Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
50s -
max time network
50s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19/04/2024, 00:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cloudflare-ipfs.com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319.html
Resource
win10v2004-20240412-en
General
-
Target
https://cloudflare-ipfs.com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319.html
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 9 cloudflare-ipfs.com 12 cloudflare-ipfs.com -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3204 msedge.exe 3204 msedge.exe 4508 msedge.exe 4508 msedge.exe 2592 identity_helper.exe 2592 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe 4508 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4508 wrote to memory of 772 4508 msedge.exe 89 PID 4508 wrote to memory of 772 4508 msedge.exe 89 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3736 4508 msedge.exe 90 PID 4508 wrote to memory of 3204 4508 msedge.exe 91 PID 4508 wrote to memory of 3204 4508 msedge.exe 91 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92 PID 4508 wrote to memory of 3976 4508 msedge.exe 92
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cloudflare-ipfs.com/ipfs/bafybeigtwr3ontibnus3p5zn3echnujiu6x2mkmlck2z254a26h6ye7s3i/myscr673319.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c86a46f8,0x7ff9c86a4708,0x7ff9c86a47182⤵PID:772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵PID:3736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵PID:3976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:82⤵PID:668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵PID:3732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:12⤵PID:3980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9821755829920017276,13106814380385583217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:12⤵PID:3464
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2992
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3784
-
C:\Windows\system32\charmap.exe"C:\Windows\system32\charmap.exe"1⤵PID:5320
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a9519bc058003dbea34765176083739e
SHA1ef49b8790219eaddbdacb7fc97d3d05433b8575c
SHA256e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b
SHA512a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53
-
Filesize
152B
MD5cb138796dbfb37877fcae3430bb1e2a7
SHA182bb82178c07530e42eca6caf3178d66527558bc
SHA25650c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd
SHA512287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD501200b0803cc5582fc19cb8d30949ec2
SHA1d02c82ddeab4e0d8b87a1f372828b63a6179287b
SHA256fb6eefe5ed386ddb7efafa96c2b0aa7600731ead2b9d02d81a3948221d56c223
SHA5129ae57fdb7ea2e87ebaf8b67dbf9f93706767c1c75039809ebeca7e4136133ab5f727f2f21785a40edf91fd62d2abc6f201130a78393089fc84565cc82873d879
-
Filesize
6KB
MD51901c1dcefec0a3a4659687dfd8d52a6
SHA1b5e7e49e9978f6f798645b09418cc9fa4fcf5a37
SHA256ae0ea2570705bf1671cc4ff17a68c2166aedbded491575aea2e752aebf3c63fd
SHA5122f0c542a0d69382860b0e010ec0e37b6f0c40140e30fdb91dbd6981f84dbd6c3ded9befdf71d0b10b158e14994a2d398e0385f063923a4962d6d20f2b87d3e8d
-
Filesize
6KB
MD588b2a508bda66cae7ce985505cd71c1b
SHA1c80c09f4565ec5e31decd1bd39edf4f1ad46de93
SHA25616deacf73035ed84165e37c3d52fc62b7e45c26247dea001f7e89f02cef86bec
SHA5127b9e0f9f3036f91f3f0148b0b99b4a2d212d165468e98416a71a50621c97cc3d68810c7cf141f0fd9a0910f0bf6fc5667c0df25926861d4b1d0d360f801a80e1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD587d6ef9dcec9ff8f8e439e53078dbe67
SHA139a1f34dad68a2ee42c891991cb3dad1cbb5f700
SHA25660e42bace05c0bfd0d5ee13748aa4c212574623f538f1b8282950c14626a8ec8
SHA51270c4801ceea6476cc8f5d0c789bb0fd2102bd20a56a8c5cc00eecb768e2171a7af79acf31a3ee86b1345de78f630d05e99d5d699385b00557abca3f2a912bd4d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84