Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 12:01

Errors

Reason
Machine shutdown

General

  • Target

    https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024
    1⤵
      PID:4452
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5680 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:1108
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3912 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:5004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:1972
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3876 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:4464
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5488 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:3280
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=1232 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
                1⤵
                  PID:3828
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5276 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:2512
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6412 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
                    1⤵
                      PID:3872
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6460 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
                      1⤵
                        PID:3624
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6296 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:4664
                        • C:\Windows\system32\AUDIODG.EXE
                          C:\Windows\system32\AUDIODG.EXE 0x510 0x500
                          1⤵
                            PID:4188
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
                            1⤵
                              PID:2304
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:1056
                              • C:\Windows\system32\OpenWith.exe
                                C:\Windows\system32\OpenWith.exe -Embedding
                                1⤵
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:4028
                                • C:\Windows\system32\NOTEPAD.EXE
                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Factura_6666eb127972f.zip\--
                                  2⤵
                                  • Opens file in notepad (likely ransom note)
                                  PID:1480
                              • C:\Windows\System32\msiexec.exe
                                "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Factura_6666eb127972f\Factura.msi"
                                1⤵
                                • Enumerates connected drives
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                PID:2300
                              • C:\Windows\system32\msiexec.exe
                                C:\Windows\system32\msiexec.exe /V
                                1⤵
                                • Enumerates connected drives
                                • Drops file in Windows directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2780
                                • C:\Windows\syswow64\MsiExec.exe
                                  C:\Windows\syswow64\MsiExec.exe -Embedding 18E6DD42406367B6484DE5C79758AD89
                                  2⤵
                                  • Drops startup file
                                  • Loads dropped DLL
                                  • Blocklisted process makes network request
                                  • Suspicious use of WriteProcessMemory
                                  PID:4548
                                  • C:\Users\Public\Downloads\Rar.exe
                                    "C:\Users\Public\Downloads\Rar.exe" x -df -y "C:\Users\Public\Downloads\7828C5B4-62EE-20FF-A7DA-E1E97FAFB094.rar" "C:\Users\Public\Downloads\"
                                    3⤵
                                    • Executes dropped EXE
                                    PID:3624
                                  • C:\Windows\SysWOW64\shutdown.exe
                                    "C:\Windows\SysWOW64\shutdown.exe" -r -t 15
                                    3⤵
                                      PID:860
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                  1⤵
                                  • Enumerates system info in registry
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:4924
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ff88d9a2e98,0x7ff88d9a2ea4,0x7ff88d9a2eb0
                                    2⤵
                                      PID:2476
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2304 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:2
                                      2⤵
                                        PID:4632
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2528 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:3
                                        2⤵
                                          PID:3260
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2668 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
                                          2⤵
                                            PID:4584
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
                                            2⤵
                                              PID:1652
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
                                              2⤵
                                                PID:2904
                                            • C:\Windows\system32\LogonUI.exe
                                              "LogonUI.exe" /flags:0x4 /state0:0xa39b1855 /state1:0x41c64e6d
                                              1⤵
                                              • Modifies data under HKEY_USERS
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4180

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Config.Msi\e59eba1.rbs

                                              Filesize

                                              48KB

                                              MD5

                                              f3f451b8920a5ae19daa92a83696b229

                                              SHA1

                                              4505adc31806470d8d2efb840cf4d0a5645e9e06

                                              SHA256

                                              6b32a6fab1391f70a57028066d086efd795f70ba157ad2107d716fb1baa8c74b

                                              SHA512

                                              3b0cf6a8ac33dbfe8d425763bdedeeb7745da6c319ebfe3509dba8fac67745320065adca9176492e0c188650d9b54e326ca0fbf841315b042e8fd87aa220f887

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              280B

                                              MD5

                                              2dfa02f087cb368f70e45fd442678c11

                                              SHA1

                                              0c0bb29b9d48d714634426efec1b7033589f1199

                                              SHA256

                                              f0521821cdd0c5727c9a3451dc51bdab6a6e997dd5fd4c8f327217ec5ba9aca7

                                              SHA512

                                              ac9cb00b935ebab619beb73aaff173444fdd101d6d39c2021a98d6db51234a16c2a69fa013f89bd699f75b4bb1425e6122457654ecdfa722ceed4c5c879f72df

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

                                              Filesize

                                              2B

                                              MD5

                                              99914b932bd37a50b983c5e7c90ae93b

                                              SHA1

                                              bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                              SHA256

                                              44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                              SHA512

                                              27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

                                              Filesize

                                              2B

                                              MD5

                                              d751713988987e9331980363e24189ce

                                              SHA1

                                              97d170e1550eee4afc0af065b78cda302a97674c

                                              SHA256

                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                              SHA512

