Overview

Task list (score, sample, platform):
7  Static
3  LinearWhitelist.exe      windows10-1703-x64
7  Linear_Loader.exe        windows10-1703-x64
7  $PLUGINSDI...ls.dll      windows10-1703-x64
3  $PLUGINSDI...em.dll      windows10-1703-x64
3  LICENSES.c...m.html      windows10-1703-x64
1  d3dcompiler_47.dll       windows10-1703-x64
1  ffmpeg.dll               windows10-1703-x64
1  libEGL.dll               windows10-1703-x64
1  libGLESv2.dll            windows10-1703-x64
1  resources/elevate.exe    windows10-1703-x64
1  runtimebroker.exe        windows10-1703-x64
7  vk_swiftshader.dll       windows10-1703-x64
1  vulkan-1.dll             windows10-1703-x64
1  $PLUGINSDI...7z.dll      windows10-1703-x64
Analysis (score 3)
max time kernel: 1799s
max time network: 1689s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 30/06/2024, 15:08
Behavioral tasks (task: sample, resource)
behavioral1: LinearWhitelist.exe, win10-20240404-en
behavioral2: Linear_Loader.exe, win10-20240404-en
behavioral3: $PLUGINSDIR/StdUtils.dll, win10-20240404-en
behavioral4: $PLUGINSDIR/System.dll, win10-20240404-en
behavioral5: LICENSES.chromium.html, win10-20240404-en
behavioral6: d3dcompiler_47.dll, win10-20240404-en
behavioral7: ffmpeg.dll, win10-20240404-en
behavioral8: libEGL.dll, win10-20240404-en
behavioral9: libGLESv2.dll, win10-20240404-en
behavioral10: resources/elevate.exe, win10-20240611-en
behavioral11: runtimebroker.exe, win10-20240404-en
behavioral12: vk_swiftshader.dll, win10-20240404-en
behavioral13: vulkan-1.dll, win10-20240404-en
behavioral14: $PLUGINSDIR/nsis7z.dll, win10-20240404-en
General
Target: LICENSES.chromium.html
Size: 6.4MB
MD5: c3528648bedbde1223a2faab1a3f9af3
SHA1: 934d3c8f184258338ff380964ed89053ce69ac5b
SHA256: 57b8e5a3f2cd62805001aefca035c7348b4d1abac157e6df3d798bb31f2ec3d2
SHA512: 3e3cc0fd7a55f67ee0afff9696beef33bdc9524375bbe9d8e8f7660fd408c756c1156ca0b02ecccdc22799c7b8e74dbde012732ad6b3ebe0a3cfc54ff5132b35
SSDEEP: 24576:d7t05kvWS99LVoFIUmf2p6y6E6c666r8HHdE/pG6:RI8j
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642342231770372" | chrome.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  824 | chrome.exe
  824 | chrome.exe
  1684 | chrome.exe
  1684 | chrome.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid | Process
  824 | chrome.exe
  824 | chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 824 | chrome.exe
  Token: SeCreatePagefilePrivilege | 824 | chrome.exe
  (these two rows alternate for all 64 entries; every entry is pid 824 chrome.exe)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process
  824 | chrome.exe (26 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  824 | chrome.exe (24 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 824 wrote to memory of 4764 | 824 | chrome.exe | 73 (2 entries)
  PID 824 wrote to memory of 1736 | 824 | chrome.exe | 75 (repeated)
  PID 824 wrote to memory of 2704 | 824 | chrome.exe | 76 (2 entries)
  PID 824 wrote to memory of 3996 | 824 | chrome.exe | 77 (repeated)
  (64 entries in total; the rows for targets 1736 and 3996 are repeated many times, all from pid 824 chrome.exe)
Processes (image path, command line, PID, triggered signatures; children are indented under their parent)

- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
  PID: 824
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffca65a9758,0x7ffca65a9768,0x7ffca65a9778
      PID: 4764

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:2
      PID: 1736

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:8
      PID: 2704

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:8
      PID: 3996

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:1
      PID: 4704

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:1
      PID: 1204

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:8
      PID: 2872

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:8
      PID: 2584

    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1820,i,7775342320972300174,17686802084407325791,131072 /prefetch:2
      PID: 1684
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2908
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: e351d62ec0438a6a117b7010960e5a00
  SHA1: ecf7c6a8a94f6052d1cf967ce6a4faa6f51ed17a
  SHA256: b5ba4679c9a44290b8560a018251d760dbee3ba7a4acbed949635b4fcbde8f5a
  SHA512: ea09cebaaae78fdfc61e202fd20a5184b11e24b5ff9abd539a7f5f170d289574b6f67b9993b9bba30458affef16cef498e89fdca804bcdd6b8fc63e9c30a7f9e
- Filesize: 5KB
  MD5: f7f86801c3934c8bcad0a0f30488a2ac
  SHA1: c17b7d5f2f540246be698f67a77b3134f2050076
  SHA256: ecdcac763ddbac1b98f1fd575f1e6ff111a633be163c6ef17bab3770461c97e5
  SHA512: 7a8d0d27a9eebaba8358ee074ecf52e1c153781fda28c5919567fb7f4284b5c44caee71787c4bd9e68746fc41813c26df199f68dbb7c1b43683805178767207f
- Filesize: 5KB
  MD5: 5434ea3894ae1e79f74593a94e96117c
  SHA1: dd829a8dba135e750cfbca1acd902c35cb1fc989
  SHA256: 79017463a348742979f250b5d20982da2714383f448cfa8aefb892ff4ae216bd
  SHA512: 6f917a6085fb193da83115603128393cd703ea8938f0ff369aa48f562d3d277b627139c8269fde89b7546d38bea60a572d1f7b4cae79a34dcb773bbd63e6e111
- Filesize: 136KB
  MD5: f294ca3bd33e0e6e58bd97d60e10a3a9
  SHA1: 4746a4d48b35553543d04e318b8959a32f39fc2a
  SHA256: 58fc96274a71c392f4a374945de6036909c0d24bff85361e29778ff2b565a0ca
  SHA512: 5c750ac2129bac56d0886fac8519edde6f3b5823d5cb7559f033046c9fef5a59a906ffd89de75617d79fd27fe4471200f1d328e4b2fcf7e87db2406db4b384ff
- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd