797c661946c5db81056ad9c4d5c6f16e008e54b410d5fa62498e608e792d4761

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe
552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4640	2732	Seven.exe	86
PID 2732 wrote to memory of 4640	2732	Seven.exe	86
PID 4640 wrote to memory of 2236	4640	msedge.exe	87
PID 4640 wrote to memory of 2236	4640	msedge.exe	87
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 2980	4640	msedge.exe	90
PID 4640 wrote to memory of 4712	4640	msedge.exe	91
PID 4640 wrote to memory of 4712	4640	msedge.exe	91
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92
PID 4640 wrote to memory of 2948	4640	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd389c46f8,0x7ffd389c4708,0x7ffd389c4718
    3⤵
    PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:5620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2595619961476554068,1245552127671172462,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc2edd0741d97ae237e9f00bf3244144

SHA1
7c1e5d324f5c7137a3c4ec85146659f026c11782

SHA256
dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041

SHA512
00f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
120a75f233314ba1fe34e9d6c09f30b9

SHA1
a9f92f2d3f111eaadd9bcf8fceb3c9553753539c

SHA256
e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0

SHA512
3c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f7f190cc576f52afe9614713d4b5f254

SHA1
5402502bf721c5563469e5faf30436c64a64482e

SHA256
93a7bba0ccff78cfd17d7bf13e3431623d406b076d9326e8022ddb836e56fa0a

SHA512
76cca318c927af3431ba1ca49c135d9aa7e12d5a58ebb5bd3bd3c222a9f20da3b74d361d1a58e1adffc093380c01026caf6d082e939af3f7974bb1d6ec9b31bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1f97715e592db6e12fb170ba9f497b8b

SHA1
f14647e29e544b4f889ee2259bd37630f26caabb

SHA256
b9c4fc94eeb8a382a0509669fdc25c15a5e1dd7e2764f60ebef90578d3209df3

SHA512
9a11afde94dd18681e54a6358acdc37b3175101b53b5586f567f42703637caef639a2e593a31c31b62bddf9a1be7c249e83c8f182b0c29710d49e8c756bb9bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b37358da53727a86105b0b37b21021dc

SHA1
f13657efcb7c6006df78c5c4c9d9686c05700847

SHA256
0f0cae315c177f7e70bb7de4be6d059c2408c839683665af778c3326c45aea94

SHA512
c71c9c280c77982fe770097268bcda571a704c9e8db3ded88ce689568b31b2a3b48190c7352aa29e9f8aeea1ee98eca63d1e896810807e21ba1e1a5f037609ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a5a84e8d185be7d0ba319dac9853676b

SHA1
c245e69ad99d726e6f60bab4a5ee4c280722d842

SHA256
5bcb9422b8108268be276d77d28e3b7a5ff10bc2ebdc2c26bb1366429615d31c

SHA512
c1577b8b922279445d92a746ca2aab3bc4e5a647c6797b0d4f2db39b500122082ebb95ddd851fbc19adae7e7d6ef94e78da7efdda3c46993b7ecc1854963d05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6b6d1da8f66217a166939e6a4c3fb25

SHA1
1c324b65f8029a276c573b4ac0802eaafa39301d

SHA256
b259f3559bbe0e66dbba83ab02cba5cf98d6f4fc417074e6e2a1e523ef76fdbe

SHA512
9ba22cb8b214d161b6135d6e8b83a6d742615131e5c50e2f6e5376f00ed747df55d3e06398ad882325eece65a7444b7786aa102ec21c76fbbf6ddf24be9d8d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce48706ff8865b1bd8cb72b2ce424d29

SHA1
2f7cbb9fb0e4bdc7a4233bf159420d71673c4552

SHA256
3879e231e14b7c62d3f2b048e816e642da6e8e63f7ecb88090d79a9f201431d7

SHA512
64a2fef71de296085aa6b9e7b9b5bb97bbd30354ea6c655d4fc52d2843464c2a8c5149ee045520f7f18cf3efadffdc65a5a47a7fd11c2d14a5b124d43ff32b58

Download Submit