Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24/05/2024, 20:27
General
-
Target
Fortsense.exe
-
Size
13.4MB
-
MD5
1993f123a88ef213a06973075cc6d3b5
-
SHA1
776b0b8cb2a2e84e786ea0b3cbf4c2d5e8f84d5e
-
SHA256
cb4922def6592c8d142aba09ead69370b1619fe89c704111b76f698ae5835391
-
SHA512
9940fd00c9512b1a4bdedbe4f9de91977c7f00acb472a3d2af564c1e6ec32a2f13dd87b445dd772b8ddc29aa7e36953bf30a04879ddad9f5329dd69bdf6013f2
-
SSDEEP
393216:GkajSM7ZFn7ty5FjVsFjo9QXG38CcQGap:6jSAPtyDVKcQo0QTp
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fortsense.exe"C:\Users\Admin\AppData\Local\Temp\Fortsense.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff85a4246f8,0x7ff85a424708,0x7ff85a4247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14027218065573016158,7701364451429100278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
Filesize
230B
MD57750806677acc366f18d9f0b3e3a1fce
SHA1973b6e98bca2bdf5562dfa13061f60af4d3f917c
SHA256aaad389ad0a2e2cc8f92bef71d17d889cf20e51a4df2b0a98ee344bc62395d9e
SHA512c29b7d5492a4f74014714ea726357df8cc7cbb5e6535d24b35bfabf77bb56b1eaab154d3ec9ef0c403454b827d1f235c87d5132ba4ec793ad3b16259ccb7f62a
-
Filesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
Filesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
Filesize
864B
MD51061e98d21097902662c129bb355beab
SHA1e743a81dc4c3125b5bdbc67f8d67d70a09a57d06
SHA256df0dc6e891554f7a73b8429357d954a5a01a72080aea3f47dd6bdd021daa490f
SHA512a54f14e747bcb794662a9a4c7bfbca0160e17b41c6dbae1bc99a0d6e45ea9b49e789e0708aff575ffd8542b2d55dcc85626083cf5e49a7691751c82514c0038f
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
3KB
MD53fc15e6731255345a1035962f93f2254
SHA127fd98543f895a165e5f6795e8195df2a36cdb4a
SHA256604c94191f58aea54414f801ef7d84f706e86590bb72d08d6c1e2706ab4f94cf
SHA5122ab0cefecf2087fe5fe87a34eb58d11ec392c78ea87abfac623e96bb611f7d1c0fa8650ae627392e8bbbb304ed3ca07af74f05d5a33cffc4e7b23612b27685dc
-
Filesize
5KB
MD5c472ca53681875fb3626562d921de131
SHA1be1fec750d78b9f909ade6d538baba6c5755223c
SHA2568ea66d055be12c054f56bac3916e8f71a598d84c1a4caebc38e0e7d62f21d98b
SHA512409fcdd635d91060f88c605cf62017db5f7be3b50aba6411384dce94a84195f78bda8568513111926f9298e29963b3c6924da158148d67b64acfdf4ea6896e99
-
Filesize
6KB
MD501dfb5595a2fb7bbbb476170b353f9f1
SHA1700245155df002fc6c41a03be4eab558773c49fa
SHA2561ec489ace8fb403e033188f320927e83efed7e541f95a8f7c38b882c5275829b
SHA512a4a8b954131f00a0e8126221c93474ee8c8c6389aec2b47451e6488bc1fffef37c17e62dda8d86d6880b6b2d01b734181eadd14a0d370ad64a7673cba187590c
-
Filesize
8KB
MD56296066f89b1b9483a683bbc5773a091
SHA17fa2468194e661adc7c32d506ee66492f6fa2f70
SHA256ee118cb725f6e1464e4da63ce2cf1be74c8c0d1c31fd6bd42375a7897241833b
SHA5125dbc88f8be20552ade6f4c1bc773a8dbb70e93bf59e4ed375cc55901ebdc6eac745b747bb58d63118f380f2a95f1b49a13fa4311bf4f4b0ae72162de4dcc3aab
-
Filesize
6KB
MD520d5af203d806d7593cb4bad0a3f1bc6
SHA19b1ead801bde79102b92f22f62209e89505ec426
SHA2567b33062f2d7d1cc775567e48daea3769c434283b01f32380b115fdcf9bae6099
SHA512007cfd50ad857891fee83f569acd361633c53eabb1e4fbec3bc68b82212c0cb075044f8988e186d2e3bb8e4f3da1e66fd114f8bebfa7efdd310888c57fbab76e
-
Filesize
8KB
MD55540a26416b0f09a2fe9aa9283443639
SHA1cd5215fa752e3c5f12ac325d8f3078e31763a031
SHA25638713dc2d7826d01708ba06308deccd88961f383e7a58ca8ec83b2803bc2980b
SHA5129d607e6e4afcd75f43e0eeff29a9158b4e89c086b722f1bb5c8f080d384022a95d12f26b37d71b10a8dc2fa356ce6a62ce80f3fecaeebb277d31110878b033ae
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5fb31d2b358410707dc86affe9eb95a6a
SHA106466b8b2402cb7dce16597bed743e0e201cb78c
SHA2560c32abcd05f7a5843c6316b515cede5231adc9e3cb13321aea5762e155db36ff
SHA5124ee17f7949498478a071a4ffc67c0c7cd7fc8bccd4c15d195977d6ca9cace5af59fafa9129e92230787fc2be1304a750e887bd59edc23e374218d545294f9ac0
-
Filesize
12KB
MD55d5805b5213decf570e75cb516b1cff7
SHA14b004b950abc5d8d20730a6f5f578eb94b201d6e
SHA25645276ae78abfc33a3553a1f01d3fb6d739cddb5f05326b7e8c161e8fcc767edc
SHA5121262e14ec6a90a1c0e0ab02bfa1d7a7149345f0307f95560533a11b4006296f8879da25a47f4ebe6f3e6863a506c4057f8d4c7a4d756881687d63dee574997bf
-
Filesize
11KB
MD547cdc42db06858219b2731460409fa4a
SHA118ca2f14215509493fff18e28dd5405f46801053
SHA2560cf30450b2c92e76b6cf03069ff990685215991b8f6f561b69caf1235c10e588
SHA51209281d40e41158b12b5f381d916e10544144377b824a8e6614e84c44cdaca78d6745db7d694f118a4f267efa72fdc0d9ecea8153133f4d1d9e372617f14f5300
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB