e962532d1c911bb65f9a1769e92ecfc317ba4b
   SHA256: 6e7fbfe04e22af0dbe498d13b5af425b141a4a078d4f2769523e04623ac9ab59
   SHA512: 5b8a0cf6c06d9f638c1433b40c001c012f408f02c0fd36d13596bb6ccbac3c3459763f2961b9bb2c01326b7aec8f3b9d1dd2a684767bb8c0703b2cbe4aaa7ef1

5. Filesize: 16B
   MD5:    46295cac801e5d4857d09837238a6394
   SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
   SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
   SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

6. Filesize: 16B
   MD5:    206702161f94c5cd39fadd03f4014d98
   SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
   SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
   SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

7. Filesize: 11KB
   MD5:    d2ebe55e8aadd994317d9a81afdbd6a7
   SHA1:   17240939184edaa190995333416df34c6622dea2
   SHA256: b02e8c91c645d93537f137f22e9e097877dc94f21fdc199dddce87d4c7a7a036
   SHA512: 9d073baac0b4e2a64a6acff478877794475fbccd0fd31cd8d27f2588be01fc6c511002b12e786aad489ff9e6db7307a1cde7d5c3253c65fd24373a235b8f38f4

8. Filesize: 11KB
   MD5:    12b408fd51e4f3e0559ea3c4afadfa1e
   SHA1:   81a688cceb99d3560e42d44a1dbb7cb76d1b7ae9
   SHA256: 621bf2e2abe8c1138bff9116cc259977d40a19322e148528286a2da71336ecf5
   SHA512: 4eb49377b76aab0203e70b69b347962d5fbb553690cb9453fcae22a6fb123959b7c54b91a4f06307f94f95e68280e346a432835bee0d35d356e786fff86781d2