Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 19:52

General

  • Target

    https://github.com/mategol/PySilon-malware

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/mategol/PySilon-malware
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc8c046f8,0x7ffdc8c04708,0x7ffdc8c04718
      2⤵
        PID:3400
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        2⤵
          PID:2864
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3540
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
          2⤵
            PID:1176
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:2040
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              2⤵
                PID:4104
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
                2⤵
                  PID:2056
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3508
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4068 /prefetch:8
                  2⤵
                    PID:752
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
                    2⤵
                      PID:4068
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4428
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
                      2⤵
                        PID:2144
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
                        2⤵
                          PID:568
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                          2⤵
                            PID:1876
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
                            2⤵
                              PID:4344
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4020 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1660
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3996
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3696
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:1680
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5668
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5736
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5824
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\README.md
                                    2⤵
                                      PID:5876
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\PySilon.bat" "
                                    1⤵
                                      PID:464
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\PySilon.bat" "
                                      1⤵
                                        PID:2084
                                      • C:\Windows\system32\OpenWith.exe
                                        C:\Windows\system32\OpenWith.exe -Embedding
                                        1⤵
                                        • Modifies registry class
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5208

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        e4f80e7950cbd3bb11257d2000cb885e

                                        SHA1

                                        10ac643904d539042d8f7aa4a312b13ec2106035

                                        SHA256

                                        1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

                                        SHA512

                                        2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        2dc1a9f2f3f8c3cfe51bb29b078166c5

                                        SHA1

                                        eaf3c3dad3c8dc6f18dc3e055b415da78b704402

                                        SHA256

                                        dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

                                        SHA512

                                        682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        2KB

                                        MD5

                                        77e3644e95a021fd178f8265bda7205e

                                        SHA1

                                        68326c77e74f45f79feda842fc6807d36137af0c

                                        SHA256

                                        586cd4f6884ca98250b29a3e4e7fc95f7356f8208d9c04271863a2ca0f049873

                                        SHA512

                                        a3e3a984e2030b12384f39147d9021a8231abe8134e8400598cea3145e680f085ac36c153b6166d8b473d3ab8681419d5be4942ee173775603f36b23d72840a5

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        748B

                                        MD5

                                        91d82624fc52f23ffa3832f67b61cd70

                                        SHA1

                                        1dd90403702abb7ce80bb4c08387b9046164b225

                                        SHA256

                                        f5bacce4418597a9bf5bc4731a692686557e14564939d59810e053cb2d393869

                                        SHA512

                                        2c65642689e377064ef0f7b5faf2e396d983b47270963c73dc9920a4d8981a0c91d7b69701a752a517f6c12c41f21cde11dab408529c0ceca21784e10f841570

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        cc36add3c758266e893a109d6e3f097c

                                        SHA1

                                        ebc0f51d5ea4c09a8857e359e39514efe17c59b0

                                        SHA256

                                        8a26af0fbaa066c286eb5217f2d053e549741f3681e04f710c34e4786191b46d

                                        SHA512

                                        b5665ddfd2733c748f8e3416561e6093bc8107fe2d5dc557726ae67937bffb4625b2f1b0abe79c27efeb5cee124e8958c4cd4bcdb2738fbdac31f80cd24c1876

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        3a875902c2134dec56f7fa99c89805bf

                                        SHA1

                                        798e3b5d7942a796eb1c0ae326408c5903974281

                                        SHA256

                                        24d754bddf0f68a7b286254e28c5ba512d5e60912f63f99ba89a32130c4487ba

                                        SHA512

                                        d953578a5aee59d23ee589a2df4fe91dc023347df37c25530320ca32e383a72faf975891ec8bb6c628949ef809148ae6b0a7d9b84559a3aa19488b57db9968ff

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        07a7e3d878d6c1edb126e0ae6c327f49

                                        SHA1

                                        a931e75c7c8abb2c958a415f92f218a417050eca

                                        SHA256

                                        6bf1963a5614bd8754b179fa8bfa8860c7c0d97b6c5cdae5f77d9f48e95e463a

                                        SHA512

                                        69a5e24e708c1f7ff1fbc3bca6062fdd68f641f197934002b61b21ec96a0216d52d4e3cd633228e2c765e7073575419bbfd886712248d030299cab40c9894056

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                        Filesize

                                        1KB

                                        MD5

                                        545ed7645151eb7e6992cc174bf78167

                                        SHA1

                                        978c985e6adf5d08596ea530c6cb0ccd89a0d68c

                                        SHA256

                                        8357990b8cda23dd58e61732f6f79d9a04dc8bc9efac6433abb89493be9c9963

                                        SHA512

                                        2563854aba6c10cb015ecfe7286816575e59428f84c92ef3b2717480f98a3da7bf5d9b379a3c22b6278953aba812e91d4216fb1eafbf1c9e1e8388dfd1d3d2f0

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e484.TMP

                                        Filesize

                                        1KB

                                        MD5

                                        25401fa319958b59b863426801fd8046

                                        SHA1

                                        5f76b08343c2704ad7e687901468c9e9561e8690

                                        SHA256

                                        543f87334cea36f5360c3848aee26d97216ff4b1fa519bc84744c95a53541a02

                                        SHA512

                                        e452f9d60f56a92c44ba54e9471cdcfa3ff2d0431f8556ffa5b6a6463ab8cad44d0a5985e60c1c20504200b54c05595f6a3223ec8f163e2c0e0efcd6680e0ad6

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        c5c6e3dfcd1d91b4fbd732fcd53d0370

                                        SHA1

                                        3a5e4263e577c093337831d4fa8f1214988a19f7

                                        SHA256

                                        cff4658e712bc68ea23d71c73071ccea8992889e451f78505918e185b5dc0d42

                                        SHA512

                                        c9eeac7e17c4dc902685eabd2182ef69117dbb3fa3412831ab558c33cc8ca4f32d3e8d7b7dab5852fe8f23eaec391bfd5e629bf51f390f169c3fcfed82049d19

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        b28d29b8caa90c05c0006c24d08bdbae

                                        SHA1

                                        911e3a7c37eb9bb879ffb50fba2c7856df81f5ef

                                        SHA256

                                        78dd8f892a7b2b3917669e4d5fc7729e3b6150bdf8195059bea3c424e4591fed

                                        SHA512

                                        3641d84a663db31e10223ed28874cfe20d0c83c4d101031cfc3f2eb5f9e9070929643decaf65494ce4e5383baa2cd61055b3c91e6c4a070fbee6f33b50c00db9

                                      • C:\Users\Admin\Downloads\PySilon-malware-main.zip

                                        Filesize

                                        2.0MB

                                        MD5

                                        4dd99d359a4113d284bb4f8315a96e2a

                                        SHA1

                                        4cb3a11eac95e4716ec722dae0f02510255dfa14

                                        SHA256

                                        a9ccafa9381d1c3efb451eab4bdc476e113560d155587957dc78c7c86a8c8754

                                        SHA512

                                        468f2b55578ce2e4f39e06d4ae559f13f73dbd3ddecdf00c13e28a417275552b55f4050d0d41ca66074478ece36a9a2b6b4b117b59563556200025bd012b7d51