Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20/05/2024, 04:12 UTC

General

  • Target

    http://www.builderclub.com/web/js/jquery/jquery.scrollTo-min.js

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 5 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "http://www.builderclub.com/web/js/jquery/jquery.scrollTo-min.js"
    1⤵
      PID:540
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4040
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\jquery.scrollTo-min.js"
        2⤵
          PID:3064
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4588
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4308
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        PID:1240
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        PID:3684
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2028

      Network

      • flag-us
        DNS
        www.builderclub.com
        MicrosoftEdgeCP.exe
        Remote address:
        8.8.8.8:53
        Request
        www.builderclub.com
        IN A
        Response
        www.builderclub.com
        IN A
        88.99.192.59
      • flag-de
        GET
        http://www.builderclub.com/web/js/jquery/jquery.scrollTo-min.js
        MicrosoftEdgeCP.exe
        Remote address:
        88.99.192.59:80
        Request
        GET /web/js/jquery/jquery.scrollTo-min.js HTTP/1.1
        Accept: text/html, application/xhtml+xml, image/jxr, */*
        Accept-Language: en-US
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
        Accept-Encoding: gzip, deflate
        Host: www.builderclub.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.10.1
        Date: Mon, 20 May 2024 04:12:29 GMT
        Content-Type: text/javascript; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Content-Encoding: gzip
      • flag-us
        DNS
        59.192.99.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        59.192.99.88.in-addr.arpa
        IN PTR
        Response
        59.192.99.88.in-addr.arpa
        IN PTR
        builderclub.com
      • flag-us
        DNS
        161.19.199.152.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        161.19.199.152.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        79.190.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.190.18.2.in-addr.arpa
        IN PTR
        Response
        79.190.18.2.in-addr.arpa
        IN PTR
        a2-18-190-79.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        200.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.197.79.204.in-addr.arpa
        IN PTR
        Response
        200.197.79.204.in-addr.arpa
        IN PTR
        a-0001.a-msedge.net
      • flag-us
        DNS
        www.microsoft.com
        MicrosoftEdge.exe
        Remote address:
        8.8.8.8:53
        Request
        www.microsoft.com
        IN A
        Response
        www.microsoft.com
        IN CNAME
        www.microsoft.com-c-3.edgekey.net
        www.microsoft.com-c-3.edgekey.net
        IN CNAME
        www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
        www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
        IN CNAME
        e13678.dscb.akamaiedge.net
        e13678.dscb.akamaiedge.net
        IN A
        23.55.97.181
      • flag-be
        GET
        https://www.bing.com/cortanaassist/rules?cc=US&version=6
        MicrosoftEdge.exe
        Remote address:
        2.17.107.105:443
        Request
        GET /cortanaassist/rules?cc=US&version=6 HTTP/2.0
        host: www.bing.com
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
        dnt: 1
        Response
        HTTP/2.0 404
        cache-control: private
        content-length: 53049
        content-type: text/html; charset=utf-8
        content-encoding: br
        vary: Accept-Encoding
        p3p: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
        x-eventid: 664acdee459e42e88852bbe8111885cd
        useragentreductionoptout: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-error-page: 404-custom
        x-ua-compatible: IE=edge
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: C0E89C9B41F740938A6BC0D4770B776A Ref B: AMS04EDGE3316 Ref C: 2024-05-20T04:13:34Z
        date: Mon, 20 May 2024 04:13:34 GMT
        set-cookie: MUID=33C14B62827362FE3B465FE7839E63F3; domain=.bing.com; expires=Sat, 14-Jun-2025 04:13:34 GMT; path=/; secure; SameSite=None
        set-cookie: MUIDB=33C14B62827362FE3B465FE7839E63F3; expires=Sat, 14-Jun-2025 04:13:34 GMT; path=/; HttpOnly
        set-cookie: _EDGE_S=F=1&SID=3D8CF1B49B0161270D44E5319AEC6035&mkt=en-us; domain=.bing.com; path=/; HttpOnly
        set-cookie: _EDGE_V=1; domain=.bing.com; expires=Sat, 14-Jun-2025 04:13:34 GMT; path=/; HttpOnly
        set-cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Wed, 20-May-2026 04:13:34 GMT; path=/
        set-cookie: SRCHUID=V=2&GUID=8D2C5C58F0A44C29858CD48E2EF02B91&dmnchg=1; domain=.bing.com; expires=Wed, 20-May-2026 04:13:34 GMT; path=/
        set-cookie: SRCHUSR=DOB=20240520; domain=.bing.com; expires=Wed, 20-May-2026 04:13:34 GMT; path=/
        set-cookie: SRCHHPGUSR=SRCHLANG=en; domain=.bing.com; expires=Wed, 20-May-2026 04:13:34 GMT; path=/
        set-cookie: _SS=SID=3D8CF1B49B0161270D44E5319AEC6035; domain=.bing.com; path=/
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.656b1102.1716178414.68245127
      • flag-us
        DNS
        239.249.30.184.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        239.249.30.184.in-addr.arpa
        IN PTR
        Response
        239.249.30.184.in-addr.arpa
        IN PTR
        a184-30-249-239.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        105.107.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        105.107.17.2.in-addr.arpa
        IN PTR
        Response
        105.107.17.2.in-addr.arpa
        IN PTR
        a2-17-107-105.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        181.97.55.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.97.55.23.in-addr.arpa
        IN PTR
        Response
        181.97.55.23.in-addr.arpa
        IN PTR
        a23-55-97-181.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        29.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        29.243.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        84.65.42.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        84.65.42.20.in-addr.arpa
        IN PTR
        Response
      • 88.99.192.59:80
        http://www.builderclub.com/web/js/jquery/jquery.scrollTo-min.js
        http
        MicrosoftEdgeCP.exe
        684 B
        2.4kB
        7
        6

