Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    49s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 19:34

General

  • Target

    https://cdn.discordapp.com/attachments/1248462287212118017/1248478843015266304/Release.rar?ex=66ae4cc7&is=66acfb47&hm=71ec0f2343b780f1e8c2fbf599991de436ed318b6e1f418761e2affe429c388e&

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1248462287212118017/1248478843015266304/Release.rar?ex=66ae4cc7&is=66acfb47&hm=71ec0f2343b780f1e8c2fbf599991de436ed318b6e1f418761e2affe429c388e&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9937e46f8,0x7ff9937e4708,0x7ff9937e4718
      2⤵
        PID:4336
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        2⤵
          PID:3176
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4496
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
          2⤵
            PID:876
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            2⤵
              PID:1612
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
              2⤵
                PID:1344
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                2⤵
                  PID:2540
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2116
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
                  2⤵
                    PID:2176
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
                    2⤵
                      PID:3428
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3996
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
                      2⤵
                        PID:4352
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
                        2⤵
                          PID:1512
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
                          2⤵
                            PID:2296
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1338229924483615135,13664528094055816111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
                            2⤵
                              PID:1828
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1348
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4172
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:4320
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4380
                                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                                    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\Release.rar"
                                    2⤵
                                    • Suspicious behavior: AddClipboardFormatListener
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2764
                                • C:\Program Files\7-Zip\7zG.exe
                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release\" -spe -an -ai#7zMap1388:76:7zEvent9660
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:3664
                                • C:\Users\Admin\Downloads\Release\Loader.exe
                                  "C:\Users\Admin\Downloads\Release\Loader.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:2056

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  f9664c896e19205022c094d725f820b6

                                  SHA1

                                  f8f1baf648df755ba64b412d512446baf88c0184

                                  SHA256

                                  7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

                                  SHA512

                                  3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  847d47008dbea51cb1732d54861ba9c9

                                  SHA1

                                  f2099242027dccb88d6f05760b57f7c89d926c0d

                                  SHA256

                                  10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

                                  SHA512

                                  bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  a3901e28d18c20131b209da72d9526a1

                                  SHA1

                                  de01794fcb015922db6f3e4cc3c39fd3e7ae1205

                                  SHA256

                                  b01e426002b9cc85b42976a290d4c33fac5c0b8fd829112b713af399cdd26d22

                                  SHA512

                                  0afac543a359b280ddafa8393aeead154e8021372f49e01bf98750466dff99699707f344ff1a2c3ce6889ac4a8a5130be81328263232a4a209a73481238d3d66

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  ea7fb7149d4f4ceece6e6ee9ebc9f78e

                                  SHA1

                                  c92bd5c2fda20bb75304e1195ef8503d1581629f

                                  SHA256

                                  419084360fb5d6111b7c3757a596ee24517ac4bdb69dda34c5fc36e095a7c41b

                                  SHA512

                                  595e68d9a475c2c45988bddaadb0ea2521fe4012481926027c41351935a682b10d4ec616ac58b1e78e3333e553bba67a7a97b15f4c4b9ae379a7b4c5ab1b9659

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  5fd2082db5c27b59d5d9c81a1b2d2bde

                                  SHA1

                                  f354966ea01595082da06f27b325c9f07f8eceba

                                  SHA256

                                  4faa644ec9d12bbc7e2bfe1232359afbe068ccb9a47c276e359be7efc69cfc16

                                  SHA512

                                  8b3ba781b02b69f069abc0833cb49feb15a7cbb500fba93456af6d89e307eefd812fdb77308c2c4ba7b8187e730555c8da0b22a49729a6189ddefe684ad4e8ca

                                • C:\Users\Admin\Downloads\Release.rar

                                  Filesize

                                  7.5MB

                                  MD5

                                  60b5b7b3dd0be0f2b75c71720fb1ee20

                                  SHA1

                                  86efc1fa137487f16669f69e27699492db809929

                                  SHA256

                                  f8a77b7aa936402f745791cbd5da9794acc1094f9297ce60fb345c6389183103

                                  SHA512

                                  ea2db1961cc58f5dd666271e37bd62220b12d7447cbaf7a39ea874db0829064b9ca04248b3bc117b314487a96a8752b65b832c2fee3b67c9007fb0569a7a723d

                                • C:\Users\Admin\Downloads\Release\Loader.exe

                                  Filesize

                                  6.5MB

                                  MD5

                                  d93b104874de87a9d8cc9df361eb9a97

                                  SHA1

                                  a5dfa93756bbafe9bb0c2ce5f136b61e422211d7

                                  SHA256

                                  7f273dcacfe31168241a1216de014d0b10073868134a5c95770378740548550c

                                  SHA512

                                  d11226524d70a5473e663d12b7e862b86333dd39f2e9bfb434e9697698da787c03240c20356e87dd65681596c4a8a8ab534bfaf1cfd9ff189fc2f577b25fecb2

                                • C:\Users\Admin\Downloads\Release\libcrypto-3-x64.dll

                                  Filesize

                                  4.5MB

                                  MD5

                                  a74d363d18da29e8ccfeefaf7f633827

                                  SHA1

                                  7e4b60ac065f2d9244ce50cf521b2bed4ee4ce0d

                                  SHA256

                                  8992146b37b97f2c2c33845bc90113aea6589e49a689245457274b3c5b7ef822

                                  SHA512

                                  c31ceaa3ba76d57d1e38f71aafee1da040b776f744006434ef061ce2db2bf597a8cd2b64f03cb381396685bc9b961252ecd7b4435bacc4710fbc33c1e8592045

                                • memory/2764-60-0x00007FF756C90000-0x00007FF756D88000-memory.dmp

                                  Filesize

                                  992KB

                                • memory/2764-61-0x00007FF97FFD0000-0x00007FF980004000-memory.dmp

                                  Filesize

                                  208KB

                                • memory/2764-62-0x00007FF97FD10000-0x00007FF97FFC6000-memory.dmp

                                  Filesize

                                  2.7MB