Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
51s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19/04/2024, 14:06
Errors
General
-
Target
http://iplog.co/setup
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://iplog.co/setup1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd718c46f8,0x7ffd718c4708,0x7ffd718c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17845802326147417601,678004558780170195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_ver.1.4.1.zip\KInstall\Install.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BAF0176BA03135A4A67190300D4D0BEE2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Redist\Oun.bat" "3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /RU "NT AUTHORITY\SYSTEM" /F /RL HIGHEST /sc onlogon /tn "\User" /tr "C:\ProgramData\Redist\Pun.bat"4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 0 -f4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3976855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD57341ab34b067b1b96cbbba8ac1228910
SHA1c66b9c4b8034bf627533620d18ab3db84e8ca798
SHA256d6f784bfb5340e32ce2770b142ac17e45e0b3718d1f343c42f184da2cd8fc45a
SHA512fbcab32aac1aac1220355306022ef23b9cbe5d19b9a5000b54d357014a7c087ff3f1678e2a78b5395f261ef106802802fa56ff7dd7bd94a13026cac18b3731b8
-
Filesize
152B
MD5e168effea0a2a55f903db6686d633043
SHA152e237d3e7dcc9e0e818f7a19d0e2bf0a9fc2659
SHA2567998a5093c0daa12c6af30fde6f49ae7157deabd3cd2108f8629af7ad9878b48
SHA5121bffb3e63a1a7f0cf089763b235cadef4682abd5dc4a64168af4b08b4e2cff23bc5896ee6028a05cdf1c02edcd9369db85c87eaf5bd884570d305b44f15eca34
-
Filesize
719B
MD528bc19a7cc607d718102b84fc9f09871
SHA139d1445b8267f6c64398dbdc3b36cb8bf61779ee
SHA2562182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d
SHA512dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50
-
Filesize
727B
MD5cfc2e090dc4acc1fa127d913b596bd61
SHA1cc74af1412b8e53eda0978f5a165b23ce65eb06b
SHA256aebc115443330ac121ce385029aaca286cb88e8c9e71bc7b14d038bd3da484c0
SHA5129496bf8d7b9c6f8e528b080d46184329f5f95d58fd3fffbbe6f7e7126937e9ffbe8cfba0169a75c3d8fd93301bc5511b8ebb4e1a7b84bc6ec7772c17c2c747a8
-
Filesize
446B
MD50f733752674acfc208fc1d1c55098c54
SHA1d1988a8c6ca2144a83e33fbc8498809eed939f40
SHA2566d79047c1f291bede701d702f9e7614924857b3510641190e92feca764fe46bc
SHA512c419d8008a5c741d77439866bd58fca9c94f4d5fb38b0689f48d1a8e3dd73b7846cbb4cdc7f707c4524c3d3c1ac62841030ff2dfbec590c28b317d3a1ae76882
-
Filesize
486B
MD5e4734e740126a736f5fd740c21f71f47
SHA10b0e5e4c162766fa17a466a6c330ee3ebae0496f
SHA2561b3e8c2b2645f8150a7b5b8373cbf64cb95bd8dd47fb98664a16c8240a0eeea3
SHA512dab3b08d479430ea31e217782f7256616f7862d9e732cc1bc00b8e1c100b596e772a7e9be7d31355cd01556ab9b94d60b1453570aab7c6fe29c7a37b3e231ddc
-
Filesize
152B
MD57b56675b54840d86d49bde5a1ff8af6a
SHA1fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811
SHA25686af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929
SHA51211fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9
-
Filesize
152B
MD548cff1baabb24706967de3b0d6869906
SHA1b0cd54f587cd4c88e60556347930cb76991e6734
SHA256f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775
SHA512fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6
-
Filesize
312B
MD548adc0da62f931705fa184be1bf1075b
SHA186726ee7c202ece333a7a1615599cde929702874
SHA2560ccb22e4fd1c6ef89bb40a2f45aba3239abd8b800d3eed67c4cb81efc6849ad3
SHA5127349a8738f6cef9ed34228691814df49d3a41b95f17b83b2a09662545b04885037652b13daae8ec453864839a4bc118164d4637f4c573dcc49e84ad67f3db497
-
Filesize
6KB
MD53c13169ab398c7e00407d98b46ce4486
SHA1b0d1c2894b0cfe7dc9e8f611d2554a3730de8541
SHA2562053794c9576f38bbf82478fcd3838323f35ad635211874de12e98334a4fbeb5
SHA5123c01a2c61bd9a0a6655e58edd33537b55075ff07023fa14cab623535eb36bc83f330bac38ba8d55c59bbce7388279a37edf8b54d92ea8aed16ec3d0129b15202
-
Filesize
7KB
MD5b9540c701f47077d10241b86967b5673
SHA131a88b753018840b83c8da967adb8cf2b646849f
SHA256cc57ba4a64bee7adbdb6eb6fb70d49bc8beb636eda18a46518f348acb065edc4
SHA512e2f15360110229ac4c00363b3c79587f48491ec8cca254e578d69776be73f1186e08c7c23c6b63632afb8fa4949dfa82540fb5b9526bd94a6591fb3cb6e38d8e
-
Filesize
7KB
MD5728ca829b836449f86e0f26e30de67d9
SHA1c5e9c511d10b1ca3ccdc16e2f17a45a840891179
SHA256930d6ed15f85cc978a71f347494b258aa5d462111af4af061c237a4c17fa153d
SHA5128304848958a05a31c26aac91b1985371127fe480b45708542852f5fc81c55b18cb98781ccb5d038cb2a6b3574be8a55927e996a52819ddd0e5fc80e231bb2788
-
Filesize
7KB
MD5c22334164bf931bcf285f1c609be4cd3
SHA1d1aa88a2c6020bae999c23e08a97f0dec04f4068
SHA256b7fc6610bcd2ffdf61abd370374316bfe7e40c251036f139c945fa247bab5ebc
SHA5129412eac92600b102ab41a30cd9ba4e442e7daccb8cbeb4678dfe42b0b503dac8f8f95ec77c25cc4d5c60307689598a2425181f9a3301dee849c69647c00a32ec
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD512675f9a6a5a60e5f9b82cdda9801ced
SHA1e758bd4d2a6bdd7e85b2936d14ca5352df1990d9
SHA256531ac5c3b5570961953e4ea707ad352b65c4ff276e48b9b8855933c7b41f106d
SHA51259848eba0aaafe3c385d30580f89d58fbfdda33fdc4761b26792724035cd00a5b2310b2e34f83a2a206e36ac15d857bd41442bc3085ccd777c275f846b77542f
-
Filesize
11KB
MD5b9b100b290b29e5b914d23c387b516ea
SHA174eaf7ec877aeb3f10d2f1c951579ff8a4450b0d
SHA256cfcd6f36cd6246678713b53a3bbf7c60b4aa382291228870c798c2e4fad9d2ea
SHA51250a1637505d3edd0b12ab055a5ebc72a26cf726fa819a7bcffb92bf02b46c31cd5d0855d67a9ba8e363dcdc07a8c0a9d3b9a19c1240fee6bd5bec403ba93d494
-
Filesize
12.1MB
MD5899854e9ffe256f2a3d61a3a8ee6121e
SHA1f11ee617fd8de51874cdfdb48bb829ab810c377e
SHA2569198a07ddcc2a62f5e599b55e85c6f69716640ba431c85f6fbbd60dbf157ce9e
SHA512cd3d10e0a02c0b1ba42c8af7da582b5b133a843f9da1b5c7015d2488f1794d7e4002f6b1ff968476855d35085f745cc322578d172fa3d9d11ba39a3b32824a3f
-
Filesize
12.9MB
MD5902603f5f8f0c4e8a1972c168e0944b6
SHA119257352679e821efeee29a4d8768d9c7ce56fd0
SHA256172d262e0a866c759d39b766d269c95e0192c8c70b13eb14ee1aa2b567ea8020
SHA5124cb2767d0c15476756de91e8c6c7f3775aa2f33897c7127fae3a5e14ea757a3a53c2247bb25aa380da9ec4c4fc6e2bb594a8c41f703718ab6036fff333610360
-
Filesize
23.7MB
MD50e772b39d2837b642d42eefd7c5d2b05
SHA193a623894bec27e1dd2bdf9f32ae04b7e2732641
SHA2568bbcff2235ca3d51a67a80ddb873f9742f0af58e02957879c7c1162ee8047ff0
SHA5127e47f98e7c97de235c258a78653208f68a8b5b7dab3e215bbf0b31ca6a9ce53a5003fc4d13df589c7ca886a76c4ef44704cad0d5da96618b3370a2140d3102a2
-
Filesize
6KB
MD53c0a527a1b4f6074a65a506af0550180
SHA193d45e3a11a3a3db6ce6640709932a3219730d35
SHA256c0d6f04f28f4bf5c7d7dc052b61229715094260ac1e48938631c9ecf1e17208d
SHA5129136eebe3d8f27acee0157834977e00e25bd0797d5ca04cb8b4192de75c273b77c9eed53673019b792204d54cbfe3a0ae176fe7ff7f44ec392cdcaae5fb57499
-
Filesize
10.8MB