Resubmissions
Submitted          | Analysis ID        | Score
12/05/2024, 22:37  | 240512-2jyg1sbe36  | 6
12/05/2024, 22:36  | 240512-2jmerabe33  | 1
12/05/2024, 22:34  | 240512-2g3nysgd3w  | 1
12/05/2024, 22:32  | 240512-2f8htagd3t  | 1
12/05/2024, 22:27  | 240512-2dcclagd3s  | 1

Analysis
max time kernel: 71s
max time network: 70s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 22:32
Tasks
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.luckypatchers.com/download/
  Resource: win10v2004-20240426-en

General
Target: https://www.luckypatchers.com/download/
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        | ioc                                                                   | process
  Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   | process
  1172  | msedge.exe (x2)
  4912  | msedge.exe (x2)
  4692  | identity_helper.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   | process
  4912  | msedge.exe (x6)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   | process
  4912  | msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   | process
  4912  | msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       | pid   | process     | procid_target | count
  PID 4912 wrote to memory of 4080  | 4912  | msedge.exe  | 85            | 2
  PID 4912 wrote to memory of 5088  | 4912  | msedge.exe  | 86            | 40
  PID 4912 wrote to memory of 1172  | 4912  | msedge.exe  | 87            | 2
  PID 4912 wrote to memory of 2308  | 4912  | msedge.exe  | 88            | 20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4912)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.luckypatchers.com/download/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4080)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd329346f8,0x7ffd32934708,0x7ffd32934718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5088)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1172)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2308)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2404)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4424)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4692)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2728)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3512)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 332)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2064)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,13009226744779588995,4433430713450286352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 2660)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 980)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
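Everything the signatures flag on this run is the ordinary Chromium launch pattern: the browser process (PID 4912) starts crashpad, GPU, utility and renderer children and writes into each one while bootstrapping it, which is what fires WriteProcessMemory, FindShellTrayWindow and SendNotifyMessage, and the BIOS SystemManufacturer/SystemProductName reads come from msedge.exe itself rather than from anything it downloaded. The Python script below is an added triage example, not part of the tria.ge report. It transcribes the report's process list and cross-process writes as sample data (command lines abbreviated to the flags that matter, parent PIDs inferred from the write IoCs and the tree depth, both of which are assumptions) and applies the three checks worth running before clearing a browser sandbox run: every image lives under the Edge application directory, every --type is a known Chromium process type, and every cross-process write is browser-to-own-child. The allowlist of process types and the decision to surface --service-sandbox-type=none utilities as review items are the author's choices, not tria.ge logic.

```python
"""Added triage example (not part of the tria.ge report).

Sample data is transcribed from the report's Processes section and its
WriteProcessMemory IoCs, with command lines abbreviated to the flags that
matter for classification. Parent PIDs are an assumption: the report draws
every Edge child one level below PID 4912, and the write IoCs show 4912
writing into 4080, 5088, 1172 and 2308 as they start.
"""
import re
from collections import defaultdict

EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application" + "\\"
MSEDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
HELPER = r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"'

# Chromium child process types a plain browser launch is expected to produce (assumption).
KNOWN_TYPES = {"crashpad-handler", "gpu-process", "utility", "renderer"}

# (pid, parent_pid, command line): constructed from the report, abbreviated.
PROCESSES = [
    (4912, None, MSEDGE + " --single-argument https://www.luckypatchers.com/download/"),
    (4080, 4912, MSEDGE + " --type=crashpad-handler"),
    (5088, 4912, MSEDGE + " --type=gpu-process"),
    (1172, 4912, MSEDGE + " --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    (2308, 4912, MSEDGE + " --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    (4024, 4912, MSEDGE + " --type=renderer --renderer-client-id=6"),
    (2404, 4912, MSEDGE + " --type=renderer --renderer-client-id=5"),
    (4424, 4912, HELPER + " --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none"),
    (4692, 4912, HELPER + " --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none"),
    (2728, 4912, MSEDGE + " --type=renderer --renderer-client-id=8"),
    (3512, 4912, MSEDGE + " --type=renderer --instant-process --renderer-client-id=9"),
    (332, 4912, MSEDGE + " --type=renderer --renderer-client-id=10"),
    (2064, 4912, MSEDGE + " --type=renderer --instant-process --renderer-client-id=11"),
    (2660, None, r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    (980, None, r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# (writer_pid, target_pid) pairs from the WriteProcessMemory signature, de-duplicated.
WRITES = [(4912, 4080), (4912, 5088), (4912, 1172), (4912, 2308)]


def parse_cmdline(cmd):
    """Split a Windows command line into (image path, {--flag: value})."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    image = m.group(1) or m.group(2)
    flags = {k: v.strip('"') for k, v in re.findall(r'--([\w-]+)(?:=("[^"]*"|\S*))?', cmd)}
    return image, flags


def triage(processes, writes):
    """Return {finding_kind: [...]} for anything that departs from a plain Edge launch."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    findings = defaultdict(list)
    browser = None
    for pid, _ppid, cmd in processes:
        image, flags = parse_cmdline(cmd)
        if not image.lower().startswith(EDGE_DIR.lower()):
            findings["outside_edge_dir"].append(pid)  # e.g. CompPkgSrv.exe: review separately
            continue
        ptype = flags.get("type")
        if ptype is None:
            browser = pid  # the top-level browser process carries no --type
        elif ptype not in KNOWN_TYPES:
            findings["unknown_type"].append((pid, ptype))
        if flags.get("service-sandbox-type") == "none":
            findings["unsandboxed_utility"].append((pid, flags.get("utility-sub-type")))
    for writer, target in writes:
        # The browser process writes into each child while bootstrapping it;
        # any other writer/target pair deserves a closer look.
        if not (writer == browser and parent_of.get(target) == browser):
            findings["unexpected_write"].append((writer, target))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in triage(PROCESSES, WRITES).items():
        print(f"{kind}: {items}")
```

On the report's data the script reports only the two CompPkgSrv.exe instances (outside the Edge directory, started by DCOM with -Embedding rather than by the browser) and the three utilities running with --service-sandbox-type=none (the network service and both identity_helper.exe instances). A renderer or utility writing into another process, or a --type value Chromium does not use, would be the signal that this run is more than a browser visiting a page.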
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
- Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 216B
  MD5: 96a4ea952064cd8992dbb7a7fdf09af2
  SHA1: c008984c5ac2d0fe232e08033f61e7a9d71c0b21
  SHA256: c4ed54fef9764acbc91801bb83c28742bb1bf70d923c95aa50a2023038fb539d
  SHA512: 80ccdc8f30cc5e3d3815729873166747a0d88f4330e2b66f1dfdc45c4989d80d5e3766cff10d0bf6e98a876b51940a959c2616b82f910677875cc397d0d20b7a
- Filesize: 1KB
  MD5: 8f017d23eca35757dea90c2b7ac95fab
  SHA1: 45c3ac6f455008abedb3a7bcdf9ec46250d47570
  SHA256: 9981cefc6c265dea0ba2edc0fee4059e0326c6ab31e9020d078739f3e4e2073b
  SHA512: 745ca117b743e206cad271c66cfd6f245bdcdee752976c998b8f43dda73d2fd0b39b26036481192bdd3b3910628bf8483e42d8ebc8abb944d815284bc955d12b
- Filesize: 6KB
  MD5: d1dd081520a149edbf6006407b11a670
  SHA1: 8a39a73e4665cba3d4f169772767de7536383fba
  SHA256: f6b83726d2623294eb79991849918b184a747b99f6e94ed7ac6cca737da4dde6
  SHA512: 5885e8f684e563315b92ff65084a1630826e2a5d95c49e473323f86c9fe3a15f1ba2bf0f110f4004d01edf6e825e3b8e7b8a4de6373b55adceb02e1ab98949f5
- Filesize: 6KB
  MD5: 0bbd40d22abe05463f3706c4a98772fa
  SHA1: be615fb0b1416147c5b4e601fb88628a7e954e27
  SHA256: c507fbd31be4c5852c72a0420ee6b9d9ce0a85a7a8886b06c1244e72a8b1d261
  SHA512: 10e513747e97bd60d70bcf18be316ac86845ba4a08847c89be9a0a132798424c5caa64d80f7d7028ba8585a6e9ee5582db16797e749c7226eca63978e2bc96fd
- Filesize: 5KB
  MD5: 65928094c497d0fc16886915228112c6
  SHA1: 58265243cbac9252fa7a5bc8eb409f58a4fd4af5
  SHA256: ca9c69e50c4a1519c10e7aa0874a9a8915145b6ebf381506809a863b3523f710
  SHA512: e6062ad2bdb61042bdcc5ade153f427574ab398e9d38da679c8ad0ccd14cc356f781bd048bbb9ded8ef2a5908e7dcb307399a9db6f9a397c65f17318d84a90f5
- Filesize: 874B
  MD5: eafcdfc6a8114911a1afcffc82e8ac80
  SHA1: d84928efe6702ede5d2049eff350bedccef6c64f
  SHA256: 843c82d2207047637b98d2c74b1786df034ed9fe594c8f68463fee27e7a434b2
  SHA512: d71034aac859b72d6f9c6d4c8d6e5f7d4664af62220a13fce6640191a9a695f708968c9fbfb5ea74aab755c459661d5ff323004e9311af6bc57410ae9c63d6d3
- Filesize: 538B
  MD5: c6d1be353d6806dafbd8de3e72d3eea4
  SHA1: 5af610470ee0ef69b6898e38ceea053015f0efcb
  SHA256: 5724f7a2921d82530f17b41579cde98eab979ca95d80603169999c024e86a9f2
  SHA512: f261e8b1819e6f4b380d7b12d2566a7f7d9bb927bf1fa1e976894113e6f2f2988c9212259554f83724259912f9ef86e969f25adaa124f0b8c71d7cd3d5ebce97
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 5c50126ccb6e89b53a06a45073ad7cae
  SHA1: 41f682db884176619824eec19a89f6b9fd41f8f3
  SHA256: bf469f1ec98d5a138ab277da7f3c390027c99af309364fcb06fb8e9739dc430d
  SHA512: a1ac513f372d460d17cc8d32e9ae48ffb84241df9b65ae2ec2a676109c06d30e131adc195042e8962fb5d0d88e48ede7ba00cff51eea321ae56c40c0b2f2624b