Analysis
max time kernel: 145s
max time network: 143s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26/07/2024, 07:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link
Resource: win11-20240709-en
General
Target: https://drive.google.com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
2 drive.google.com
6 drive.google.com
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
4120 msedge.exe
4120 msedge.exe
1248 msedge.exe
1248 msedge.exe
5676 msedge.exe
5676 msedge.exe
4336 identity_helper.exe
4336 identity_helper.exe
1776 msedge.exe
1776 msedge.exe
1776 msedge.exe
1776 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process
1248 msedge.exe
1248 msedge.exe
1248 msedge.exe
1248 msedge.exe
1248 msedge.exe
1248 msedge.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9eaae3cb8,0x7ff9eaae3cc8,0x7ff9eaae3cd8
  PID:2460

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  PID:5960

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4120

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  PID:2008

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  PID:4244

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  PID:4708

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5676

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4336

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  PID:3476

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  PID:2640

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  PID:2288

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  PID:5732

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9700006989554161934,18109347070975678743,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5152 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:6096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2144
Network
MITRE ATT&CK Enterprise v15
Downloads