Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
28/05/2024, 18:09
240528-wrsc3see4v 428/05/2024, 18:08
240528-wq4pqaff53 128/05/2024, 18:04
240528-wntrqsfe48 1Analysis
-
max time kernel
126s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28/05/2024, 18:04
General
-
Target
https://www.lookoutnotifications.com/1/?utm_source=TW&utm_campaign=2854360d
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.lookoutnotifications.com/1/?utm_source=TW&utm_campaign=2854360d1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc752146f8,0x7ffc75214708,0x7ffc752147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15907998619353242133,8245342428235129066,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Documents\ClearUnblock.potm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\HideStart.pptx" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
Filesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
Filesize
96B
MD5126a95f0f380978bbcbbd1fad3c6df1a
SHA1ee62e8f1732dae36f7ebafc769924a1ec67c8103
SHA256911f2a3c4cd0c188707bf2e9eb8701a864e38ebe532063c522bbf8d0f525565e
SHA51201a953a5e6bcadd95f914f75097fa9b9c33e47c2e2a82be3e295eb19cadc6d2a87f402df054c3521ca10c15c6b37d00e29d68d9ff2d7dbd219b9db2112ce43cb
-
Filesize
444B
MD56326b97a048695c97cb6e26d436f5b55
SHA1811a44f3052cb03cc39a47b7aaa982d7cf90c0d4
SHA256c698fca84e7b42e685d303e180104539642abd000527aa40364bbdb4abf9b4f1
SHA512aace799edf06f53064ea8ef56eed388251d636f593880300e4d8770eec726eaeedf4095faae6e7da0b3243592d29fdc04b334fa92c90e7118ce477e25d2caa88
-
Filesize
5KB
MD59db1bc9377e728b384bc5441a4f83593
SHA1179b24c15f1b78d16644c9dc890f1835e0972caa
SHA256d1e7a5c1475ded1972803935d36a3f94f50596141e173dad53de36bdbad3c301
SHA512a6fc9a9a452a2919c835bba5d4bde30de8cba5c190cd7412e4022fc9fc88d74f7d627d267797bde8834aa7be470879155a1e4bd00f249e90feee3c96f636b02b
-
Filesize
6KB
MD56d66a3a44f36c23c379597bfff6478bd
SHA1a160ddcc6a46d4324aa0be0e1c08e79b1e578a23
SHA256022ff9c005e6941473679f5ed6f997d61696a176e149b741b10bb5fb859c9f45
SHA512e586d00fbf20146623e53f63cd434fa31d5d0038b1d65ae9bef7b250f6d8165e6fc0d880cc1484d81034f7d4dd4c99ca642705efe7bae7b97c239ac348aad8bd
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5b9e2832c877272b69f3291b71a75d4b4
SHA1193517d66f6676275adc62aa1c4bfd50f25680af
SHA2564b45cbbb5dbcbb2b1bcc029176af8e0018bea142e2b7f2b0615bed97622ce1c1
SHA512b804b30e35cd5d20ffa4410dfc46536b2bee46444f449a6bb2f6b42d65cb430536cf935be20c21733275c78cf62e86242bfa3f419ad803eaa607481435b110f4
-
Filesize
12KB
MD5b31470aaac5b8644d3e53dfe217c30ee
SHA1769928e0853b523242a5d2dcc2b6b96974252f3a
SHA256ad4f19511687114a57a3d86f138d2e707baa2af706038fddcdb9ced1c96060a5
SHA512d8411ebad37268505234374285b183d346835b90e5a1cbd42ff345a3f2193934e49415448414c4ee41eb7e0e014250ceece799edcc63a1b29a835225c9d83808
-
Filesize
11KB
MD5eb61e45003b2315f2242ef516d5df669
SHA1fd378d3d627cae6478ad0deb85938e6dd9f2bbba
SHA256999dfa5922c0b177ade6e5192765903695e852c564ba32205772883f2900e859
SHA5125bcbfc21587e62b4d68da12f381f46c85fd31804065bc7f041e6272faa4a0dfa4d5f74e55e5ab5821694ea880f3ae11cabccb826cd8478fd527adde141283977
-
Filesize
161KB
MD548fe9f9b9a455806648de04dd7d339fd
SHA151066fb82b0c691976d44d35a86af3a18eb6c444
SHA2567a6b331c537261a68a70cda855456a8497871013610ec1a36b3d4c68072d8361
SHA51235bd28c6d89424962efa7d3547716c035e5d11c4ab71297adbddab39e1994d79700ba8509dc16098357120d2be37b848c926753722cb25461e2f106071c79606
-
Filesize
372KB
MD570b5473b312fd9668a64a5c6884f8b49
SHA1f853e17c23ff03ac98e08b215fbd7f038548c3bc
SHA256666459ed16a451d55482fac8108ee0e2dd81029ae4fd4d3d399d23c237aaff02
SHA512493d126a1f5cb8e2c83c8afb99f2d8c5f4dfc91b4c03fa6b27d627aa25a1afd3574273e7ec146854d3b718ef67eb2a8cea658d7ed354270e3487c59b7a44726a
-
Filesize
24KB
MD5a6064fc9ce640751e063d9af443990da
SHA1367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
SHA2565f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
SHA5120e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0
-
Filesize
2KB
MD5fbcfef74fe92c57716d48a330c829dae
SHA1be1f8c58ae2830efd1e02a659c2911f4b334a24a
SHA25649f524a19fd796efb0a8b5a543ba62cf624423937e47836a37400037afde9bee
SHA512e2468823d1164b1728f23ec45419820cbeb038e5f38b07cd50ebe59ca3c5a17ffd2d90ef5afa591da834e156e20ce2fbac4ec87977e94b7b14efdb38859c44e4
-
Filesize
4KB
MD5fb2cf4b0f67dde90ef26d35b5497ce8f
SHA1cf71f765c3e233fc0714c81d4369243c6f38bfb9
SHA2561d7cdc95f79c03d1f3effc44ca5b9c0f54ddc09e27c248fba6e5fc36f1701391
SHA5123036c898913ffe1a9eb7a850a64abfed8a899ebd9c854038958aba10a922b89c403cdc10b7efb205228cb9527081ef48ba668bb2e7094734decc3272a2b30671
-
Filesize
4KB
MD50bcf65c8d2a81e32fc850fe5a297c426
SHA1cc47e79b84f84556d37649b179fc0341963a06a9
SHA2567733419f4a034972b26544c5ec32a48f9dbea5b8ab1a3cbed8002a25ce017f6d
SHA512e8fac957930e1ceae7dad37dde0f46da801b79f6402fd0ab8dad6a8289098df02c4504b57dc28468d53320ec03a81c36b78e96e38441ee6b56002f9a50d47e1f
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB