Analysis

max time kernel: 27s
max time network: 29s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 18:33

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbVBjT3UyRmk1a0t0a2tDY0xEeFFrYkpkWVV3QXxBQ3Jtc0tsdE50Y05hdzhRLWVXM3RsRHVMV3BkZFFqZVlhY1c4YkZJTmJfQTNhdEZFaVJiRXVEX2RadzhmNFJVbmUxT1BIUmQwMWY4X0lodVp5M2xFUFFfR1gxamhMeXRiTTA2bFRKM2RsbnVuX2xMSHBhRWwzWQ&q=https%3A%2F%2Fwww.virustotal.com%2Fgui%2Ffile%2F5bc59de013e0a1272c43bbd82179a60314ae2dfdcda13ee03140e730daeac230%2Fbehavior&v=GF7oK-Z_Sao
Resource: win10v2004-20240508-en
General

Target: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbVBjT3UyRmk1a0t0a2tDY0xEeFFrYkpkWVV3QXxBQ3Jtc0tsdE50Y05hdzhRLWVXM3RsRHVMV3BkZFFqZVlhY1c4YkZJTmJfQTNhdEZFaVJiRXVEX2RadzhmNFJVbmUxT1BIUmQwMWY4X0lodVp5M2xFUFFfR1gxamhMeXRiTTA2bFRKM2RsbnVuX2xMSHBhRWwzWQ&q=https%3A%2F%2Fwww.virustotal.com%2Fgui%2Ffile%2F5bc59de013e0a1272c43bbd82179a60314ae2dfdcda13ee03140e730daeac230%2Fbehavior&v=GF7oK-Z_Sao
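The target is not a page of its own but a youtube.com/redirect wrapper: the destination the victim actually lands on sits percent-encoded in the q parameter (here a virustotal.com file page), and the sandbox only ever sees Edge being launched with the wrapper. The Python below is an added example, not part of the Triage report, that unwraps such redirector URLs offline so an analyst reads the final destination before detonating anything. The REDIRECTORS table of host-to-parameter names is an assumption for the example, and the nested URL used to exercise it is constructed.

```python
from urllib.parse import urlparse, parse_qs

# The analysis target, copied from this report.
TARGET = (
    "https://www.youtube.com/redirect?event=video_description"
    "&redir_token=QUFFLUhqbVBjT3UyRmk1a0t0a2tDY0xEeFFrYkpkWVV3QXxBQ3Jtc0tsdE50Y05hdzhRLWVXM3RsRHVMV3BkZFFqZVlhY1c4YkZJTmJfQTNhdEZFaVJiRXVEX2RadzhmNFJVbmUxT1BIUmQwMWY4X0lodVp5M2xFUFFfR1gxamhMeXRiTTA2bFRKM2RsbnVuX2xMSHBhRWwzWQ"
    "&q=https%3A%2F%2Fwww.virustotal.com%2Fgui%2Ffile%2F5bc59de013e0a1272c43bbd82179a60314ae2dfdcda13ee03140e730daeac230%2Fbehavior"
    "&v=GF7oK-Z_Sao"
)

# Redirector hosts and the query parameter that carries their destination.
# Assumed for this example; extend it with the redirectors seen in your own telemetry.
REDIRECTORS = {
    "www.youtube.com": ("q",),
    "youtube.com": ("q",),
    "www.google.com": ("url", "q"),
    "l.facebook.com": ("u",),
}


def unwrap_redirect(url, max_hops=5):
    """Return the hop chain [url, dest1, dest2, ...] obtained by reading the
    destination parameter of known redirectors, without contacting any host.
    Stops at an unknown host, a missing parameter, a non-http(s) destination,
    a destination already in the chain, or after max_hops wrappers."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        params = REDIRECTORS.get(parsed.netloc.lower())
        if not params:
            break
        query = parse_qs(parsed.query)          # parse_qs already percent-decodes values
        dest = next((query[k][0] for k in params if k in query), None)
        if dest is None or urlparse(dest).scheme not in ("http", "https"):
            break                               # e.g. javascript: or data: payloads
        if dest in chain:
            break                               # redirector pointing back at itself
        chain.append(dest)
    return chain


def redirect_summary(url):
    """Compact description of a wrapped URL: the host of every hop and the
    final destination an analyst should actually be assessing."""
    chain = unwrap_redirect(url)
    return {
        "hops": [urlparse(u).netloc.lower() for u in chain],
        "final": chain[-1],
        "wrapped": len(chain) > 1,
    }


if __name__ == "__main__":
    print(redirect_summary(TARGET))
```

Run it on the report's target and the summary shows one hop, www.youtube.com to www.virustotal.com, with the decoded VirusTotal file URL as the final destination. The scheme check matters: a redirector parameter carrying javascript: or data: is left unwrapped rather than treated as a destination.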
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | process | entries
5100 | msedge.exe | 2
4804 | msedge.exe | 3
4812 | identity_helper.exe | 2

Suspicious behavior: LoadsDriver (6 IoCs)
pid | process | entries
4 | Process not Found | 5
664 | Process not Found | 1
(pid 4 is the Windows System process; neither pid belongs to the traced process tree below, hence "Process not Found".)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
pid | process | entries
4804 | msedge.exe | 8

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | process | entries
4804 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
pid | process | entries
4804 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
writer pid | writer process | target pid | procid_target | entries
4804 | msedge.exe | 372 | 81 | 2
4804 | msedge.exe | 1976 | 82 | 40
4804 | msedge.exe | 5100 | 83 | 2
4804 | msedge.exe | 3812 | 84 | 20
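Every write in the WriteProcessMemory table comes from the browser process (4804) and lands in a process that the tree below shows 4804 spawned itself (crashpad handler, GPU process, network and storage utilities). That is how Chromium's sandbox broker initialises its children, so for a browser sample this signature is expected noise; the pattern worth an analyst's time is a write into a process the writer did not spawn. The Python below is an added example, not part of the Triage report, that groups the events by writer/target and checks each target against the process tree. PIDs and image paths are copied from this report and the event counts match its table; the final write into CompPkgSrv.exe (pid 3008) is constructed for the example to show what a flagged pair looks like.

```python
from collections import Counter

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
IDHELPER = r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"
COMPPKG = r"C:\Windows\System32\CompPkgSrv.exe"

# Process tree taken from this report's Processes section: pid -> (parent pid, image).
PROCESSES = {
    4804: (None, EDGE),      # browser process: --single-argument <url>
    372:  (4804, EDGE),      # --type=crashpad-handler
    1976: (4804, EDGE),      # --type=gpu-process
    5100: (4804, EDGE),      # utility: network.mojom.NetworkService
    3812: (4804, EDGE),      # utility: storage.mojom.StorageService
    3712: (4804, EDGE),      # renderer
    4812: (4804, IDHELPER),  # utility: winrt_app_id.mojom.WinrtAppIdService
    3008: (None, COMPPKG),   # CompPkgSrv.exe -Embedding, not an Edge child
}

# (writer pid, target pid) events.  The first four groups reproduce the counts
# in the report's WriteProcessMemory table (64 events in total); the last event
# is constructed for this example and is NOT in the report.
WRITES = (
    [(4804, 372)] * 2
    + [(4804, 1976)] * 40
    + [(4804, 5100)] * 2
    + [(4804, 3812)] * 20
    + [(4804, 3008)]   # constructed: browser writing into an unrelated process
)


def classify_writes(writes, processes):
    """Group cross-process writes by (writer, target) and label each pair.

    child-setup    : target is a direct child of the writer.  Chromium's sandbox
                     broker initialises every child this way, so for a browser
                     these are expected.
    foreign-process: target is not a child of the writer; this is the shape of
                     process injection and should be investigated.
    unknown-target : target pid is not in the tree (exited, or tree truncated).
    """
    out = []
    for (writer, target), n in Counter(writes).items():
        parent, image = processes.get(target, (None, None))
        if image is None:
            verdict = "unknown-target"
        elif parent == writer:
            verdict = "child-setup"
        else:
            verdict = "foreign-process"
        out.append({"writer": writer, "target": target, "target_image": image,
                    "writes": n, "verdict": verdict})
    return out


def flagged(writes, processes):
    """Only the pairs that need an analyst's attention."""
    return [r for r in classify_writes(writes, processes) if r["verdict"] != "child-setup"]


if __name__ == "__main__":
    for r in classify_writes(WRITES, PROCESSES):
        print(f"{r['writer']} -> {r['target']:<5} x{r['writes']:<3} {r['verdict']:<16} {r['target_image']}")
```

With the report's own events, all four pairs come back as child-setup and only the constructed write into CompPkgSrv.exe is flagged. The same parent-child test is the first thing to apply whenever a sandbox raises WriteProcessMemory on a Chromium-based browser, before reading anything into the raw count.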
Processes

PID 4804  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbVBjT3UyRmk1a0t0a2tDY0xEeFFrYkpkWVV3QXxBQ3Jtc0tsdE50Y05hdzhRLWVXM3RsRHVMV3BkZFFqZVlhY1c4YkZJTmJfQTNhdEZFaVJiRXVEX2RadzhmNFJVbmUxT1BIUmQwMWY4X0lodVp5M2xFUFFfR1gxamhMeXRiTTA2bFRKM2RsbnVuX2xMSHBhRWwzWQ&q=https%3A%2F%2Fwww.virustotal.com%2Fgui%2Ffile%2F5bc59de013e0a1272c43bbd82179a60314ae2dfdcda13ee03140e730daeac230%2Fbehavior&v=GF7oK-Z_Sao
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  PID 372  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc19cc46f8,0x7ffc19cc4708,0x7ffc19cc4718

  PID 1976  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

  PID 5100  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 3812  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

  PID 3712  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

  PID 820  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

  PID 1432  identity_helper.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8

  PID 4812  identity_helper.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 1640  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

  PID 4544  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1

  PID 3916  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1

  PID 1632  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

  PID 4256  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

  PID 4912  msedge.exe (child of 4804)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13678286396849385855,9243011931229464610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

PID 3008  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3288  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: ce4c898f8fc7601e2fbc252fdadb5115
SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Filesize: 152B
MD5: 4158365912175436289496136e7912c2
SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Filesize: 5KB
MD5: e4d2e1aa1aeeca141f607124502dfe57
SHA1: 04523c4f5a2566ef2470f0ffb85f6664eb09b7ed
SHA256: 5bf0572ead1ba9e3461a45c3b25c4551ceb924bfb84b63cc99b5e6262c8ec322
SHA512: e5f98483be61a165cd0e3ad7b1b970bca989881d0bbd54f6ff7bfb0c598e0cef5ababb2f0d3968d0f01e535091c6834d7ceac98f98799a3a983da6a583c53786

Filesize: 6KB
MD5: 0035b71b8f6c4c2ca70b0b8bdea194a3
SHA1: f775d115db33a9abe890e4a9609b6023f4134860
SHA256: e713e0bb16645f005ea2661bfb974f328f51e115be56c1707202f48b4c0a5364
SHA512: 2c6aace63c9dd23d71bb147cc71d37fd7e2455eebcf5efb34d23661a24a2ab41eaf318198c8d85ddbd1facd70688eb2bf2bb42297d1b18ca0f916947af291bed

Filesize: 6KB
MD5: 47fb9c04c27cd3fe58be4ca569dae1d5
SHA1: c50b8e187297c248263b78aa3a3070e5610d3ec4
SHA256: fa2cae3abd07aeb26232138b07dc36ea5a2b60585ff3545e335d77a4b6177aad
SHA512: 7e62953fa6604d662ff9e00966d328b54de9898c2520531ee812f8789dab7e878c6659169509bb38b2ffa6e202b27ab752e4c07764ec2e638331a664a3041999

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 8KB
MD5: 3d0b20bd3a12ad8a5978ad95eeb055d7
SHA1: 92233d8f974ba8a5443832fd9ecb3d6fa626c916
SHA256: d0247b7630c9c3eef3e1fc42875080603a94f2e53978fdb6f753078c9b5245fb
SHA512: 8da7665480d5bbad61f5d644e1ec2a8daf8610a0d0faff28bd0bff88c4f616f010bf02da1613be9f9c27c12e45bf0b2b42066d9fd567e6c50978f60c6e770085