Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 07:01

General

  • Target

    https://www.mediafire.com/file/yo2igmbhgzbsjqk/PizzaClient.jar/file

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/yo2igmbhgzbsjqk/PizzaClient.jar/file
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff631046f8,0x7fff63104708,0x7fff63104718
      2⤵
        PID:3184
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:688
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3792
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          2⤵
            PID:4980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:2920
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
              2⤵
                PID:2984
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                2⤵
                  PID:1520
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                  2⤵
                    PID:2732
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
                    2⤵
                      PID:3484
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
                      2⤵
                        PID:3204
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
                        2⤵
                          PID:1388
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
                          2⤵
                            PID:2044
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
                            2⤵
                              PID:4340
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
                              2⤵
                                PID:740
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                                2⤵
                                  PID:3536
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
                                  2⤵
                                    PID:5052
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
                                    2⤵
                                      PID:2900
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
                                      2⤵
                                        PID:4836
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2404
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,9946856966846509755,18204382588074331889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7024 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:5212
                                      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                                        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PizzaClient.jar"
                                        2⤵
                                          PID:5336
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2540
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4008
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:5548
                                            • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                                              "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PizzaClient.jar"
                                              1⤵
                                                PID:5840
                                              • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                                                "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PizzaClient.jar"
                                                1⤵
                                                  PID:5960

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  eeaa8087eba2f63f31e599f6a7b46ef4

                                                  SHA1

                                                  f639519deee0766a39cfe258d2ac48e3a9d5ac03

                                                  SHA256

                                                  50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

                                                  SHA512

                                                  eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  b9569e123772ae290f9bac07e0d31748

                                                  SHA1

                                                  5806ed9b301d4178a959b26d7b7ccf2c0abc6741

                                                  SHA256

                                                  20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

                                                  SHA512

                                                  cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

                                                  Filesize

                                                  20KB

                                                  MD5

                                                  6931123c52bee278b00ee54ae99f0ead

                                                  SHA1

                                                  6907e9544cd8b24f602d0a623cfe32fe9426f81f

                                                  SHA256

                                                  c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

                                                  SHA512

                                                  40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  68a6e2c0f9aad75892aa8592bc7aecb6

                                                  SHA1

                                                  57395e77ca94bed3d6ec8a2f62dc07d029758d88

                                                  SHA256

                                                  338726695602fe0c4e1656dba2c99d2099ed936482ad05131f91f9284fcfe6e4

                                                  SHA512

                                                  79b2ef701ec0c375275ee2c14d56c93f1fa16973de70bc9094e866595cbd33e1c229110602a135ed596ac1983d21b03b013bc2521772ab7fca0d03928d675a1d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  2fe29d21f329bbb657a3931d40d90a27

                                                  SHA1

                                                  6bf9d01f71a391487cdcca45ae8aa63be58e36ee

                                                  SHA256

                                                  aa79646f01061f212ba70616ad3761ef638d8558f551624cf4df7a890edaa0d4

                                                  SHA512

                                                  c3b56d3c2cae3630e20541ba210b6e8c4e5cb43c54df1210c8d924cf8fb104f90f382cdef38bea7c597f24aacce9ecf69e6d16b1779cea9031176e2a4cef3d2c

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  55723c1c1ac099243b85e0b2a23ed324

                                                  SHA1

                                                  12ae1eafd6285b83cf2a1e41fe2a7861faf69c83

                                                  SHA256

                                                  85fc8e7108cd6899de20565201e09a0fb858a3166dd3d04f1c549cd51bbe5a73

                                                  SHA512

                                                  70d5a7814af86c133246f5dc53138466af1bb203709c18fe20ee8896865a8ebebd4d22ec1ec02abf0fd9205be2e55473b5c5774493da2b45a7c2fba79084b814

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d90a.TMP

                                                  Filesize

                                                  534B

                                                  MD5

                                                  569f78519f6bd13b97cc24ae6270be65

                                                  SHA1

                                                  800d4b23ab25bff330d4a1e32216e6f089b63396

                                                  SHA256

                                                  64cbc0cb4567ba91a370dc76b06a1f372875cb0516b52ba6ab262a1910548f72

                                                  SHA512

                                                  49745a24baa407501450712aa851ea7cb97a03688a05a1553ec0ec8909f5651195d67a5a58dcf23afebe8d36d7f00158b9b8b64418e1daac8e992269b8c55988

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  10KB

                                                  MD5

                                                  dc5f056946f7b902bb28161a00a808df

                                                  SHA1

                                                  c762d8a0de0dacd8950babbbbd5ff88c827c549b

                                                  SHA256

                                                  664c23ba6ee45743b6cff6aec4cfc5de95a6a886e8dd18b89f989f18e6ecb419

                                                  SHA512

                                                  3e5d94020844093f1bd4bbbfce02dc621714c0779dcf984d67d12a31935cd2a29bb4e0f0149daf4a473a6e67f834a769c43d63d75cdffccbdd29fc6464313b5d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  10KB

                                                  MD5

                                                  4935842c8e2d6965275fa7db165a2253

                                                  SHA1

                                                  a84ed02490ec7b9deea6d76b954879505e55ad8c

                                                  SHA256

                                                  c4b333ec6fd9693c578ae1388ab876fd6fa8172ccdae6d1f2d253875cbd885d7

                                                  SHA512

                                                  ab8e59e72021164bcb21a4dd38458b174e5889037ae0fabdc4562273e217796d63dc7b2118f32b1728b1cfc73d40c127081c737454efa23d1d862f768a1c534d

                                                • C:\Users\Admin\Downloads\PizzaClient.jar

                                                  Filesize

                                                  26KB

                                                  MD5

                                                  da931bc7ebaece5949cd4563ce52ae2a

                                                  SHA1

                                                  9866bd4a88b832c90f656102ce73f29d7fa960ed

                                                  SHA256

                                                  a5cc4210e1416457f5727f5d5fa641c4731c12ad55ee496d2fce76f566737206

                                                  SHA512

                                                  7159ee8ceef9582b1ca5b2c0a219036a17d5eae0c5c6a50c0c92d7c103bbd6a8aa0ecdbccb873be97060ab2ea8c9c2f0323e3f126d6055838ae25fd5af127d3b

                                                • memory/5336-224-0x000002309E810000-0x000002309E811000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5840-279-0x000001D576EE0000-0x000001D576EE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/5960-291-0x000002255D7D0000-0x000002255D7D1000-memory.dmp

                                                  Filesize

                                                  4KB