                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              11KB

                                              MD5

                                              040b2a8ecb88b92721ecc96cee9e93cc

                                              SHA1

                                              78aafe701c4371afd85a6a62852306ce14deaa2c

                                              SHA256

                                              0b4602f64cacceb875c82d54c04d15648b1a8fa5526336d842d8b5f3e72aa84c

                                              SHA512

                                              596971175a1cabf7ee18a61a4e3358be3437b3ecf1468188395931f2aef94076d66fa412fabfc85437985d4078fdf7d3512707fb54551245e04f8bd5afedecdb

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                              Filesize

                                              30KB

                                              MD5

                                              d59ba4909d110da5f17714abb33d506b

                                              SHA1

                                              c26dcc53fcfd3d9d91cea60c8e963887d3e360b9

                                              SHA256

                                              f21130f4f12e7f6f12d10edeaf616c4baccca9db67e25fe51024aa38244abb5f

                                              SHA512

                                              b418358120cda74b9af7cfb3c4fcca5c5f9ddbcdc08d964fe34491ded0084d8a75eb90f83a7e988c9967f4d55bcc92095f56dd8c01e020100cc923f573baf345

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              64KB

                                              MD5

                                              a74394a7bc48e02e6e387d5de314bbd6

                                              SHA1

                                              60b9170fdf508aacc9aaa2117a969fe0260d4bf2

                                              SHA256

                                              045a5e58eab15e468e4729a7074d197a27d2ab7a1866b59c3b0cf1484ff9c32e

                                              SHA512

                                              d341cb77d15235957a56b9e40da45b3cca47832bf488da1663d8521c0585477c99154185f3c153434ebe18d6c573a23975f0989f880eb29ff45d52223bd0fabd

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              74KB

                                              MD5

                                              6e1b27c4887cd9a4e99a6a4b35a3625d

                                              SHA1

                                              1e231ac6039eb5cc497037e07ed53183a8ee36ee

                                              SHA256

                                              cf5ac5177ea433cd01931c3a61ad045ba5cbf353b3d2f2ff216427bf48b1c55d

                                              SHA512

                                              cdec267939b9a125ba2f026d80884713c7bd40da8b283d275330e30d613d8ad94406c9cd15c4dfe9d02ddb8df846d475cb9709fc5790e35de2a30b41f643ce26

                                            • C:\Users\Admin\Downloads\Factura_6666eb127972f\--

                                              Filesize

                                              257KB

                                              MD5

                                              e2aa16dea2984fee5657f54ae620d9aa

                                              SHA1

                                              ab66151bdd2a31ae406cf2651215675d9be7d251

                                              SHA256

                                              83ca041a6467b5596b8b77610e194cdf6963035f1863c9a96cef38eb80e25069

                                              SHA512

                                              e0f2cc2146b205a4259cc871d2113bedc7b62c335de806a8adef5ea6ff5754c3b646eedf872a42e9aa9c637433825ecd86a771eb02182b0db6798fa0fa69504b

                                            • C:\Users\Public\Downloads\7828C5B4-62EE-20FF-A7DA-E1E97FAFB094.rar

                                              Filesize

                                              2.0MB

                                              MD5

                                              a1af079a1b77f777db103e8a1f20eb79

                                              SHA1

                                              9e19884b953f3f344cfea572fc59cd4e89af1111

                                              SHA256

                                              ea9c863ae314a2bb70f6ae41d0c42a41e51b9cc84f9fef7da12ba2a8ab2878d2

                                              SHA512

                                              0823646eb9b04632dde36edebf93c83eadd7811cbf46ccc80c6ec541bd34abe77081c6b6fa777bf1a24e9c2c69bcbe3d9ed94dbaf0235c3e5c256642b03e649c

                                            • C:\Users\Public\Downloads\LISOFSRT584WRK

                                              Filesize

                                              737KB

                                              MD5

                                              e7e3b05028ee28e5e968f77c2931cd4d

                                              SHA1

                                              632e78cb1c9caa091d4d657e44d576f208f75f8c

                                              SHA256

                                              c30bbd342e068425c8433e17a4d8c0965e3f48a9b0e0fe983321e92b7a2df08c

                                              SHA512

                                              2bc2746b89972adc380048a84a514faaad5930d33eb42c2866e8b35dff84483bc704e06a3ae5584ad28a210df05b31bf348defadf40c90e4b636fff2ade114bc

                                            • C:\Users\Public\Downloads\Rar.exe

                                              Filesize

                                              744KB

                                              MD5

                                              16659ae52ce03889ad19db1f5710c6aa

                                              SHA1

                                              66b814fe3be64229e2cc19f0a4460e123ba74971

                                              SHA256

                                              0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

                                              SHA512

                                              f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

                                            • C:\Windows\Installer\MSIECC7.tmp

                                              Filesize

                                              816KB

                                              MD5

                                              aa88d8f40a286b6d40de0f3abc836cfa

                                              SHA1

                                              c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

                                              SHA256

                                              8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

                                              SHA512

                                              6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519