Resubmissions

Submitted            Analysis ID          Score
28/04/2024, 17:57    240428-wjzr7ade6y    5
28/04/2024, 17:55    240428-whkxmsde4x    7
28/04/2024, 17:53    240428-wgpt7sdb65    1
28/04/2024, 17:49    240428-wd521sddd7w   6
28/04/2024, 17:43    240428-wawdeadc9s    1

Analysis

max time kernel:   85s
max time network:  94s
platform:          windows11-21h2_x64
resource:          win11-20240419-en
resource tags:     arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         28/04/2024, 17:55
Static task:      static1
URLScan task:     urlscan1
Behavioral task:  behavioral1
Sample:           https://mega.nz/file/vbgCjYjC#eij-04fdXqkI-45KpR26ov5_b79ZV-jVEuAErQbnw_g
Resource:         win11-20240419-en

General

Target: https://mega.nz/file/vbgCjYjC#eij-04fdXqkI-45KpR26ov5_b79ZV-jVEuAErQbnw_g
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)

  description         ioc                                                                     Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)

  pid    Process              entries
  4028   msedge.exe           2
  3164   msedge.exe           2
  3068   identity_helper.exe  2
  244    msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)

  pid    Process      entries
  3164   msedge.exe   11

Suspicious use of FindShellTrayWindow (34 IoCs)

  pid    Process      entries
  3164   msedge.exe   34

Suspicious use of SendNotifyMessage (16 IoCs)

  pid    Process      entries
  3164   msedge.exe   16

Suspicious use of WriteProcessMemory (64 IoCs)

  description                        pid    Process      procid_target
  PID 3164 wrote to memory of 3304   3164   msedge.exe   80
  PID 3164 wrote to memory of 3700   3164   msedge.exe   81
  PID 3164 wrote to memory of 4028   3164   msedge.exe   82
  PID 3164 wrote to memory of 956    3164   msedge.exe   83

  The report repeats these four rows (64 entries in total). Every entry has msedge.exe PID 3164 as the writer and one of its own child processes as the target: 3304 (crashpad handler), 3700 (GPU process), 4028 (network service) and 956 (storage service).
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3164)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/vbgCjYjC#eij-04fdXqkI-45KpR26ov5_b79ZV-jVEuAErQbnw_g
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3304)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858263cb8,0x7ff858263cc8,0x7ff858263cd8

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3700)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4028)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 956)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3416)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1876)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4588)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 3068)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 244)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4932)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3992)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3868)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4992)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3160)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1204)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3016)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,8336053015822731403,10977008654481418287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 3008)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4992)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe  (PID 1656)
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
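Read together, the signatures and the process list say less than the signature names suggest: every hit is on Edge's own browser process (PID 3164) or a helper it launched, and the WriteProcessMemory entries are the browser process writing into children it had just spawned (crashpad handler, GPU process, network service, storage service), which is consistent with normal Chromium child-process bootstrap rather than injection into a foreign process. The command lines also show which utility children ran with --service-sandbox-type=none (the network service, identity_helper.exe and the UtilWin helper), i.e. outside the Chromium sandbox. The following Python is an added example, not part of the tria.ge report and not tria.ge code: it parses the Chromium flags from a process list, lists the unsandboxed children, and labels each WriteProcessMemory pair as expected (browser process writing into its own Chromium child) or suspicious. PROCESSES is constructed from the PIDs, images and flags shown above, with command lines shortened to the flags the classifier reads; the pair (3164, 3008) is a hypothetical IoC added only to exercise the suspicious path.

```python
"""Triage helper for a Chromium-family process tree and its WriteProcessMemory IoCs.

Added example; not part of the tria.ge report. PROCESSES is constructed from the
report's PIDs, images and command-line flags (command lines shortened).
REPORT_WRITES are the four distinct writer/target pairs from the report's
WriteProcessMemory table; EXTRA_WRITE is hypothetical and not in the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
IDH = r'"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"'
CHROMIUM_IMAGES = {"msedge.exe", "identity_helper.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None = root of its tree in the report
    image: str
    cmdline: str


PROCESSES: List[Proc] = [
    Proc(3164, None, "msedge.exe", EDGE + " --single-argument https://mega.nz/file/vbgCjYjC#eij-04fdXqkI-45KpR26ov5_b79ZV-jVEuAErQbnw_g"),
    Proc(3304, 3164, "msedge.exe", EDGE + r' --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7'),
    Proc(3700, 3164, "msedge.exe", EDGE + " --type=gpu-process --mojo-platform-channel-handle=1892 /prefetch:2"),
    Proc(4028, 3164, "msedge.exe", EDGE + " --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none /prefetch:3"),
    Proc(956, 3164, "msedge.exe", EDGE + " --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility /prefetch:8"),
    Proc(3416, 3164, "msedge.exe", EDGE + " --type=renderer --renderer-client-id=6 --no-v8-untrusted-code-mitigations /prefetch:1"),
    Proc(3068, 3164, "identity_helper.exe", IDH + " --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none /prefetch:8"),
    Proc(244, 3164, "msedge.exe", EDGE + " --type=utility --utility-sub-type=chrome.mojom.UtilWin --service-sandbox-type=none /prefetch:8"),
    Proc(3008, None, "CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

REPORT_WRITES: List[Tuple[int, int]] = [(3164, 3304), (3164, 3700), (3164, 4028), (3164, 956)]
EXTRA_WRITE: Tuple[int, int] = (3164, 3008)  # hypothetical IoC, not in the report

# Chromium flags appear as --flag, --flag=value, or quoted as a whole: "--flag=value with spaces"
FLAG_RE = re.compile(r'"--([\w-]+)=([^"]*)"|--([\w-]+)(?:=(\S+))?')


def chromium_flags(cmdline: str) -> Dict[str, str]:
    """Return {flag: value} for every --flag[=value] in a Chromium command line."""
    flags: Dict[str, str] = {}
    for qkey, qval, key, val in FLAG_RE.findall(cmdline):
        if qkey:
            flags[qkey] = qval      # quoted form keeps spaces in the value
        else:
            flags[key] = val        # "" for a bare --flag with no value
    return flags


def process_role(p: Proc) -> str:
    """Chromium process type: 'browser', 'renderer', 'gpu-process', 'crashpad-handler',
    or 'utility:<sub-type>/sandbox=<service-sandbox-type>'."""
    if p.image not in CHROMIUM_IMAGES:
        return "non-chromium"
    flags = chromium_flags(p.cmdline)
    kind = flags.get("type", "browser")  # the browser process carries no --type
    if kind == "utility":
        return "utility:%s/sandbox=%s" % (flags.get("utility-sub-type", "?"),
                                          flags.get("service-sandbox-type", "?"))
    return kind


def unsandboxed_children(procs: List[Proc]) -> List[int]:
    """PIDs of children launched with --service-sandbox-type=none (outside the Chromium sandbox)."""
    return [p.pid for p in procs
            if chromium_flags(p.cmdline).get("service-sandbox-type") == "none"]


def triage_writes(procs: List[Proc], writes: List[Tuple[int, int]]) -> Dict[Tuple[int, int], str]:
    """Label each (writer_pid, target_pid) WriteProcessMemory IoC.

    'expected'  : a Chromium browser process writing into a Chromium child it spawned
                  itself, which is how Chromium sets up every child it launches.
    'suspicious': anything else (foreign image, not the writer's own child, unknown PID).
    """
    by_pid = {p.pid: p for p in procs}
    verdicts: Dict[Tuple[int, int], str] = {}
    for writer, target in writes:
        w, t = by_pid.get(writer), by_pid.get(target)
        expected = (w is not None and t is not None
                    and process_role(w) == "browser"
                    and t.ppid == w.pid
                    and t.image in CHROMIUM_IMAGES)
        verdicts[(writer, target)] = "expected" if expected else "suspicious"
    return verdicts


if __name__ == "__main__":
    for p in PROCESSES:
        print(p.pid, p.image, process_role(p))
    print("unsandboxed children:", unsandboxed_children(PROCESSES))
    for pair, verdict in triage_writes(PROCESSES, REPORT_WRITES + [EXTRA_WRITE]).items():
        print(pair, verdict)
```

The verdict rule is deliberately narrow: a write is only "expected" when the writer is the browser process (no --type flag) and the target is a Chromium image whose parent is that writer. A renderer writing into anything, or the browser writing into a process it did not spawn, falls through to "suspicious", which is the case an analyst actually wants surfaced.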
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
  MD5:    7c16971be0e6f1e01725260be0e299cd
  SHA1:   e7dc1882a0fc68087a2d146b3a639ee7392ac5ed
  SHA256: b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0
  SHA512: dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

Filesize: 152B
  MD5:    bdf3e009c72d4fe1aa9a062e409d68f6
  SHA1:   7c7cc29a19adb5aa0a44782bb644575340914474
  SHA256: 8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc
  SHA512: 75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

Filesize: 5KB
  MD5:    68570302ca3a32232377000dff96a30b
  SHA1:   30721d17e7006ace2c4ae99388068fa33e107df1
  SHA256: f096492966e77eed6afbeb16889702610d89a2dd6e79ab99db8d9d7ba3fde693
  SHA512: d27d98a79c4c2b4c1652eec34bcfa3e074b871a69f2420fc9561f29cfe43ae0ab9bf10329ea78faced615737db564ea91d8cf08786e2573c8a2f97c1a54c0c00

Filesize: 5KB
  MD5:    88f3a0143c766e36d892533e2c722b43
  SHA1:   1b9947376c0a6d3f7da56ab32c69016db5970574
  SHA256: 81f8e29166981c054db253e005711b3e103c458942f61abda7e035c861281fe0
  SHA512: 5254b2fd4d57884ad4aefbbe1055a6e424753b49008d89041137600d2983ae6cf5185dfea4c18cf12bd833845ce7dc1af57a7e2ea5c7688254fb86988c5e20d1

Filesize: 16B
  MD5:    46295cac801e5d4857d09837238a6394
  SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
  MD5:    206702161f94c5cd39fadd03f4014d98
  SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 8KB
  MD5:    7dcdac974ff8698209372ec0fbf60bf1
  SHA1:   4a7b109627a6a178472e24c271d78402da9c640d
  SHA256: d014ce7762ad188611022b25b17e311f618a8a169a9aefe26fe8b0e4cfdb66ad
  SHA512: 0e43767052a96f984e76d822a25868d069eda20e87ea94c79d898fae3d2be21ba07d90695835b060490e680abe16287f2f1648630dabeecfa0bed1ba401f7159

Filesize: 8KB
  MD5:    5d5bf55e50b35ddd847849f019af4b9f
  SHA1:   852bdcca0042111f32f8f49b75195496b1a77e86
  SHA256: b8900c916463b7719f7f648c534b808711a61561660d77a2bd51227a288d4358
  SHA512: b54ef62a0d2a8b42ab723c97209200f3b46dfcd86fa3214cf62ff7d74387856b75eeddba7707d890866154e4252bbf471411ab59215cf50c763213945f57626c

Filesize: 8KB
  MD5:    ee8497920d768d3cbf70c6bfcd499d4c
  SHA1:   dc869ef99d23be7667adbc94c26edfc924939b2a
  SHA256: aed33ee6790d547185a64d9c2084bc5db902678dc7a6142f314775781e35b815
  SHA512: 0eb947adba6236f5b4f7e35b90fd4c0d6c482db2318ac67ff542b248027d18629dbb0db74471906c27a3f43d540f82b2a7ef1eb4294086d3e7a84453198ac8ec

Filesize: 264KB
  MD5:    fb42b0b8d353c142c58de28fb99ac877
  SHA1:   b77ed8f34e84f4922940b974332911bf4292ffb8
  SHA256: b0c491c8cc439fb0132bba4d69fc4f05d843ddb3734e50d004ac2d8309207d3a
  SHA512: 80220dd8d627e60ea20d25b4fd8ccd85c77763e37eefeb29e48cb9226be99a3b96c2b9c3c294ed9949127d32eaebb4b5a95d2d8fd63dbcb27191cec57da5eb7f