Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
31s -
max time network
36s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
19/08/2024, 19:39
General
-
Target
https://drive.google.com/file/d/19Kz9FXnoFZ9qaPhB7R1wTAkvipMibFnT/view?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/19Kz9FXnoFZ9qaPhB7R1wTAkvipMibFnT/view?usp=sharing1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd6bbd3cb8,0x7ffd6bbd3cc8,0x7ffd6bbd3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8139499292715034856,10087957336861998332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5026e0c65239e15ba609a874aeac2dc33
SHA1a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA5129fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
-
Filesize
152B
MD5228fefc98d7fb5b4e27c6abab1de7207
SHA1ada493791316e154a906ec2c83c412adf3a7061a
SHA256448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
-
Filesize
408B
MD55e846a8f9be5c2fabad8ae02ac1eb2d5
SHA175d0aa3e86d5908452635db3401c92dd6468aa24
SHA256408a00292757841bf094cc27d76b66c266e03dad8822a4c48b576d8ba997a676
SHA512ddb80159afde8618431d598d22a69562bddee661a33fbde7c456aaa0859e6b5e31fe2f048911cf2f77e42e94ac1ad617f5cb8e16214c648cec7c301a2ac02f7b
-
Filesize
3KB
MD564dee14b77500ef1e58c4069c28f7751
SHA1161f73c4c745ce5f45259db0dd280861f3df54f3
SHA2567365c102377156c6524e38312db991b4d26a9bb75660d1e9c7c53f98675c2fd7
SHA5120ac8157d13751cd8e0e389cc8da133ef146040d75e490e84a9e57ab870663ec8a002fe9f975d3e63d3690a8a8df14831a55ee9c944135bcd2f85c4e5e4d68712
-
Filesize
6KB
MD5c38b8a3ba0dff06b9314099307426015
SHA1571b52ecf41a789bb98f0eb7fb5f9f2f21646a85
SHA256f4c6a396f376578362965271fcac848431ca573f5c89d437cbe40980bd4406fd
SHA512df13bf9460fe0b15ed84476a59adb2a5f684bb480fcf2d8fb1736fe05580decf1164d454d4b7180d6faaed4a30b2581443ea9932ab1cc49a4913bddfc2af2086
-
Filesize
5KB
MD50d2e5e7788dcc1ab5f0bdc36f6ece375
SHA18bd75a21f1e8f916ff59931621a4bd859d915b17
SHA256e81bad2f7408e6307ffc2c50b55dac663d8dbf30592b067330b8558b6cfe0e96
SHA512115eab6ae9b477277373ffbbe820aa0c41f89e6a075dafa01fc8ff23d4549d8afca1b77b39c92ccee44ffb613ce806621b6791f02a23b875867c9d0858e9a666
-
Filesize
6KB
MD53d7bbb94236f3024d2fd711ab50f595e
SHA107d723d2463585393243816249cc73381e89fe17
SHA2569bc6cddb9cf6d36cb85938a165af75a95e0c8e24b425be2c0dc935298673fff6
SHA512798921573f37f85449e455ad45d6a54a408692c93471a9cd8af3e9b9d1f966123e47ac675a9adfd2513decbc2edae21303c83fd05dc754fc0ede97ec7dc9c593
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5050e272c846d03120dbd47b0eb6adeb9
SHA17840f9cc056a7b5a62ecdcc66fd6fc8ee97f2b17
SHA2564adbd5fe3a8ed3ba09c0b0ae9de377d702491d9e6e86df31d9d955deb712cc53
SHA5128b3141fe64524bcff71d8c9113a3813e98cec1ee1a26829088a8683b059632688a2fd0809f6b1c1186f3e43e9e43d21ad3b1b9d92036413f117c02eeb54da31a
-
Filesize
11KB
MD5d581faa24a94905effc4d34d7553349e
SHA14514f3e392e4e937ee71d00224330b4b1320ca0a
SHA25605ee0080dc184ca3c5964754c793a9407d66e2bf5aa715f77bc2eb8bcd474e3c
SHA5123895bbca7811d4d928a0ddf035c1475acfaee518c98d732ff8889a3b6631ec289c28150464903a070557bd7686b07726773f3f55e5a2d2564055857a1769a584
-
Filesize
186B
MD552ac4e6f1d38b338aa3d003486883c6d
SHA142355aa0fcaa8aa444a70537db68ec51d56e66e5
SHA256a728d7e44365391ee602eeb829802890b53ebabad2f503510eb2f38dc57ed4b3
SHA512ad105d17bb2fc459bffdc6d2c72ebfd6542dbe5fc115da3dd57e63df87e53da122aa3b8c1f35ed94c4ac919b6dd829053882e0491b33ccef7ae9015c9944c191
-
Filesize
291KB
MD598c98c6c39b50619e67295d991545679
SHA1b7ff2540eeb12921c5834fcbd5f44909c1068fcf
SHA25656b71b67c7b8b07f7a599be6472a47e6d9e4c61eaa63991a92380b5e2a50498c
SHA512f508f06a23137c1fb0e95edbbcab5fedcf662ad29ac010efce78bf7309161e0d18e2d51e3727ae481f825aa5ac31644b874fd7820544aa4c4925b6842d66fe7f