Analysis

- max time kernel: 1152s
- max time network: 1155s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/07/2024, 20:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://github.com/Satanaelcode/Crealstealer
- Resource: win10v2004-20240704-en
General

- Target: https://github.com/Satanaelcode/Crealstealer
Malware Config
Signatures

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

  flow | ioc
  30   | camo.githubusercontent.com
  31   | camo.githubusercontent.com

- Enumerates system info in registry (2 TTPs, 3 IoCs)

  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid  | Process             | events
  1116 | msedge.exe          | 2
  1740 | msedge.exe          | 2
  4936 | identity_helper.exe | 2
  4296 | msedge.exe          | 4

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)

  pid  | Process    | events
  1740 | msedge.exe | 6

- Suspicious use of FindShellTrayWindow (25 IoCs)

  pid  | Process    | events
  1740 | msedge.exe | 25

- Suspicious use of SendNotifyMessage (24 IoCs)

  pid  | Process    | events
  1740 | msedge.exe | 24

- Suspicious use of WriteProcessMemory (64 IoCs)

  description                      | pid  | Process    | procid_target
  PID 1740 wrote to memory of 2760 | 1740 | msedge.exe | 82
  PID 1740 wrote to memory of 4940 | 1740 | msedge.exe | 83
  PID 1740 wrote to memory of 1116 | 1740 | msedge.exe | 84
  PID 1740 wrote to memory of 4640 | 1740 | msedge.exe | 85

  64 rows are shown: 2 each for targets 2760 and 1116, the remaining 60 split between 4940 and 4640.

Every signature above is attributed to msedge.exe (PID 1740) or to its own child processes, and the four WriteProcessMemory targets are the browser's crashpad, GPU, network-service and storage-service processes listed under Processes. The process list contains nothing beyond Edge and CompPkgSrv.exe, and the Downloads list holds only browser cache entries, so this run shows the repository page being opened in Edge, not any sample from the repository being executed.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1740)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Satanaelcode/Crealstealer
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2760)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88a7846f8,0x7ff88a784708,0x7ff88a784718

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4940)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1116)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4640)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2924)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3428)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 532)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4448)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1100)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1948)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1852)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4296)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6313596662225106336,9452750625972396695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1308 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 2984)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 4436)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
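The WriteProcessMemory rows are easier to judge once each write is matched against the process tree: a multi-process browser writing into its own children is routine, a write into an unrelated process is not. The Python below is an added example, not part of the tria.ge report or of any project it references. It parses rows in the flattened "description pid Process procid_target" form used on this page, collapses repeats, and labels each writer/target pair. The process tree and the first five rows are copied from this report; the final row targeting CompPkgSrv.exe (PID 2984) is hypothetical, constructed only to exercise the cross-tree branch.

```python
"""Triage WriteProcessMemory rows from a tria.ge-style report (added example)."""
import re
from collections import Counter

# Constructed from this report's Processes section: pid -> (image, parent pid).
# Parent pids come from the nesting of the process list.
PROCESSES = {
    1740: ("msedge.exe", None),         # top-level browser process
    2760: ("msedge.exe", 1740),         # --type=crashpad-handler
    4940: ("msedge.exe", 1740),         # --type=gpu-process
    1116: ("msedge.exe", 1740),         # network.mojom.NetworkService
    4640: ("msedge.exe", 1740),         # storage.mojom.StorageService
    2984: ("CompPkgSrv.exe", None),     # separate top-level COM server
}

# Constructed input in the page's flattened row form. The first five rows are
# copied from the report; the last row is hypothetical and only exercises the
# cross-tree verdict (the report contains no such write).
WPM_ROWS = """\
PID 1740 wrote to memory of 2760 1740 msedge.exe 82
PID 1740 wrote to memory of 4940 1740 msedge.exe 83
PID 1740 wrote to memory of 4940 1740 msedge.exe 83
PID 1740 wrote to memory of 1116 1740 msedge.exe 84
PID 1740 wrote to memory of 4640 1740 msedge.exe 85
PID 1740 wrote to memory of 2984 1740 msedge.exe 99
"""

# description (writer, target), pid, Process, procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for each well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            continue
        writer, target, pid_col, image, _procid_target = m.groups()
        if writer != pid_col:  # the pid column must agree with the description
            continue
        yield int(writer), int(target), image


def classify(writer, target, processes):
    """'own-child' is expected for a multi-process browser; anything else
    deserves a closer look."""
    if target not in processes:
        return "unknown-target"
    target_image, parent = processes[target]
    writer_image = processes.get(writer, (None, None))[0]
    if parent == writer and target_image == writer_image:
        return "own-child"
    return "cross-tree"


def triage(text, processes=PROCESSES):
    """Collapse repeated rows and attach a verdict per (writer, target) pair."""
    counts = Counter((w, t) for w, t, _ in parse_rows(text))
    return {
        (w, t): {"count": n, "verdict": classify(w, t, processes)}
        for (w, t), n in counts.items()
    }


if __name__ == "__main__":
    for (w, t), info in sorted(triage(WPM_ROWS).items()):
        print(f"{w} -> {t}: {info['count']:2d} event(s)  {info['verdict']}")
```

Run against the full 64-row table the four real targets all come out as own-child, which is the basis for the note above that this report records browser housekeeping rather than injection.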
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: 210676dde5c0bd984dc057e2333e1075
  SHA1: 2d2f8c14ee48a2580f852db7ac605f81b5b1399a
  SHA256: 2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5
  SHA512: aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

- Filesize: 152B
  MD5: f4e6521c03f1bc16d91d99c059cc5424
  SHA1: 043665051c486192a6eefe6d0632cf34ae8e89ad
  SHA256: 7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1
  SHA512: 0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: f5137d84bafbfe1c4bdb04f2ac21feb6
  SHA1: 14c6c22e81c936cd346a4f60c09033eec775005c
  SHA256: b05853f1683bee79be44b075f0775360c9886debe39b6c4351a30d970a932775
  SHA512: 80d4c7e1d7da415d2f50b495842582cb623aa2f3f13633834d1a7740500aa946a9548caa237ffe14cb481eeaf2710d79565a200ed666e678489059e99905418d

- Filesize: 580B
  MD5: d4305c3993d0f27893ca3069f2c3cd3b
  SHA1: 4be9d9cacd91df869880b95b5e6ed81f0cac56e7
  SHA256: 3f84ca13bbde91f446495ebe7e7ce116607704bfc4aca4284fb7c27a882f4be0
  SHA512: 7b31c706bcc1bf7a41da090e0eeba4bfb930b948dbb84896a27cbc9657ae5821cf9d125e8ec54967e3eaaa0ed6cf485f708a15379ecfdfaa8fd084e4d7d357a8

- Filesize: 6KB
  MD5: 93249f9a43bdc0771653622f73eb933f
  SHA1: 2a4facffd5d04c85555b034968222988bdaf902e
  SHA256: a190b5a9f715523c71a8c171dacc3f629ce74b839ea46df8de61a44d2d0c3200
  SHA512: 7d3a77d4daad63ae18fd613d97c2c78b01e507bf3a7d9581798ef5cb3adad874f61158046c82580c170c7911ad75275a4043a38b9e32581cb914c13bf4f76835

- Filesize: 6KB
  MD5: 757ad5595eae42029e7d00541f06fdda
  SHA1: 375bd65ebd663876daba8ee18582bcf7c233fe5c
  SHA256: 7554fd89c0ed7a85a0166138753aaaefb20cd5af1e1a7d936b99ec0c25e84d34
  SHA512: f9b6470a896f5944966733a729581cc05751f3c2a9ec3c9ee250b728ff2429790be2e16ffbe14f44d082953c35ea3fbc18aa8e5321afa887a8f7d2bdd141ecdd

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: a333fee75572d3ce29145fc306853445
  SHA1: bfcfe3d298749f341adcd3164a3d72605ccb9291
  SHA256: a7b8ca40e865c768b32443e7418eb28cadf4009b3304803c88e5a8ba540b9c93
  SHA512: 7cf0cb8b4c3038b2b1a4af290b3806a746dafb36031bf6f0353f6b520dd5f6e449fc9cc89ee5d4556bd900e32dfe1792234664178d8e0f72809889a6a0b549d5