Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/05/2024, 13:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3.txt
- Resource: win11-20240419-en
General
- Target: 3.txt
- Size: 93B
- MD5: d18bd9a959e561cf9f69b72b0104b652
- SHA1: 4abe872f62ce00466f2461c2ec11992a3603da8a
- SHA256: 252b0e7748e5d18e3e3fd98339058091a58732bf5108d2725d3720b30afc61d4
- SHA512: 832f84fe093cf109b888220eed64980b6c2b68c12e7dd148ccf67da547ca0a2f5de4cac5596f20a5dd6b43e3779dc0cb7a9e205523190db92e2fe7abd1d007f3
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                   Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
- Modifies registry class (1 IoCs)
  description   ioc                                                                                Process
  Key created   \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings  cmd.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid    Process
  1916   NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs; distinct pid/Process pairs)
  pid    Process
  3352   msedge.exe
  4848   msedge.exe
  3932   msedge.exe
  248    identity_helper.exe
  4792   msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs; distinct pid/Process pairs)
  pid    Process
  4848   msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs; distinct pid/Process pairs)
  pid    Process
  4848   msedge.exe
- Suspicious use of SendNotifyMessage (12 IoCs; distinct pid/Process pairs)
  pid    Process
  4848   msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs; distinct rows)
  description                        pid    Process      procid_target
  PID 3132 wrote to memory of 1916   3132   cmd.exe      80
  PID 4848 wrote to memory of 744    4848   msedge.exe   85
  PID 4848 wrote to memory of 4820   4848   msedge.exe   86
  PID 4848 wrote to memory of 3352   4848   msedge.exe   87
  PID 4848 wrote to memory of 1556   4848   msedge.exe   88
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\3.txt
  PID: 3132
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3.txt
    PID: 1916
    - Opens file in notepad (likely ransom note)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 4848
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff828843cb8,0x7ff828843cc8,0x7ff828843cd8
    PID: 744

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    PID: 4820

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    PID: 3352
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
    PID: 1556

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    PID: 568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    PID: 2900

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    PID: 244

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 3932
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    PID: 4568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    PID: 3568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    PID: 2800

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    PID: 3904

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
    PID: 248
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    PID: 1540

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,11680900966360851706,18056383979143331834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6076 /prefetch:2
    PID: 4792
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1660

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1568
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 7c16971be0e6f1e01725260be0e299cd
  SHA1: e7dc1882a0fc68087a2d146b3a639ee7392ac5ed
  SHA256: b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0
  SHA512: dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c
- Filesize: 152B
  MD5: bdf3e009c72d4fe1aa9a062e409d68f6
  SHA1: 7c7cc29a19adb5aa0a44782bb644575340914474
  SHA256: 8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc
  SHA512: 75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8
- Filesize: 5KB
  MD5: 469345b367e079b21dae6864e4fe9945
  SHA1: d5f23944fc0fedf298261414a680087646baf343
  SHA256: 197402150068909e12cad687aa83b7c208b1a150d7dca7b777049fbd23376777
  SHA512: 9848eee5b4e0325de102a384f572a437f355a02b3b6d098261922e522f540539bcab03f1c73030e9960a30ef2580e793aab455744b7a6d0778f0e2de5ec68cbb
- Filesize: 6KB
  MD5: 34347eaa67742ac656ff4a355978c02f
  SHA1: 852585cb4e363344a9f567696c6c7e45509ae3ce
  SHA256: 6c5179ba2ceaaaa840a4c7b05e635074eb4df6fc717880f5b376a38086794f18
  SHA512: 9b20d3f868230c6166e6f6e78b5f26bf17dc4897018eabe7a60cbf5873c4f008472f5f5072223581154749be840a63f67a86799e3f7874d54e19e3dd44542e80
- Filesize: 5KB
  MD5: 5a67b0d89a906526be76ea81681d7624
  SHA1: 30ebb998741419d7e93241d1b3aca5c2741f2a39
  SHA256: b614017eca7ce1678c05f2f35a486baeb965846e2b4cb8afb9e0eb646d7ebacd
  SHA512: 50ca67187432d190e34de77d52326f5fbaace130cad80e5538a91b24be1772198b8f8f797eff48d01f8487bb1c84e01b62f685f2ff7f630039792a721e66f22c
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: beb60ddf23574ce6bb8d6c08f7ff3645
  SHA1: 63bdbd944723105a85e7e67adeb9a0b3a7d27814
  SHA256: b2742ead3f8083d5995d73f2499417338c275829b70b46a4835197abd344c0c7
  SHA512: 13e28fbd99efd1b998613f9299ca973cc6746b696923b498626b598969ad1c870cbcd3f4cf47530ab018e3031f3bfb73cb4b0757c1e979199418b3a493fa3949