        HTTP Request

        GET http://www.builderclub.com/web/js/jquery/jquery.scrollTo-min.js

        HTTP Response

        200
      • 88.99.192.59:80
        www.builderclub.com
        MicrosoftEdgeCP.exe
        190 B
        132 B
        4
        3
      • 204.79.197.200:443
        ieonline.microsoft.com
        tls, http2
        MicrosoftEdge.exe
        1.2kB
        8.1kB
        15
        13
      • 2.17.107.105:443
        https://www.bing.com/cortanaassist/rules?cc=US&version=6
        tls, http2
        MicrosoftEdge.exe
        3.2kB
        61.1kB
        56
        51

        HTTP Request

        GET https://www.bing.com/cortanaassist/rules?cc=US&version=6

        HTTP Response

        404
      • 2.17.107.105:443
        www.bing.com
        tls, http2
        MicrosoftEdge.exe
        1.1kB
        4.8kB
        15
        12
      • 8.8.8.8:53
        www.builderclub.com
        dns
        MicrosoftEdgeCP.exe
        65 B
        81 B
        1
        1

        DNS Request

        www.builderclub.com

        DNS Response

        88.99.192.59

      • 8.8.8.8:53
        59.192.99.88.in-addr.arpa
        dns
        71 B
        100 B
        1
        1

        DNS Request

        59.192.99.88.in-addr.arpa

      • 8.8.8.8:53
        161.19.199.152.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        161.19.199.152.in-addr.arpa

      • 8.8.8.8:53
        79.190.18.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        79.190.18.2.in-addr.arpa

      • 8.8.8.8:53
        200.197.79.204.in-addr.arpa
        dns
        73 B
        106 B
        1
        1

        DNS Request

        200.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        www.microsoft.com
        dns
        MicrosoftEdge.exe
        63 B
        230 B
        1
        1

        DNS Request

        www.microsoft.com

        DNS Response

        23.55.97.181

      • 8.8.8.8:53
        239.249.30.184.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        239.249.30.184.in-addr.arpa

      • 8.8.8.8:53
        105.107.17.2.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        105.107.17.2.in-addr.arpa

      • 8.8.8.8:53
        181.97.55.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        181.97.55.23.in-addr.arpa

      • 8.8.8.8:53
        29.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        29.243.111.52.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        84.65.42.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        84.65.42.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q7BUKSPQ\edgecompatviewlist[1].xml

        Filesize

        74KB

        MD5

        d4fc49dc14f63895d997fa4940f24378

        SHA1

        3efb1437a7c5e46034147cbbc8db017c69d02c31

        SHA256

        853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

        SHA512

        cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5OE8VQ35\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3AM86EZ9\jquery.scrollTo-min[1].js

        Filesize

        4KB

        MD5

        fbab3fade9ad2e86a4c27a535a1a1c86

        SHA1

        fa6b7ef7cf793eebae01b204f3fd6f50af11d8bb

        SHA256

        549796e64048fbf0f92781482e16023f772e11941706433d88317e316440ce83

        SHA512

        ddcf58c8e98565bc74e63ea74828f352af22b0f277029508af55a9f4e1b7e22354ba58987a05976d776c4f7c1d3b00f5ede50c9cbef63453cbca8ace9343f07d

      • memory/1240-49-0x0000018DC53E0000-0x0000018DC53E2000-memory.dmp

        Filesize

        8KB

      • memory/1240-52-0x0000018DC5610000-0x0000018DC5612000-memory.dmp

        Filesize

        8KB

      • memory/1240-54-0x0000018DC56D0000-0x0000018DC56D2000-memory.dmp

        Filesize

        8KB

      • memory/3684-70-0x000001DAB1000000-0x000001DAB1100000-memory.dmp

        Filesize

        1024KB

      • memory/4040-66-0x000001F9D0160000-0x000001F9D0161000-memory.dmp

        Filesize

        4KB

      • memory/4040-65-0x000001F9D0150000-0x000001F9D0151000-memory.dmp

        Filesize

        4KB

      • memory/4040-16-0x000001F9C9C20000-0x000001F9C9C30000-memory.dmp

        Filesize

        64KB

      • memory/4040-88-0x000001F9D0B00000-0x000001F9D0C38000-memory.dmp

        Filesize

        1.2MB

      • memory/4040-35-0x000001F9C6DE0000-0x000001F9C6DE2000-memory.dmp

        Filesize

        8KB

      • memory/4040-0-0x000001F9C9B20000-0x000001F9C9B30000-memory.dmp

        Filesize

        64KB

      • memory/4308-45-0x0000015C6E540000-0x0000015C6E640000-memory.dmp

        Filesize

        1024KB

      • memory/4308-44-0x0000015C6E540000-0x0000015C6E640000-memory.dmp

        Filesize

        1024KB

      • memory/4308-43-0x0000015C6E540000-0x0000015C6E640000-memory.dmp

        Filesize

        1024KB
