Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
157s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10/06/2024, 12:01
Errors
General
-
Target
https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024
Malware Config
Signatures
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura20241⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5680 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3912 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3876 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5488 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=1232 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5276 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6412 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6460 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6296 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x510 0x5001⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Factura_6666eb127972f.zip\--2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Factura_6666eb127972f\Factura.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 18E6DD42406367B6484DE5C79758AD892⤵
- Drops startup file
- Loads dropped DLL
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\Rar.exe"C:\Users\Public\Downloads\Rar.exe" x -df -y "C:\Users\Public\Downloads\7828C5B4-62EE-20FF-A7DA-E1E97FAFB094.rar" "C:\Users\Public\Downloads\"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\SysWOW64\shutdown.exe" -r -t 153⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ff88d9a2e98,0x7ff88d9a2ea4,0x7ff88d9a2eb02⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2304 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2528 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2668 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:82⤵
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b1855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5f3f451b8920a5ae19daa92a83696b229
SHA14505adc31806470d8d2efb840cf4d0a5645e9e06
SHA2566b32a6fab1391f70a57028066d086efd795f70ba157ad2107d716fb1baa8c74b
SHA5123b0cf6a8ac33dbfe8d425763bdedeeb7745da6c319ebfe3509dba8fac67745320065adca9176492e0c188650d9b54e326ca0fbf841315b042e8fd87aa220f887
-
Filesize
280B
MD52dfa02f087cb368f70e45fd442678c11
SHA10c0bb29b9d48d714634426efec1b7033589f1199
SHA256f0521821cdd0c5727c9a3451dc51bdab6a6e997dd5fd4c8f327217ec5ba9aca7
SHA512ac9cb00b935ebab619beb73aaff173444fdd101d6d39c2021a98d6db51234a16c2a69fa013f89bd699f75b4bb1425e6122457654ecdfa722ceed4c5c879f72df
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
11KB
MD5040b2a8ecb88b92721ecc96cee9e93cc
SHA178aafe701c4371afd85a6a62852306ce14deaa2c
SHA2560b4602f64cacceb875c82d54c04d15648b1a8fa5526336d842d8b5f3e72aa84c
SHA512596971175a1cabf7ee18a61a4e3358be3437b3ecf1468188395931f2aef94076d66fa412fabfc85437985d4078fdf7d3512707fb54551245e04f8bd5afedecdb
-
Filesize
30KB
MD5d59ba4909d110da5f17714abb33d506b
SHA1c26dcc53fcfd3d9d91cea60c8e963887d3e360b9
SHA256f21130f4f12e7f6f12d10edeaf616c4baccca9db67e25fe51024aa38244abb5f
SHA512b418358120cda74b9af7cfb3c4fcca5c5f9ddbcdc08d964fe34491ded0084d8a75eb90f83a7e988c9967f4d55bcc92095f56dd8c01e020100cc923f573baf345
-
Filesize
64KB
MD5a74394a7bc48e02e6e387d5de314bbd6
SHA160b9170fdf508aacc9aaa2117a969fe0260d4bf2
SHA256045a5e58eab15e468e4729a7074d197a27d2ab7a1866b59c3b0cf1484ff9c32e
SHA512d341cb77d15235957a56b9e40da45b3cca47832bf488da1663d8521c0585477c99154185f3c153434ebe18d6c573a23975f0989f880eb29ff45d52223bd0fabd
-
Filesize
74KB
MD56e1b27c4887cd9a4e99a6a4b35a3625d
SHA11e231ac6039eb5cc497037e07ed53183a8ee36ee
SHA256cf5ac5177ea433cd01931c3a61ad045ba5cbf353b3d2f2ff216427bf48b1c55d
SHA512cdec267939b9a125ba2f026d80884713c7bd40da8b283d275330e30d613d8ad94406c9cd15c4dfe9d02ddb8df846d475cb9709fc5790e35de2a30b41f643ce26
-
Filesize
257KB
MD5e2aa16dea2984fee5657f54ae620d9aa
SHA1ab66151bdd2a31ae406cf2651215675d9be7d251
SHA25683ca041a6467b5596b8b77610e194cdf6963035f1863c9a96cef38eb80e25069
SHA512e0f2cc2146b205a4259cc871d2113bedc7b62c335de806a8adef5ea6ff5754c3b646eedf872a42e9aa9c637433825ecd86a771eb02182b0db6798fa0fa69504b
-
Filesize
2.0MB
MD5a1af079a1b77f777db103e8a1f20eb79
SHA19e19884b953f3f344cfea572fc59cd4e89af1111
SHA256ea9c863ae314a2bb70f6ae41d0c42a41e51b9cc84f9fef7da12ba2a8ab2878d2
SHA5120823646eb9b04632dde36edebf93c83eadd7811cbf46ccc80c6ec541bd34abe77081c6b6fa777bf1a24e9c2c69bcbe3d9ed94dbaf0235c3e5c256642b03e649c
-
Filesize
737KB
MD5e7e3b05028ee28e5e968f77c2931cd4d
SHA1632e78cb1c9caa091d4d657e44d576f208f75f8c
SHA256c30bbd342e068425c8433e17a4d8c0965e3f48a9b0e0fe983321e92b7a2df08c
SHA5122bc2746b89972adc380048a84a514faaad5930d33eb42c2866e8b35dff84483bc704e06a3ae5584ad28a210df05b31bf348defadf40c90e4b636fff2ade114bc
-
Filesize
744KB
MD516659ae52ce03889ad19db1f5710c6aa
SHA166b814fe3be64229e2cc19f0a4460e123ba74971
SHA2560b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
SHA512f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398
-
Filesize
816KB
MD5aa88d8f40a286b6d40de0f3abc836cfa
SHA1c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
SHA2568d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
SHA5126c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519