Analysis

- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/06/2024, 00:05

Tasks

- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://drive.google.com/file/d/1y0QLVfOgAby8opT5NGnJ-3jpiicf-6Uj/view?usp=drivesdk
  - Resource: win10v2004-20240426-en

General

- Target: https://drive.google.com/file/d/1y0QLVfOgAby8opT5NGnJ-3jpiicf-6Uj/view?usp=drivesdk

Malware Config

Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  6 | drive.google.com
  9 | drive.google.com

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4800 | msedge.exe (2 entries)
  3056 | msedge.exe (2 entries)
  3608 | identity_helper.exe (2 entries)
  5048 | msedge.exe (4 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  3056 | msedge.exe (all 6 entries)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  3056 | msedge.exe (all 25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  3056 | msedge.exe (all 24 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3056 wrote to memory of 692 | 3056 | msedge.exe | 82 (repeated entries)
  PID 3056 wrote to memory of 3916 | 3056 | msedge.exe | 83 (repeated entries)
  PID 3056 wrote to memory of 4800 | 3056 | msedge.exe | 84 (repeated entries)
  PID 3056 wrote to memory of 2128 | 3056 | msedge.exe | 85 (repeated entries)
  All 64 entries have source PID 3056 (msedge.exe); the target PIDs are the child Edge processes listed under Processes.
Processes

- msedge.exe, PID 3056 (depth 1)
  Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1y0QLVfOgAby8opT5NGnJ-3jpiicf-6Uj/view?usp=drivesdk
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - msedge.exe, PID 692 (depth 2, crashpad handler)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff968ca46f8,0x7ff968ca4708,0x7ff968ca4718

  - msedge.exe, PID 3916 (depth 2, GPU process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

  - msedge.exe, PID 4800 (depth 2, network service)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  - msedge.exe, PID 2128 (depth 2, storage service)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

  - msedge.exe, PID 2692 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

  - msedge.exe, PID 548 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

  - identity_helper.exe, PID 944 (depth 2)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

  - identity_helper.exe, PID 3608 (depth 2)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

  - msedge.exe, PID 4328 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

  - msedge.exe, PID 4312 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

  - msedge.exe, PID 4420 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

  - msedge.exe, PID 396 (depth 2, renderer)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

  - msedge.exe, PID 5048 (depth 2, GPU process)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3323103851494880568,5953576594535474584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

- CompPkgSrv.exe, PID 908 (depth 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- CompPkgSrv.exe, PID 4832 (depth 1)
  Path: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

- Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 336B
  MD5: 05dd891dd323fee10b0c45205a96177f
  SHA1: 8fad46bbd4b55e363d9bd19820e4721d5674699d
  SHA256: 117124931afa29d19e6251dad44c92df98f78b48d8da7cffaabebce9e74ab6e5
  SHA512: 92115a3252cac7a1295285bf7ccc559e4f07d87d0753a7b0aeafc944f72ee9387f7f4cf71e0f8eb81b1904fa3222525a986d7cd9bfc2eda5231575c146c491b6

- Filesize: 1KB
  MD5: 87f62a41a0b46753531d1249e5dedd05
  SHA1: dd6de493a923d6d81ce8ecba491b58de4d05e4bf
  SHA256: 2a09d5dbc74b874c2996c54625b6c80c07c12d11651931c0acbc91666ab9d16a
  SHA512: 14c9497c625f72de0bdb41ee8a4a9d556481771f6d06a08a61b9930ff153ba7024ab4d3aee71370ae00c5cac4532b0e5502f346b159bd202925ddd36e1d2db21

- Filesize: 1KB
  MD5: 583689fd0c987bd75675db00ea040dcf
  SHA1: 5ccbd7987aa1e789e26a03be69e3e7907e75318a
  SHA256: 8f48d40e246d5ca3af3f39b39c9ca9f37943939bc642e0905a173eb0f2bfde31
  SHA512: 44f7b53ee8ffbcbb5404320a4516ba8a262a3829f691d482166804cf90f1ba5ca1381072f64d6a19b33741fb219a7a4b49ae61a73a101baee94dfe793304d8b8

- Filesize: 5KB
  MD5: f57863f395e5ac4de9bfb95787daaa21
  SHA1: acf7a7aa62b50cd4e7b9266483e991c68a5ce1e5
  SHA256: 370696a2ef8c1e04afc4d749e16f217eee7412182645600d5ddc4cb0401cbcd2
  SHA512: 19c310d2ace666edb8540ee5721bb9092382a7a4c019412a74009617b08eed4ad6f2cda1b8a5742a66dd7402b871bdebb60350a131e256993855183d55babe0d

- Filesize: 6KB
  MD5: 475cef7f9734aebde5923d296d0ce336
  SHA1: 93ff6495cd220e8fceb22ccc89c7e8b73a77f424
  SHA256: a20ce422e8f7b257596c5f2f65979abb3297040ae401eb0114e16cb3f59b63a4
  SHA512: 961d371607a1a092684d4482b3a429d05ac4e572de870911843751eee69095388b6da61b58061f0a8cc1ec89a78bfb45d24a8ec02adceb51aa9102113d9a1f93

- Filesize: 203B
  MD5: 0e3e109060a676dc6ca4df49bcf1120d
  SHA1: ebaf6b2d117f5e8cfac90c5041b128762f20dbe8
  SHA256: 15666427d175b85027e0227fa982984d2cf1d79acd347f82894ead84202d5f52
  SHA512: d0ea0b6378223f90a44859a7c38530941db2bdade7d933e3f43ea1df1c7d4101b5bcfdd46b7faa5a6eb945c1506f056864fcca37148da5ba7fbb242c3bdd29c7

- Filesize: 203B
  MD5: 25861daf988be005d99633398f4303e0
  SHA1: 33eb0788ab621167979234bd94e0b9fa64b5622c
  SHA256: 313bcb8c5dc793cd7b47e01f264f7a7c6d9044bcfa1bfc33eabe369bdb3a0740
  SHA512: d251b77c192ac7aaeccafa8a23f78fd9f0efcb9ffb778ed922be4c475e882bf26947594df8921b7d3f0e050db73af4e30a5b2321277a1273d0dce09b7b8ac368

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 81451f8d5cad565be67ae31353fcbfe4
  SHA1: c8ec566959a4636f019970a70a1e0fe36276d4e6
  SHA256: 227148793d47248930548feac6416a1a2f89023e9e1e755c7fa112b441c6d87f
  SHA512: 76cdd71d983f7ff6caefb6b5373751fb68b748ddddbc687dd19e598a58834264aeb21a2bb6c957c576e38155a9edf98b9c27849a7ed631453329b0f98ba43053