Analysis
  max time kernel: 432s
  max time network: 435s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/07/2024, 09:53
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://drive.google.com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing
    Resource: win10v2004-20240709-en
General
  Target: https://drive.google.com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  5     drive.google.com
  18    drive.google.com
  19    drive.google.com
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1492  msedge.exe
  1492  msedge.exe
  2608  msedge.exe
  2608  msedge.exe
  1560  identity_helper.exe
  1560  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process
  2608  msedge.exe   (all 6 IoCs)
Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  2608  msedge.exe   (all 26 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  2608  msedge.exe   (all 24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 2608 wrote to memory of 4456  2608  msedge.exe  84
  PID 2608 wrote to memory of 2588  2608  msedge.exe  85
  PID 2608 wrote to memory of 1492  2608  msedge.exe  86
  PID 2608 wrote to memory of 4080  2608  msedge.exe  87
  (distinct rows only; the report repeats each row several times, 64 rows in total)
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2608)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4456)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8104646f8,0x7ff810464708,0x7ff810464718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2588)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1492)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4080)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1528)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1280)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1696)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2436)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1560)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe (PID 1572)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 3640)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 152B
  MD5:    75c9f57baeefeecd6c184627de951c1e
  SHA1:   52e0468e13cbfc9f15fc62cc27ce14367a996cff
  SHA256: 648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f
  SHA512: c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15
File 2
  Filesize: 152B
  MD5:    10fa19df148444a77ceec60cabd2ce21
  SHA1:   685b599c497668166ede4945d8885d204fd8d70f
  SHA256: c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b
  SHA512: 3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef
File 3
  Filesize: 28KB
  MD5:    bfb4ad144233248db8f0b493c9f53943
  SHA1:   75f204ac49008ca945d35db03568db5ffa2ee27d
  SHA256: 57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393
  SHA512: 0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e
File 4: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5:    896fe912c7ac5aa1b1c02c6513c52f94
  SHA1:   8ed6aeae731ecdbfd8563c1a3fff4a7e66e2818a
  SHA256: 1317c993938ef947e4d48ac1292577c5797b2cb58ed65d68efecdc2782c1a192
  SHA512: 214f347329ef4181207d4d47b99327d5f87d32029dc2a840c4ed8c86664c72384145cdefc91167eff3ce64a67b2804b388724c96f439f969415f50c8042d6b5a
File 5
  Filesize: 4KB
  MD5:    d4f6312da01e0496414aec0c52bad6b5
  SHA1:   7dcf6d2a2562a687b45aab09d3a69e17df2f0442
  SHA256: b301c122dcb0ad98faa9aa643e4c812232eac954a8ed0492be40b4f9cbf753be
  SHA512: 1a36b5d3a0e555856fc9d61557a41ebc77f5f724e30269ad259749c509107d3f5a8a88b6d4770974313e19686baefcf4c667cac6c238435979d00b0a7d3ff78b
File 6
  Filesize: 5KB
  MD5:    c6aea7bb73f333ac35d43a0e32d17532
  SHA1:   653ccb035edcfc3559bc79d1d69613788806add9
  SHA256: 8097bad29aecdea890797e1e5c443a09c720741f486b6ae6ae47c3bff7b88904
  SHA512: b414177337c3b5d44e92246dd9c6912ecec2cf574060d175dc131c227a6886d17abb3731c64432dd1fca1a0d6c4817960e6cb8db9be8f80152c990db1846433d
File 7
  Filesize: 6KB
  MD5:    e9a25437ba8dd468922521c79b7e8880
  SHA1:   bd64670a23eb51ca4dac774c1d0d221ace7bc489
  SHA256: 86af000ab94870de94c7cde5d9824743b53710fbe8d2e5c6f2a8a259f2fc58e1
  SHA512: 12e94ad69e74191c3c14d1308a0a85242fec6972cf2b96b612ee9ec5a742d9f61a7787d4b6d4279f7ad7e191226e9ae3ae0cd0508e4a57e398ab84eca4e55fdb
File 8
  Filesize: 6KB
  MD5:    52836c6ecb6ed0a0ff4af04e05784cc5
  SHA1:   a44d65d6fcce7e44ff0235179a63d14187afd53b
  SHA256: 08cc57b6dee2c9a18f8061bdc84908761ce4f684761e9f84e7986cbf12e6a22c
  SHA512: 5b081ae1ca42c4b1b3ecdf3bea55ca14e49a45b634bc434c2019dc2507342fc6d92098783e0e210a2f5df6b742218e40bb4d4bd74cdc80631bb545dd15902e1a
File 9
  Filesize: 1KB
  MD5:    e783ab6091affb0fda74a35c49a0797b
  SHA1:   e7ec0c8cfa2df0eca6c18c1608d12ea89bc13b68
  SHA256: d0db3826a096ac76c36931818704ae42de5382d5664028f094d2981517928a27
  SHA512: 78253bde8bf0ace17a207949c35b3c1c972076fe619f105622544744c1a500fcbeee850e4626ed7d7c693946b1b78321e9705d920c9c75eb5f17cb4138d33f21
File 10
  Filesize: 1KB
  MD5:    1b817a85e3e49bc3c4fb3dbabf516aa1
  SHA1:   d6ff32d58b304cef793521961a2ea35e50dc4c60
  SHA256: 9637c8c5f2a6fe8f1f4b839b312b3eb418b9da298763b2a6433185b0c7ee5833
  SHA512: 4e0573cc2acbcee4713423c6760b5947638d7e4f3b3bcfaf3cb2f8544c43ce894f044d66f285b7b8e4a73de3430b8a1bbf90e54b090d46b4fe28fa99bbef5b95
File 11
  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
File 12
  Filesize: 11KB
  MD5:    a6948d53872efb0d72c411992948f061
  SHA1:   b9cae2900c1d97abf8701f0705a758e15b11383c
  SHA256: ed52739450f2ba0832c606609211f1c217171925baf321c335bc6f5e95752f94
  SHA512: 13b3577cf9398dc876f58b19302464ae0c19ff87b1121e4d57820673c49a3a776d3c7f641dfc7bfdb11c1beac3bd35f3af414af2c98cacdcd5066b5c14c7bf46
File 13
  Filesize: 11KB
  MD5:    792911b072528911304291e674243b93
  SHA1:   c8708afdc91d3d579bfc3588a8b020705fd47f18
  SHA256: 3a168c7e78dfb2e610a4991ae70ef21138f825aec0b72d1f314866f13737131f
  SHA512: ce80383d3f9a6d460b595539f28a8a253bd2caee0c92d3861b636595b3b1700072e85792c806971e8db617a56a6171e08996088cdc2d30b6bafb3958c830ef51