Analysis

max time kernel:   1800s
max time network:  1806s
platform:          windows11-21h2_x64
resource:          win11-20240802-en
resource tags:     arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         10/08/2024, 21:29
Tasks

static1      static task
behavioral1  sample 2BuVfqNL_400x400.jpg, resource win10-20240404-en
behavioral2  sample 2BuVfqNL_400x400.jpg, resource win10v2004-20240802-en
behavioral3  sample 2BuVfqNL_400x400.jpg, resource win11-20240802-en (the run this report covers)
General

Target   2BuVfqNL_400x400.jpg
Size     4KB
MD5      1308240a66224bde83dd2ea8a22828d4
SHA1     b66ad9628e14fe2e099e4aac6851f1316f46ec58
SHA256   67f9972005be1107407d1875f09086e779bc526a91ed18f95936eed046e600bb
SHA512   232e534c82a021498b8f28a601eb3b8d5c7d169b796b95fedacf49ede9d5d18972989881d563c2b14c1aedcf9e6fbe5aa7e36a57e12183e4c9ac5d4d13610f88
SSDEEP   96:b894vJh7WQiQaxFtFzoiJx5bL+nqYeuEnHs4L:IkizNLFzoY9zsO
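The report records what happened when a 4KB file named as a .jpg was opened, but nothing above says whether those bytes are actually a JPEG, or whether anything is appended after the End-Of-Image marker (the usual place for a smuggled payload or polyglot). The Python below is an added example, not part of the Triage report and not the sample itself: it walks the marker segments up to Start-Of-Scan, locates EOI, and reports trailing bytes. The three inputs are constructed here for the demonstration (a minimal marker-correct JPEG skeleton, the same with a trailer, and an HTML file carrying the .jpg name); the real sample is not available on this page.

```python
# Added example: structural sanity check for a file handed around as ".jpg".
# Inputs are constructed; the 4KB sample from the report is not embedded here.

MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
                0xDB: "DQT", 0xDD: "DRI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}


def _find_eoi(data: bytes, start: int) -> int:
    """Index of the EOI marker (FF D9) in entropy-coded data, or -1.

    Inside the scan, 0xFF is always followed by 0x00 (byte stuffing) or
    0xD0-0xD7 (RSTn), so the first FF D9 after the scan header is the real EOI.
    """
    i = start
    while i + 1 < len(data):
        if data[i] == 0xFF and data[i + 1] == 0xD9:
            return i
        i += 1
    return -1


def jpeg_report(data: bytes) -> dict:
    """Return magic check, marker segments seen before SOS, and bytes after EOI."""
    report = {"is_jpeg": False, "segments": [], "eoi_found": False, "trailing_bytes": 0}
    if len(data) < 4 or data[:3] != b"\xff\xd8\xff":
        report["trailing_bytes"] = len(data)  # nothing here is JPEG data at all
        return report
    report["is_jpeg"] = True
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        report["segments"].append(MARKER_NAMES.get(marker, f"0x{marker:02X}"))
        pos += 2 + seg_len
        if marker == 0xDA:  # Start Of Scan: entropy-coded data runs until EOI
            eoi = _find_eoi(data, pos)
            if eoi >= 0:
                report["eoi_found"] = True
                report["trailing_bytes"] = len(data) - (eoi + 2)
            return report
    return report  # no SOS reached: truncated, or not a baseline/progressive JPEG


# Constructed inputs (marker-correct skeleton, not a decodable picture).
SOI = b"\xff\xd8"
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56"          # contains a stuffed FF 00, which must not end the scan
EOI = b"\xff\xd9"
CLEAN_JPEG = SOI + APP0 + SOS + SCAN + EOI
TRAILER = b"<script>constructed trailer</script>"
WITH_TRAILER = CLEAN_JPEG + TRAILER
NOT_A_JPEG = b"<html><body>not an image</body></html>"  # wrong magic despite a .jpg name

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("trailer", WITH_TRAILER), ("html", NOT_A_JPEG)):
        print(name, jpeg_report(blob))
```

A non-zero trailing_bytes is not proof of anything by itself (some camera software appends metadata), but on a file that arrived as an image and triggered a sandbox run it is the first thing to carve out and inspect separately.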
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                     Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
These BIOS keys are a common VM-fingerprinting read, but the process doing the reading here is Edge's browser process (PID 3164), not the sample itself.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid    Process
4348   msedge.exe            (2 events)
3164   msedge.exe            (2 events)
2500   identity_helper.exe   (2 events)
1380   msedge.exe            (2 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
pid    Process
3164   msedge.exe            (8 events)
Chromium-based browsers launch their child processes with the "block non-Microsoft binaries" process-creation mitigation; eight events from the browser process line up with the eight children it spawns below.

Suspicious use of FindShellTrayWindow (25 IoCs)
pid    Process
3164   msedge.exe            (25 events)

Suspicious use of SendNotifyMessage (12 IoCs)
pid    Process
3164   msedge.exe            (12 events)

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 events come from PID 3164 (msedge.exe). The targets are four processes it spawned itself (see the process tree), the bulk of them 2728 and 928:
description                        pid    Process      procid_target
PID 3164 wrote to memory of 4960   3164   msedge.exe   105
PID 3164 wrote to memory of 2728   3164   msedge.exe   106
PID 3164 wrote to memory of 4348   3164   msedge.exe   107
PID 3164 wrote to memory of 928    3164   msedge.exe   108
Parent-to-child writes at process start are how the Chromium sandbox broker initialises its children. The signature fires on the API call, not on who the target is, so on its own it does not indicate injection into a foreign process; the check worth doing is whether every target is a child of the writer.
Processes

The sample was launched with cmd /c on the .jpg path, which hands the file to its registered handler. Everything under PID 3164 is Microsoft Edge 90.0.818.66 (Chromium 90.0.4430.212, per its own crashpad command line) opening a file, and every signature in this report is attributed to Edge's own processes. Indentation below follows the report's parent/child nesting.

C:\Windows\system32\cmd.exe  PID:3420
    cmd /c C:\Users\Admin\AppData\Local\Temp\2BuVfqNL_400x400.jpg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3164
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4960  (crashpad-handler)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff816e43cb8,0x7ff816e43cc8,0x7ff816e43cd8

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2728  (gpu-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4348  (utility: NetworkService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:928  (utility: StorageService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1528  (renderer)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5044  (renderer, instant-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2312  (renderer)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3148  (renderer, instant-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  PID:2500  (utility: WinrtAppIdService)
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:916  (renderer)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2288  (renderer, instant-process)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1996  (renderer)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1380  (utility: UtilWin)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses

  └ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3972  (renderer)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10322815149496895923,9471091394460733887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  PID:2564
    C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:580
    C:\Windows\System32\CompPkgSrv.exe -Embedding
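The WriteProcessMemory signature above and the process tree together answer the question the signature alone cannot: are the writes going into the writer's own children, or into something else? The Python below is an added example (not Triage code and not part of the report) that parses IoC text in the report's flattened "description pid Process procid_target" layout and checks each target against a parent/child table. The process table is transcribed by hand from the tree above; the IoC text is constructed to mirror the report's entries, except for the final line (a write into PID 2564, CompPkgSrv.exe), which does not appear on this page and is added only to show what a cross-process write would look like when flagged.

```python
# Added example: classify WriteProcessMemory IoCs as parent-to-child (expected
# for a Chromium-based browser starting its children) or cross-process (worth a look).
import re
from collections import Counter

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
IDENTITY_HELPER = r"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"
COMPPKGSRV = r"C:\Windows\System32\CompPkgSrv.exe"

# (pid, parent_pid, image), transcribed from the report's tree; depth-1 entries have no parent.
PROCESSES = [
    (3420, None, r"C:\Windows\system32\cmd.exe"),
    (3164, None, EDGE),                 # browser process
    (4960, 3164, EDGE),                 # crashpad-handler
    (2728, 3164, EDGE),                 # gpu-process
    (4348, 3164, EDGE),                 # utility: NetworkService
    (928,  3164, EDGE),                 # utility: StorageService
    (2500, 3164, IDENTITY_HELPER),      # utility: WinrtAppIdService
    (1380, 3164, EDGE),                 # utility: UtilWin
    (2564, None, COMPPKGSRV),
]

# Constructed IoC text in the report's flattened layout. The LAST entry (target 2564)
# is NOT in the report; it is here to exercise the cross-process branch.
IOC_TEXT = (
    "PID 3164 wrote to memory of 4960 3164 msedge.exe 105 "
    "PID 3164 wrote to memory of 4960 3164 msedge.exe 105 "
    "PID 3164 wrote to memory of 2728 3164 msedge.exe 106 "
    "PID 3164 wrote to memory of 2728 3164 msedge.exe 106 "
    "PID 3164 wrote to memory of 4348 3164 msedge.exe 107 "
    "PID 3164 wrote to memory of 928 3164 msedge.exe 108 "
    "PID 3164 wrote to memory of 2564 3164 msedge.exe 109"
)

# description = "PID <src> wrote to memory of <dst>", then pid, Process, procid_target
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_writes(text: str) -> list:
    """Return (source_pid, target_pid, source_image) for every IoC in the flattened text."""
    return [(int(m.group(1)), int(m.group(2)), m.group(4)) for m in IOC_RE.finditer(text)]


def classify_writes(writes: list, processes: list):
    """Split writes into a Counter of (parent, child) pairs and a list of cross-process writes.

    A write is parent-to-child only when the target's recorded parent is the writer.
    Anything else (unknown target, sibling, unrelated top-level process) is returned
    as (source_pid, target_pid, target_image) for manual review.
    """
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: img for pid, _, img in processes}
    child_writes = Counter()
    cross_process = []
    for src, dst, _ in writes:
        if parent_of.get(dst) == src:
            child_writes[(src, dst)] += 1
        else:
            cross_process.append((src, dst, image_of.get(dst, "<pid not in tree>")))
    return child_writes, cross_process


if __name__ == "__main__":
    children, cross = classify_writes(parse_writes(IOC_TEXT), PROCESSES)
    for (src, dst), n in sorted(children.items()):
        print(f"parent-to-child: {src} -> {dst} x{n}")
    for src, dst, img in cross:
        print(f"CROSS-PROCESS:   {src} -> {dst} ({img})")
```

Run against the real 64 entries with the tree above, the cross-process list is empty, which is the concrete reason this signature can be set aside for this run. The same check applied to a report where the writer is not the target's parent is where the signature starts to mean something.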
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  152B
MD5       3e681bda746d695b173a54033103efa8
SHA1      ae07be487e65914bb068174b99660fb8deb11a1d
SHA256    fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2
SHA512    0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Filesize  152B
MD5       9f081a02d8bbd5d800828ed8c769f5d9
SHA1      978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256    a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA512    7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Filesize  5KB
MD5       4214a11e24c1a76ce19d7bfd53d4504a
SHA1      bf8da62d4455b48b1c488300278627161566a5cf
SHA256    5940da25dcd6750441d31dc21758e57c373346cef37e111a4a8b59d984836d20
SHA512    a14dce7a3219d3153d7d670a8152cca475fb3c34ac9b18d970503d2b13628035671a6734efa61e07dd8de10a8046e3f8b86f48f7fd640937677cea6bcc3dded6

Filesize  6KB
MD5       c57020fdcfc59bbe62624877c350cff4
SHA1      2ef298e0dade31c3aab023740e4114c4ace1d709
SHA256    97ea807a52870b423b7342a28a8c2052d3b8d3821bccfac3baed6bac3d5cec3c
SHA512    b3c8a614a874d9b6306c5d32ed10d75176994fec14093fc4adc0c33a50e5b6d6795bc9339fa2da132a21a33261c37b9c260f558c8d5804fe823a34b31a4641ff

Filesize  16B
MD5       46295cac801e5d4857d09837238a6394
SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize  16B
MD5       206702161f94c5cd39fadd03f4014d98
SHA1      bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize  11KB
MD5       4852bc57696a214a07ae03c9eb6eba5c
SHA1      189b37b7c514136e363050978a77177c1e98e525
SHA256    0639acdc516979d9cd24cbc2c7ffa27d7e4b81e79519ff75e5d1946fcb20e32f
SHA512    cff2e8628dc2e4e0b49852d3ff6e3e358ace747f55b989d44ad633280dcb12452e9c3cee9a538e7cc428f9cea343ef8ed6988398ced8bdb5ea76244e641a1c4a