Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 20:40
General
-
Target
https://github.com/l3c1d/star/releases/tag/v1.5.1
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/l3c1d/star/releases/tag/v1.5.11⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9870346f8,0x7ff987034708,0x7ff9870347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\msphack.lisa.exe"C:\Users\Admin\Downloads\msphack.lisa.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5596 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\msptool.exe"C:\Users\Admin\Downloads\msptool.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,14896649761796904004,4824515497425391750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6512 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5de1d175f3af722d1feb1c205f4e92d1e
SHA1019cf8527a9b94bd0b35418bf7be8348be5a1c39
SHA2561b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924
SHA512f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734
-
Filesize
152B
MD506b496d28461d5c01fc81bc2be6a9978
SHA136e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa
SHA256e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507
SHA5126488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91
-
Filesize
1KB
MD5f9be52ed262822ac6057e17dd85d5ec7
SHA116715742a128273602ec063a3c3141ee448494be
SHA256d39df7fe0aab716aff1a033880c2e232377e5a33617c3c413e885c84af458917
SHA51205c77cfaf1c72550c25144203c0506afb5f542d2001a02675d5aff7b6ca5c483a9c5631dab33b49367268fb5c215b607e06804f21c34bac90fbfdc9c36def6ed
-
Filesize
496B
MD51b92794633aaa7d8ca83e408ef516a36
SHA14ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6
SHA2560ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0
SHA512698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb
-
Filesize
6KB
MD50a74b87902449e4223218162a1b3a07e
SHA13754f935ace74394d8b78514a8c23df14e143a69
SHA2565c47fb85f852a3661d5d88544c7a2811173c1aec7a81a5c6d9d447e308ad8443
SHA51287f7d40f60cbb0f17787ab85e1acdbab4d549272e7b48968842f903446eff76506392267552b31f4b5128082ab3152e9ef7608162651f9ae69b2b544dcc6b447
-
Filesize
6KB
MD5b2d97b1e8bae1b124dc6a285f7338274
SHA17fa6dc017a40deb3bd0cf1d3fc88713387753afe
SHA25688d8e366843f5530519fc502379b590269a32cd5aa3d6e059697b415d6c2cb78
SHA5126822ad70b134e5cf6b3f80eb42461645c1b9c2666d2b8b3249ebd9f5c8994239a7098aaeb2ecbb669555dc6da8be7fcfd6cfb271cf6c0c7625e6c549ce84e1d5
-
Filesize
6KB
MD56b97ecf89e84c2e598b02c045b1857c4
SHA19898cd1271bf2cf36ad18f945e6091a9b93087d5
SHA25653cd85f72ff0149bf90b2839cbfa78b153d65262d57e85f07dfe2188773becb6
SHA512497c036a7540ba091c709ce66415bf382bb4c6c96d4e124c173097b0e48adc07759dd22724221628b7e67ec29510e9b58e11890d2e0ca737c9934910ce6c0dd5
-
Filesize
874B
MD5020b082e23a335205a65097303d6c471
SHA14ba6ebba3f9f6ad25b82e2234f207c3a1cecd2aa
SHA256611b96bbbb974c95f68496a665a8c6b3f6dd5b3cb56469b6ccecdfc78843d722
SHA512cb474504312a888502d83ee4493115346565f743b489e8b4d0b3bc7a3c1e54493c29efa74344de159dfbad3f4bc9800a2d48f4c39bac4602b8e7bb21a8fcec5f
-
Filesize
874B
MD5b972758ec74f3bafc9b7846a42d2c89b
SHA113734a85e0d5b5f2709aaa500e9b1862199e189a
SHA2561a6712015b1a569dd236e95a678c4642e0671f08cb4dc60c49bf7abf105e5790
SHA512d1c23dee1b595b259002972e78245e24f9383f8dd383c95421d6000939e2fd8683013f468c3a37e189c2fcfb5ef2c5c1618b11c7dbc20ec65df94ab2a2c8e2d5
-
Filesize
874B
MD53985f7579fc294e2f7b0f00a8cfb2576
SHA1cde85b5922d2976702fb6d21576c57bf33a57b03
SHA25611e8639bf127a5d17c0dc948b796112e69d3e59bc8f3852902fbd3f372897d1d
SHA512ebfe3d230d8acc65808d818a95287183327678124d790fa194c3460903e28e0de0a5571198c950385d833694d12391dd8e2a7f27c7954e0cd240d0aa4639eeaa
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5db1dba2553620219865c735d9ae10ba9
SHA1971ebd217e1ef1c87cf2b6488ed827bfd9d6b9d7
SHA256d452cdac5c8e7944fe43923b576770f33515d6d1594283d55d7720d2c13437c5
SHA512ae2a52d3893be0ef09206f3cebec64d721579e811c52d911f7ff9fb3f6861d976402895bcc438d2a74c0cb6f9a7e5a6ba2a7e94103fe179aa704b35c14d82a16
-
Filesize
12KB
MD52d2d9fa509b6e8b7cc0286173e43baf0
SHA1c30da2a3f0e5391c72ad4e5c2400e7d82572da0c
SHA256288e3564862465d6a3266ae131962a39082207ef1771be3062adbf4e605e40d2
SHA512d3ead63e94166b55ef001797940ecfe34b35b54f5991929e7c54b1d0bd7eaca27b2c1ccb7f68abb3bc01872edf038825ef61f3596a5242c674f0fd11bdd0d49b
-
Filesize
11KB
MD5bad5c46d5a5aa79e0da06debbf08ee69
SHA1225214c68fc767070bb2253d1c0a13b43341e2f5
SHA256678f724e8f264c45cd2c3ee3c1edf0ecddf05de348cf1910a6f1d63a8edcdf00
SHA512bf79cf60d2bbc19a65da9877446c4a0ddc6196fdf983489c76b6dd5de49f904f18a5bf1e66b86b724cd24634a04503e1d74ff2d55e28934061e921a912a5abcc
-
Filesize
20.2MB
MD53a9985460fc111d0d64c1f6256526aea
SHA11940a112dbe3230f57160ce34a3e05b24d208220
SHA256e39c720a795f2f88337c0589d5fbd3c61cc55dcbc351e4d26029aba253ca7614
SHA5129d2b481adc03d7936c1420bd7b197dde2fb2e2dd865b5fdfb19a3bbd93c5ecf0740896c8069dee30ea092d871a70694f14bb372160082e6bc2cfb326aafb0c11
-
Filesize
2.1MB
MD5942216a6afd41e6d251ab7a961fc9a6f
SHA14a80b405196d1bab3b606b7ff803145ca4ef860a
SHA25647883bfd6d7e2168a26a07be49e3706653ab630545d0fd60ef9857d73e328b37
SHA5124e8952c92171694dee5a92b5b772c595022fcec32b342aa4bb485495ed4e6afb10d101c77b2fd9e4fba81b615bdeb5111f26b6af5fce693d0eac74fab792dd67
-
Filesize
120KB
-
Filesize
2.1MB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
96KB
-
Filesize
472KB
-
Filesize
744KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
20.2MB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
472KB