Analysis
- max time kernel: 20s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/07/2024, 18:13
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
Sample
- URL: https://cdn.discordapp.com/attachments/1170455662677991458/1265008723101745213/leavepaintblocksurprisemade.exe?ex=669ff2ae&is=669ea12e&hm=da86c2e2a9204afee210fffd6f037da8336950abcdd756383d1576ca10359ce3&
- Resource: win10v2004-20240704-en
General
- Target: https://cdn.discordapp.com/attachments/1170455662677991458/1265008723101745213/leavepaintblocksurprisemade.exe?ex=669ff2ae&is=669ea12e&hm=da86c2e2a9204afee210fffd6f037da8336950abcdd756383d1576ca10359ce3&
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | Process
  5356 | leavepaintblocksurprisemade.exe
  5460 | leavepaintblocksurprisemade.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 292275.crdownload:SmartScreen | msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process | entries
  884 | msedge.exe | 2
  3432 | msedge.exe | 2
  4456 | identity_helper.exe | 2
  5204 | msedge.exe | 2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid | Process | entries
  3432 | msedge.exe | 5
- Suspicious use of FindShellTrayWindow (41 IoCs)
  pid | Process | entries
  3432 | msedge.exe | 41
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | entries
  3432 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | entries
  PID 3432 wrote to memory of 2392 | 3432 | msedge.exe | 84 | 2
  PID 3432 wrote to memory of 1172 | 3432 | msedge.exe | 85 | 40
  PID 3432 wrote to memory of 884 | 3432 | msedge.exe | 86 | 2
  PID 3432 wrote to memory of 1216 | 3432 | msedge.exe | 87 | 20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3432)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1170455662677991458/1265008723101745213/leavepaintblocksurprisemade.exe?ex=669ff2ae&is=669ea12e&hm=da86c2e2a9204afee210fffd6f037da8336950abcdd756383d1576ca10359ce3&
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab55746f8,0x7ffab5574708,0x7ffab5574718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 884)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1216)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 224)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4076)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4456)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4572)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5240 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3700)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 428)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4872)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 724)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5204)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1250110691824615245,7643643251170349625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\leavepaintblocksurprisemade.exe (PID 5356)
    Command line: "C:\Users\Admin\Downloads\leavepaintblocksurprisemade.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Downloads\leavepaintblocksurprisemade.exe (PID 5460)
    Command line: "C:\Users\Admin\Downloads\leavepaintblocksurprisemade.exe"
    Signatures: Executes dropped EXE
- C:\Windows\System32\CompPkgSrv.exe (PID 2896)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1596)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 210676dde5c0bd984dc057e2333e1075
  SHA1: 2d2f8c14ee48a2580f852db7ac605f81b5b1399a
  SHA256: 2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5
  SHA512: aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017
- Filesize: 152B
  MD5: f4e6521c03f1bc16d91d99c059cc5424
  SHA1: 043665051c486192a6eefe6d0632cf34ae8e89ad
  SHA256: 7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1
  SHA512: 0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e
- Filesize: 5KB
  MD5: 0fe394db9fdc1efa1ef2decc41546fae
  SHA1: f60edb13725fe057b11a1fcc767cb2b518a5fc9c
  SHA256: 6f716df868565c2abf027c842aa44c84689051c45cdd446c179ddd925f2f4095
  SHA512: 907f261f5cf2d6aa5aa3c61095047c212e8d72b1ff40aef61a4a8201030c1a479977ab14a768c86a53377e3ca42b67a54be561fdd5b68cb4d0c9f44181914d23
- Filesize: 6KB
  MD5: a2bd6c6de18963eda3deab913584f25a
  SHA1: 4c8b9e86017791e4b54aa0e018f0b4fea69d7593
  SHA256: 33da274fd96640440123bf7725425dca86962824131c738cdb7dee3044eacef2
  SHA512: 12d5e7bccb5e124c4607e56e50f55584e3b8d62ecb13f959214264546b50514cff4f58018a36019f1d2607db57a3085349394798c60cbc0cf9cd0b56492b1cb8
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 0a2fd7cd159f06e692ed68b006b94e55
  SHA1: 507f57bb45678465069bb9d0cadb303e3852f343
  SHA256: 60a12599bb58bb407440d62e27106b25efa77a436bb46366e841334a44658eca
  SHA512: 19eb9166b87416bdabb3fb7cfcbafe8e7ef93ddc6fcebd3d8241a694312cc5a2d3ec99df312adac0bed624899ac0590081103913f7bec43164cd356e76e45998
- Filesize: 18.8MB
  MD5: 88153443f14e528ad7bc977c5caa19b7
  SHA1: 8649afb900cc720a0a3fb2c122fcf7d76c9a1ec4
  SHA256: da783a711b6c442b3dc74be553f42a0d9dae00640e01da0ac2c4499141269a80
  SHA512: d50bf61919a863b3cd86465472a3ce66b127fe1b5f653f31cc3a8baf004ec212173782ef78f05596b774e2a75b8629228889cfe953be1d75154b97cbe3485096