Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
02/08/2024, 22:55
240802-2v6b1aydja 602/08/2024, 22:32
240802-2gdd3atark 602/08/2024, 22:31
240802-2fdcnsxgqb 602/08/2024, 22:20
240802-19jacaxerf 602/08/2024, 22:13
240802-15fzessfml 6Analysis
-
max time kernel
68s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/08/2024, 22:31
Errors
General
-
Target
http://github.com
Malware Config
Signatures
-
Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Payload decoded via CertUtil.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade9146f8,0x7ffade914708,0x7ffade9147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13237901880378877758,12423801702462892363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\dw.2.bat" C:\Users\Admin\Downloads\dw.bat"1⤵
-
C:\Windows\system32\certutil.execertutil.exe -f -decode "temp.~b64" "dw___.bat"2⤵
- Deobfuscate/Decode Files or Information
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\dw___.bat" "1⤵
-
C:\Windows\system32\attrib.exeattrib -r -s -h c:autoexec.bat2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib -r -s -h c:boot.ini2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib -r -s -h c:ntldr2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib -r -s -h c:windowswin.ini2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\msg.exemsg * Why have you done this?2⤵
-
-
C:\Windows\system32\shutdown.exeshutdown -s -t 7 -c "Virus Detected, Shutting Down."2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3957055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
2KB
MD531addb95958094bd70e516d39274edac
SHA16e5af89059fc98395b7e76d117102268f4f63a71
SHA256f41aaa37dd453ee132f28609fdd0b82b1d29fd869dc3629ec70d61280ccaf505
SHA512bcc582752ef82144a3e25b32e6eeb64c51f90144fcdb5b33044b40e8c4685eed56184f9f958782cff93ddbc74db08fdb9a774901a9c993fc7ee2e23d9a0acb0b
-
Filesize
6KB
MD5a28fd5f0866fcdcca1c5092e41a408f7
SHA1f189fe2d67a696eb0710d934bf07cb2b44fb965d
SHA2561e38960968c688c78f13c67b51d2a68275909381ffe6a0105d97ccb558cd5237
SHA5128882fdf27a8a5545c497f598af77ef152c9e994b42134522156fc2484abf173b2c2a13255820bace8254cb2ef0a9c69c8e7582060f6491e35997ddfdc81621fd
-
Filesize
6KB
MD5fe0a515a6c49a4f08763b2371cf85b46
SHA1e8158e63e0751019ce4eeaa7ff97b6b092da3b36
SHA25676a8fa6a290f093f5458790cb946558e80067a2c78462aca417db31655fb3a17
SHA512e7bfca870b957128267448ec902537df2ef9552b72baa3b89a12f4bc13e3aec1bbc3846e8fb945f3726d796c14fd46f8b560e12fa59a67a0d4918c1d3a1c5aa3
-
Filesize
6KB
MD516eac01191a5080473dccab0d171fcdd
SHA1748089e6281b9835109d89101ede7022c7cdc91c
SHA2563f5854c73d8f5ff132563c311da5f30641ec83abd1df938fc262d5242c12546c
SHA512515f0e90a43c228a549bd3fffbbaaed48439dc3a4f8fef91e988559479a5f82880f04ef80e3df78b0b573646773f94e957531e2b188223e7482735fbf7c09ff1
-
Filesize
6KB
MD5ba7ab1f68fcc26dce6103ee689eb409d
SHA152899a53544c6d82a1a20b56c1bc885c6558d2b2
SHA256487c6d0574754c49d0926507718d6b283a9219325d8a40d83a97536ac4f5c6e5
SHA512ed25b5c3933ba4a1a108b52a90c9a95f602e7e017d00ceaf906f64109ee21bd33b4a7142701b46446ba7c2217830a5982bbf7580dea873e7fad4677d3ad539bb
-
Filesize
1KB
MD50d75eb666ab6571960accda5757edf1d
SHA1e260f54d283e6426e799410c19a3d3bfa6a961db
SHA256a1f23dc7dac4535b71a06702144eb7b2328fc5a76b35a486f80d49b4f234ed96
