Analysis
- max time kernel: 18s
- max time network: 16s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/08/2024, 09:48
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: http://bigrat.monster/
  - Resource: win11-20240802-en
General
- Target: http://bigrat.monster/
- Malware Config: (empty)
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  SystemManufacturer and SystemProductName are the SMBIOS strings that sandbox-aware malware reads to recognise a virtual machine, which is why this signature fires. Here the reader is the Edge browser process itself, so it reflects the browser's own hardware probing rather than anything served by the target URL.
- Modifies registry class (1 IoC)
  description  ioc                                                                                          process
  Key created  \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache  MiniSearchHost.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process              hits
  1784  msedge.exe           2
  1336  msedge.exe           2
  1324  msedge.exe           2
  2256  identity_helper.exe  2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid   process     hits
  1336  msedge.exe  5
- Suspicious use of FindShellTrayWindow (28 IoCs)
  pid   process     hits
  1336  msedge.exe  28
- Suspicious use of SendNotifyMessage (14 IoCs)
  pid   process     hits
  1336  msedge.exe  14
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  4584  MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the report lists one row per write, collapsed here by writer and target)
  writer pid  writer process  target pid  target procid
  1336        msedge.exe      3952        81
  1336        msedge.exe      2528        83
  1336        msedge.exe      1784        84
  1336        msedge.exe      1936        85
  Every write comes from the Edge browser process (PID 1336) into a process it has just spawned (the crashpad handler, GPU process, network service and storage service in the process tree below), which is what Chromium's sandbox broker does when it launches and configures its child processes. The case worth pursuing is a write into a process the writer did not create.
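To make concrete what the "Enumerates system info in registry" signature keys on, here is an added example (not part of the Triage report) that reads the two BIOS values listed above and matches them against hypervisor vendor strings. The indicator table is an assumption drawn from common SMBIOS values and is not exhaustive; the registry read only works on Windows, so the stand-in values used when it is skipped are constructed.

```python
"""Read HKLM\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer/SystemProductName
(the values msedge.exe queried in this report) and classify them the way a
sandbox-aware sample would. Added example, not Triage code."""
import sys

BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
VALUES = ("SystemManufacturer", "SystemProductName")

# Assumed indicator substrings (lower-cased) -> hypervisor label. Not exhaustive.
VM_INDICATORS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",
    "qemu": "QEMU/KVM",
    "xen": "Xen",
    "virtual machine": "Hyper-V",   # "Microsoft Corporation" / "Virtual Machine"
    "parallels": "Parallels",
}


def classify_bios(manufacturer, product):
    """Return the hypervisor label matched by either SMBIOS string, or None."""
    haystack = f"{manufacturer} {product}".lower()
    for needle, label in VM_INDICATORS.items():
        if needle in haystack:
            return label
    return None


def read_bios_from_registry():
    """Read the two values the report shows msedge.exe querying (Windows only)."""
    if sys.platform != "win32":
        raise OSError("HKLM\\HARDWARE is only available on Windows")
    import winreg  # imported lazily so the module loads on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        return tuple(winreg.QueryValueEx(key, name)[0] for name in VALUES)


if __name__ == "__main__":
    try:
        vals = read_bios_from_registry()
    except OSError as exc:
        print(f"registry read skipped: {exc}")
        vals = ("innotek GmbH", "VirtualBox")   # constructed stand-in values
    print(vals, "->", classify_bios(*vals))
```

The discriminator for an analyst is not the read itself but which process performs it and when: a browser probing hardware is routine, while a freshly dropped binary doing it before any network activity is the evasion pattern.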
Processes
- PID 1336: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bigrat.monster/
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3952: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80bb53cb8,0x7ff80bb53cc8,0x7ff80bb53cd8
  - PID 2528: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  - PID 1784: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1936: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  - PID 2708: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  - PID 5108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - PID 1684: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  - PID 1324: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2256: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3644: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  - PID 3224: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14606645107760758762,9082432530905591616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
- PID 2264: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4528: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4584: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
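The WriteProcessMemory signature and the process tree above are only meaningful together: a write from a parent into a child it just launched is how Chromium sets up its sandboxed processes, while a write into any other process is the injection case. Here is an added example (not Triage code) that parses the report's flattened IoC rows and labels each writer/target pair against the tree. The rows are constructed from this report, abbreviated to a handful instead of the 64 repeated ones, and the final row targeting MiniSearchHost.exe is hypothetical and not in the report; it is there only so the non-child branch is exercised.

```python
"""Reconcile Triage 'Suspicious use of WriteProcessMemory' rows against the
process tree: writes into the writer's own children are expected for Chromium,
writes into anything else deserve a look. Added example, not Triage code."""
import re
from collections import Counter

# Constructed input: rows copied from this report's flattened IoC text,
# abbreviated. The LAST row is hypothetical (not in the report) so the
# non-child branch below is exercised.
WPM_IOCS = (
    "PID 1336 wrote to memory of 3952 1336 msedge.exe 81 "
    "PID 1336 wrote to memory of 2528 1336 msedge.exe 83 "
    "PID 1336 wrote to memory of 2528 1336 msedge.exe 83 "
    "PID 1336 wrote to memory of 1784 1336 msedge.exe 84 "
    "PID 1336 wrote to memory of 1936 1336 msedge.exe 85 "
    "PID 1336 wrote to memory of 4584 1336 msedge.exe 99 "   # hypothetical row
)

# Process tree transcribed from the report's Processes section:
# (pid, parent pid or None for a top-level process, image name).
PROCESS_TREE = [
    (1336, None, "msedge.exe"),            # browser process
    (3952, 1336, "msedge.exe"),            # crashpad-handler
    (2528, 1336, "msedge.exe"),            # gpu-process
    (1784, 1336, "msedge.exe"),            # network service
    (1936, 1336, "msedge.exe"),            # storage service
    (2256, 1336, "identity_helper.exe"),   # winrt_app_id service
    (4584, None, "MiniSearchHost.exe"),    # top-level, not an Edge child
]

# One flattened row: "PID <writer> wrote to memory of <target> <writer> <image> <procid>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm_rows(text):
    """Parse flattened rows into (writer_pid, target_pid, writer_image, target_procid)."""
    return [(int(w), int(t), img, int(procid))
            for w, t, img, procid in ROW_RE.findall(text)]


def classify_writes(rows, tree):
    """Group writes per (writer, target) and label each pair.

    'child'      target's parent is the writer (expected Chromium behaviour)
    'not-child'  target is a known process the writer did not create
    'unknown'    target pid is absent from the tree
    Returns a sorted list of (writer, target, target_image, count, label).
    """
    parent = {pid: ppid for pid, ppid, _ in tree}
    image = {pid: img for pid, _, img in tree}
    counts = Counter((w, t) for w, t, _, _ in rows)
    out = []
    for (w, t), n in sorted(counts.items()):
        if t not in parent:
            label = "unknown"
        elif parent[t] == w:
            label = "child"
        else:
            label = "not-child"
        out.append((w, t, image.get(t, "?"), n, label))
    return out


if __name__ == "__main__":
    for w, t, img, n, label in classify_writes(parse_wpm_rows(WPM_IOCS), PROCESS_TREE):
        flag = "  <-- investigate" if label != "child" else ""
        print(f"{w} -> {t} ({img}) x{n}: {label}{flag}")
```

On the real report every pair comes out as "child", which is the benign reading; the hypothetical row shows the output an analyst would act on.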
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 9af507866fb23dace6259791c377531f
  SHA1: 5a5914fc48341ac112bfcd71b946fc0b2619f933
  SHA256: 5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f
  SHA512: c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7
- Filesize: 152B
  MD5: b0177afa818e013394b36a04cb111278
  SHA1: dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5
  SHA256: ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d
  SHA512: d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db
- Filesize: 471B
  MD5: 51ef93e02310f93f6e44242f8e82fc17
  SHA1: c804f6050d5594a1a10352673f2fc78c46e12791
  SHA256: ffbb3bfa1df3142c0d89d0d0de80194e941f2e6aeadc42d1e9e3cf56f2fafe0b
  SHA512: 899cfe1e780ebd0e4931a05a33e61c2492020e5a40cd8c5edd4aef80282062950bd2179c2c70e83b492b65ae32362bc11a960efac3af1049d85e0e3f150c5803
- Filesize: 5KB
  MD5: 4543582bee5908fd216b80041d55e212
  SHA1: 4fc328b9d99d7af6d6440eb0f9cd4e55c56a2e82
  SHA256: 6c603787351e2c0af9eb834372452d8d0f304596293a01a240abd3062a95da32
  SHA512: 4424772e8114559927f76a6bcb2a9d7bd14ed53e250ba98e94522ac05162e1abdcf080fb45c3f0441566022e25f0c8b6ba54de137db1173e142cf5834c36d64e
- Filesize: 6KB
  MD5: 815f18200f88860cf93162819203cb78
  SHA1: 292086dd567e0d637340740e4c608233164c4b28
  SHA256: 7a7d5f90f1da44a5c30c7d508a52c4825bb0aa6edcacb38b9ce0cf515e8a4d4e
  SHA512: fd7b8fc10b65160e16eb28f3b17c4f1b32be1ab69790e9976479cceab26494337630e0359336ec99367f4cae21a52d2def8a374774c07c235401a42f0c9d9b35
- Filesize: 6KB
  MD5: 1b6a3268353821bf9268b3072249761a
  SHA1: 797de1a3b981fd4b20b9f0519ce2845d0e90e054
  SHA256: d6ad92b38bb5abb4a390062bf79dd4ddd126955b4fd82b6975532ba4a9ddcaef
  SHA512: 8ca05d6434c0e295f35351f83a8b83a0dcbecc9f0d09c9fda29451699f416e3fd56754f071b25afeb38f48a7f5456e6454c138bba383eafabde3c1ab90ba201f
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 715b19590c95173f6bdd6e3fd771fc02
  SHA1: 54a62ff093f8412530740dbc1615704216e4d63a
  SHA256: 4d996deb7d1c935988df6afa258505f49931e6b15153104468b56d8d7004f4e0
  SHA512: e55f559d6643eba7c86bacd7e1ec9f61d2054be24a3cf49c1ef77e5e2b14aea10decf753b62d070afd1ef7483a7c515bb094138b1a5b05cbd3d92ceeca0e70a9
- Filesize: 11KB
  MD5: 7f5e221cbbb62037f450ebb9d6593083
  SHA1: 0378b9887f104f2405235670ab8f21c77a0a2999
  SHA256: b71ab4874023f40d114a89e4b8d05cf495dc35d52c3d938509b10adfd1ed2d98
  SHA512: 32ef8b1c5fc8ebae9b0760dc7a802c086b6d897966d28d03e18e5bdcd46c928c9e9a0d2e311b8a3cccc98f9f5465116662d743a0bca9cf400af40a6908d9fa56
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 30f9f69bd4cb3ca8ed4af465e6bf3b72
  SHA1: 1f7bf3625d683c1af38485d1eb39152949648749
  SHA256: fbb114871abc3901711a5f204cb370f1cc1602ad89fa0c8155288ec72e4eaf36
  SHA512: ae96746716d0b47912c191ca52db48ee40aca9591444c1f0ffbc913346be1fff1e9f71c6e66cb4c175fd308e04a504367dd56bf84920f94c65142cd8508258c2