Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

Score  Target                  Platform
3      Static                  static
3      lvxing360/...o.html     windows7-x64
3      lvxing360/...o.html     windows10-2004-x64
3      lvxing360/...est.js     windows7-x64
3      lvxing360/...est.js     windows10-2004-x64
3      lvxing360/...ata.js     windows7-x64
3      lvxing360/...ata.js     windows10-2004-x64
3      lvxing360/...min.js     windows7-x64
3      lvxing360/...min.js     windows10-2004-x64
3      lvxing360/...o.html     windows7-x64
3      lvxing360/...o.html     windows10-2004-x64
3      lvxing360/...e.html     windows7-x64
3      lvxing360/...e.html     windows10-2004-x64
3      lvxing360/...c.html     windows7-x64
3      lvxing360/...c.html     windows10-2004-x64
1      lvxing360/...o.html     windows7-x64
3      lvxing360/...o.html     windows10-2004-x64
3      lvxing360/...查询.exe    windows7-x64
3      lvxing360/...查询.exe    windows10-2004-x64
3      lvxing360/...软件.url    windows7-x64
1      lvxing360/...软件.url    windows10-2004-x64
1      lvxing360/...程序.exe    windows7-x64
3      lvxing360/...程序.exe    windows10-2004-x64
Analysis (score 3)

max time kernel:   145s
max time network:  125s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         19/08/2024, 20:20
Static task: static1

Behavioral tasks

Task          Sample                                     Resource
behavioral1   lvxing360/data/agentinfo.html              win7-20240729-en
behavioral2   lvxing360/data/agentinfo.html              win10v2004-20240802-en
behavioral3   lvxing360/data/jquery-latest.js            win7-20240704-en
behavioral4   lvxing360/data/jquery-latest.js            win10v2004-20240802-en
behavioral5   lvxing360/data/jquery.metadata.js          win7-20240708-en
behavioral6   lvxing360/data/jquery.metadata.js          win10v2004-20240802-en
behavioral7   lvxing360/data/jquery.tablesorter.min.js   win7-20240705-en
behavioral8   lvxing360/data/jquery.tablesorter.min.js   win10v2004-20240802-en
behavioral9   lvxing360/data/logo.html                   win7-20240708-en
behavioral10  lvxing360/data/logo.html                   win10v2004-20240802-en
behavioral11  lvxing360/data/static_title.html           win7-20240704-en
behavioral12  lvxing360/data/static_title.html           win10v2004-20240802-en
behavioral13  lvxing360/data/ticket_static.html          win7-20240705-en
behavioral14  lvxing360/data/ticket_static.html          win10v2004-20240802-en
behavioral15  lvxing360/data/ticketinfo.html             win7-20240705-en
behavioral16  lvxing360/data/ticketinfo.html             win10v2004-20240802-en
behavioral17  lvxing360/国内机票查询.exe                  win7-20240704-en
behavioral18  lvxing360/国内机票查询.exe                  win10v2004-20240802-en
behavioral19  lvxing360/新云软件.url                      win7-20240708-en
behavioral20  lvxing360/新云软件.url                      win10v2004-20240802-en
behavioral21  lvxing360/机票直通车更新程序.exe             win7-20240704-en
behavioral22  lvxing360/机票直通车更新程序.exe             win10v2004-20240802-en

File name glosses (the names are kept as submitted): 国内机票查询.exe "domestic air-ticket lookup", 新云软件.url "Xinyun Software", 机票直通车更新程序.exe "Flight Ticket Express updater".
General

Target:  lvxing360/data/agentinfo.html
Size:    6KB
MD5:     890b55f3ebe8a81cc8a6f9add7851c68
SHA1:    6ceae8c07572760d09bc8c573ef1aae46c321274
SHA256:  17b3c369603395dbf328451382c51f792e22abff0b137a3247a885d94215850f
SHA512:  7d5eaf8646429ca8c839ef3c40cd7038bbc7b1fcfb87a048f4d180ecb0686758695a8da4ea7441a2e27e273484ae228bba843bd12c1e7b61a4b7e67cd0c0f4aa
SSDEEP:  192:cF4nFKR5+e5+k45+P0QVw6QQQQQQQQEQQQQQQQQEQQQQQQQQEQQQQQQQQEQQQQQ4:kVR5+e5+X5+P0QVzQQQQQQQQEQQQQQQq
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid   process              hits
  3544  msedge.exe           2
  2456  msedge.exe           2
  4332  identity_helper.exe  2
  808   msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)

  pid   process     hits
  2456  msedge.exe  6

Suspicious use of FindShellTrayWindow (25 IoCs)

  pid   process     hits
  2456  msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)

  pid   process     hits
  2456  msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs; identical rows grouped, hit counts per target)

  pid   process     wrote to memory of  procid_target  hits
  2456  msedge.exe  2580                84             2
  2456  msedge.exe  3876                85             40
  2456  msedge.exe  3544                86             2
  2456  msedge.exe  4148                87             20
Processes

msedge.exe (PID 2456)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\lvxing360\data\agentinfo.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  msedge.exe (PID 2580)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffc457746f8,0x7ffc45774708,0x7ffc45774718

  msedge.exe (PID 3876)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2

  msedge.exe (PID 3544)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 4148)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

  msedge.exe (PID 2972)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

  msedge.exe (PID 716)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

  identity_helper.exe (PID 400)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8

  identity_helper.exe (PID 4332)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 2068)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

  msedge.exe (PID 3272)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

  msedge.exe (PID 4252)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

  msedge.exe (PID 3788)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

  msedge.exe (PID 808)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,1697393867349125303,13230114210531282673,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3728 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 4556)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 4720)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
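Every signature above is attributed to msedge.exe or identity_helper.exe under the Edge install directory, and the only parent-child writes are the browser's own launcher writing into its crashpad, GPU, network and storage children. The BIOS keys under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS are the same values VM-detection code reads, so the signature is worth keeping, but here the reader is the sandbox's browser, not the HTML sample. The helper below is an added example, not part of the tria.ge report or of Hatching's tooling: it takes the process list and signature hits transcribed from this report (command lines abridged to the switches it inspects; paths exactly as the report shows them), allowlists the browser harness by full path, and returns what is left for an analyst to look at, which for this task is nothing. It also surfaces the sandbox-weakening switches the browser itself used (--service-sandbox-type=none on the network and WinRT helper processes, --disable-gpu-sandbox --use-gl=disabled on the second GPU process) so they are seen rather than buried in the command lines.

```python
"""Browser-noise filter for a sandbox report of an HTML sample.

Added example, not part of the tria.ge report or Hatching's tooling. Process
list and signature hits are transcribed from this report (agentinfo.html opened
by msedge.exe on the win10v2004 task); command lines are abridged to the
switches inspected here, and the allowlist paths are those the report shows.
"""
import re
from collections import Counter

EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application"
HARNESS_ROOTS = (EDGE_DIR + "\\", r"C:\Windows\System32\CompPkgSrv.exe")

# (pid, parent pid or None, image path, abridged command line), from the Processes section
PROCESSES = [
    (2456, None, EDGE_DIR + r"\msedge.exe",
     r"--single-argument C:\Users\Admin\AppData\Local\Temp\lvxing360\data\agentinfo.html"),
    (2580, 2456, EDGE_DIR + r"\msedge.exe", "--type=crashpad-handler"),
    (3876, 2456, EDGE_DIR + r"\msedge.exe", "--type=gpu-process"),
    (3544, 2456, EDGE_DIR + r"\msedge.exe",
     "--type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    (4148, 2456, EDGE_DIR + r"\msedge.exe",
     "--type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    (2972, 2456, EDGE_DIR + r"\msedge.exe", "--type=renderer --no-v8-untrusted-code-mitigations"),
    (4332, 2456, EDGE_DIR + r"\92.0.902.67\identity_helper.exe",
     "--type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none"),
    (808, 2456, EDGE_DIR + r"\msedge.exe", "--type=gpu-process --disable-gpu-sandbox --use-gl=disabled"),
    (4556, None, r"C:\Windows\System32\CompPkgSrv.exe", "-Embedding"),
]

# (signature, pid or None where the report lists only the image, image name), from the Signatures section
SIGNATURE_HITS = (
    [("Enumerates system info in registry", None, "msedge.exe")] * 3
    + [("Suspicious behavior: EnumeratesProcesses", 3544, "msedge.exe")] * 2
    + [("Suspicious behavior: EnumeratesProcesses", 2456, "msedge.exe")] * 2
    + [("Suspicious behavior: EnumeratesProcesses", 4332, "identity_helper.exe")] * 2
    + [("Suspicious behavior: EnumeratesProcesses", 808, "msedge.exe")] * 4
    + [("Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary", 2456, "msedge.exe")] * 6
    + [("Suspicious use of FindShellTrayWindow", 2456, "msedge.exe")] * 25
    + [("Suspicious use of SendNotifyMessage", 2456, "msedge.exe")] * 24
    + [("Suspicious use of WriteProcessMemory", 2456, "msedge.exe")] * 64
)

# Switches that weaken a Chromium child's sandbox; worth a glance even when the launcher is the browser
SANDBOX_WEAKENING = ("--disable-gpu-sandbox", "--no-sandbox", "--no-v8-untrusted-code-mitigations")


def parse_switches(cmdline):
    """Return {switch: value} for each --switch[=value]; quoted values with spaces are not needed here."""
    return dict(re.findall(r"--([\w-]+)(?:=(\S+))?", cmdline))


def is_harness_process(image_path):
    """Allowlist by full path, never by image name: a dropped file called msedge.exe must not pass."""
    return image_path.startswith(HARNESS_ROOTS[0]) or image_path == HARNESS_ROOTS[1]


def process_roles(processes=PROCESSES):
    """pid -> (image path, Chromium --type or 'browser' for the main process, sandbox-weakening flags)."""
    roles = {}
    for pid, _parent, image, cmd in processes:
        sw = parse_switches(cmd)
        flags = [f for f in SANDBOX_WEAKENING if f.lstrip("-") in sw]
        if sw.get("service-sandbox-type") == "none":
            flags.append("--service-sandbox-type=none")
        role = sw.get("type") or ("browser" if image.endswith("\\msedge.exe") else "-")
        roles[pid] = (image, role, flags)
    return roles


def attribute_hits(hits=SIGNATURE_HITS, processes=PROCESSES):
    """Split signature hits into harness noise (Counter by signature) and hits an analyst should review."""
    by_pid = {pid: image for pid, _p, image, _c in processes}
    noise, review = Counter(), []
    for sig, pid, name in hits:
        image = by_pid.get(pid)
        if image is None:  # the report names only the image: match by name, weaker than by pid
            candidates = {img for img in by_pid.values() if img.endswith("\\" + name)}
            image = candidates.pop() if len(candidates) == 1 else None
        if image is not None and is_harness_process(image):
            noise[sig] += 1
        else:
            review.append((sig, pid, name))
    return noise, review


def foreign_children(processes=PROCESSES):
    """Children spawned by a harness process that are not harness binaries; a dropper would appear here."""
    by_pid = {pid: image for pid, _p, image, _c in processes}
    return [(pid, image) for pid, parent, image, _c in processes
            if parent is not None and is_harness_process(by_pid[parent]) and not is_harness_process(image)]


if __name__ == "__main__":
    noise, review = attribute_hits()
    print("harness noise:", dict(noise))
    print("hits to review:", review)
    print("non-harness children of the browser:", foreign_children())
    for pid, (image, role, flags) in process_roles().items():
        if flags:
            print(f"pid {pid} ({role}) runs with {' '.join(flags)}")
```

For this task the 132 hits all land on harness paths, the review list is empty and no non-harness child exists, which is the expected outcome for a static HTML file rendered by the sandbox's own browser. The same helper run over a task in which the HTML led to a WriteProcessMemory target outside the Edge directory, or to a child under AppData\Local\Temp, would return those rows in the review list. The two CompPkgSrv.exe -Embedding instances are COM activations with no parent in the tree and are allowlisted by their System32 path; CompPkgSrv.exe running from anywhere else would not pass.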
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  152B
MD5:       f9664c896e19205022c094d725f820b6
SHA1:      f8f1baf648df755ba64b412d512446baf88c0184
SHA256:    7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA512:    3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Filesize:  152B
MD5:       847d47008dbea51cb1732d54861ba9c9
SHA1:      f2099242027dccb88d6f05760b57f7c89d926c0d
SHA256:    10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512:    bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Filesize:  5KB
MD5:       8a76ab0af0c304c8e488f2c31bbb3d79
SHA1:      95346dd091d044107dce9144f733fc01a446909c
SHA256:    f8d5b9b137ddd6960fa60545d6dfa0fb3749b47d2dc26c1c43b111e3a69f19a2
SHA512:    ded352f019baab6b0a5ac186e1327505ddd41de5c545fea43659a7a0f5dc2315e30f08c4f51f0bb908b7ebed4640072bd12fe9fcf34b7921d5e3be075971cc7d

Filesize:  6KB
MD5:       06ad4ff72bdcee259300401f1ccba7b4
SHA1:      789bf6b66b5c3645e8eadd3e06435a9f5deb9817
SHA256:    a022c4260b794a4b8a047f0d6facaeb55dbe4a8ddf5d463a747ef8ead49f12c2
SHA512:    346732ce86868dad8bd01b3b884f8fdd391d27ed7c4115acb6654b224ba25f48a488f6789bcd0f86603b3918ab0971ce667c102bfad8dc377c42680fc6d38766

Filesize:  16B
MD5:       6752a1d65b201c13b62ea44016eb221f
SHA1:      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256:    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512:    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize:  11KB
MD5:       8f9773a3df0ed78173d6f564ea2f9893
SHA1:      c2bfe27472ecd43355552810d5f8f0669a34331b
SHA256:    46f7b4792688e4950db1f2ef186c6b0b19d5814561dd115f35c8cf3bea25506d
SHA512:    f21925e74511cb5daa9cadb089bd8ee4f461a73f7417165ca76ee758c67209a7b462c5f90bf76d9c2e2d690f737ca31bc4837b386461eea60384372e3b025ddb