SHA5123ecc5d560f5d34d9247b732be3a266af6edcc1331709f0670d967e42bcfe831864ce7c6695e22e7b292cba117eb166f4c1966c5bc4189be1b172cecd103abd60
-
Filesize
1KB
MD58edfb71ad21f0f8f3871b63b1ead2a82
SHA11ed361ed0a986d4b18c395eae3f68c03d333dcdc
SHA2563c03982a0d58f24f40d8614699753b1cc847fdbe9dd8302c82e76b2167c0c740
SHA512b2a93288071f0be1c8fce2fce922f42a4f3547007397c1b150848d0c5a827d88fb52359590c13cc4c6d06fd47b579e404cf9241f945f4ad40bdca789cbc077bf
-
Filesize
874B
MD5190d573aa8cfe3fa6a7a3dba17a884d4
SHA19622c0142825d56483bc34c115514c241b1c162e
SHA2565bf9429ff1f7b13c481a792c0120e6749a4ff8665e9c5603396a07c29168fafd
SHA51273b589d05b4a0064e276e9fe726d1d3698b95931420d7791cc4a0e2d07956331907971c3b15a9d2cd57150a816bfa3a5b37ab535994fe335532bbecb85b65315
-
Filesize
706B
MD593aeef9ed9391b2b19fa69ae6a780e07
SHA17e6ec7b3a3984afd6c55bf7a19238ea1d911f90a
SHA256dc1b8dd932d6cd17dabf31f81ec685dcb5be08d24068a52f4a32c1fc04221d54
SHA51228d118fbb31bf0febb62fa6cb05699cb0f0c7e84b5ddc289f90a5365bf0b8b0f45a051ea53e7466914ef35c64416673c0f8cbbcd9e7183213e5a89584f20143c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD509d22d4541ec6c2bcd4433bf16de5b9a
SHA1c2ee159e83ca191ba47918c396d955166838a9d1
SHA256ae05c9d39acc300aec56a4d3c0213cdfc3f6c4a1b072eee2852afbffd4dad76f
SHA51211e95543161c050c4494f4d52b80779b0e2f953b1dba6ff90889437ee570212de000c322eaba8764b8c1fd988b427d3c6f52c485869d4b1a48f034343e780ec9
-
Filesize
11KB
MD5984c9295ca6c0d90337adbb68e643ffe
SHA1125af1d51aefe56d05536cea2016d0234a06719b
SHA256429c6b3d89e765f1b86d9698e4633380196dc202fca4c902e4e3fb4168566dae
SHA5126b339ed2b13dfad8d4d45570cd40c02a5c132f7f6d7200ef8eece280ccdc35e291b65c7a9d566a293613d8e6650c31a7753a47e1a2690f528dbe4f949313bc6b
-
Filesize
330B
MD58e12765b70d3c038a48302793cce8329
SHA1a90d4b96b3f250ade21627a401eb66763fac0135
SHA256939cecf539eb89f0d63101e99c5bbdfc4cb6fd2aec13e7799955650ac67e63a2
SHA51231e62054c930bba125c1ddd96b1ae1504e94f93e131ef6d43f0718de1c7479a022c606753b67fc7692dde20703f4ecc121911621f0a626987202f0337c4e826b
-
Filesize
296B
MD52bef33a50313586b83cf8e1faa129688
SHA17863081c9933a44af5d2f1bbba726d5b5be31acb
SHA256233dc6ad74a21661920117903a86d1b9688634de0c80ac75425baf228acb4478
SHA512ee5cd1616f344f93cebc12c6324368d29b3dfd833a11af6999754a910ddd0a9b6fd5b7445395dbf8fd3703bf2d8a5ef363924b10a2f4594d8f3dd259e4fb021e
-
Filesize
8B
MD50d7dbd96fe6d0a5f0efb4f55e8561e8f
SHA1839182cee3df6d5b2c989b4881b37d0a9c42f168
SHA256996a89fd6bfbaeaa1136b801d32ba387187a89862f7f00b1d5a6777da372f4ac
SHA5128fb3900ee7dd9d0196fe446426aa89997e4899ddb74f615b522b75100cd9970c73250126e6a1be83099be9bb1e9402149301ccd8e64bb2987a3a92cbe0f6ee6d
-
Filesize
304B
MD5d76885370e55b8f2520463a847b98bdf
SHA1305199a1d5394ed827cb802038a38aede5843437
SHA2565417b43d7ab307436715cd300087137159d43ddba98e24848c6552febd7e0d48
SHA51236a64e18be55095c17edc8fb873080eb057a7edd869077081590760d8cbe2bbbe5595761b081c90b22b4a413846c249b94ea9390fac82715a3dc7b4b55b43e06
-
Filesize
14B
MD5816cae6f87c10747e73011e19198f2c8
SHA101d9f01b57367c29fc2f9ede2ec625187773cf2c
SHA25682c8bdce355c14c90b32f8f4ad6def0cfd0b648e0e89b1657ce9436268c879a8
SHA5121a56a58c7bfab0f358d079da4135d162417abdadf8a023c55753ab43cd7518136b9b10624f750c8a4b3f94ba41cbd65d348fb4573a441402f653b7e4cc09b537