Analysis

  • max time kernel
    1799s
  • max time network
    1587s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02/09/2024, 18:43 UTC

General

  • Target

    https://streamshare.wireway.ch/download/57h8kpypqj1dcotxjq4d3lr0acxxxnut

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://streamshare.wireway.ch/download/57h8kpypqj1dcotxjq4d3lr0acxxxnut"
      PID:2804
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:200
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      • Modifies Internet Explorer settings
      PID:3756
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:828
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3440
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:4948
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:4396

    Network

    • flag-us
      DNS
      streamshare.wireway.ch
      MicrosoftEdgeCP.exe
      Remote address:
      8.8.8.8:53
      Request
      streamshare.wireway.ch
      IN A
      Response
      streamshare.wireway.ch
      IN A
      172.67.186.27
      streamshare.wireway.ch
      IN A
      104.21.76.28
    • flag-us
      GET
      https://streamshare.wireway.ch/download/57h8kpypqj1dcotxjq4d3lr0acxxxnut
      MicrosoftEdgeCP.exe
      Remote address:
      172.67.186.27:443
      Request
      GET /download/57h8kpypqj1dcotxjq4d3lr0acxxxnut HTTP/2.0
      host: streamshare.wireway.ch
      accept: text/html, application/xhtml+xml, image/jxr, */*
      accept-language: en-US
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
      accept-encoding: gzip, deflate, br
      Response
      HTTP/2.0 200
      date: Mon, 02 Sep 2024 19:55:07 GMT
      content-type: application/zip
      content-length: 595711457
      x-powered-by: Express
      content-disposition: attachment; filename="49bdb.zip"
      accept-ranges: bytes
      cache-control: public, max-age=0
      last-modified: Mon, 02 Sep 2024 14:04:55 GMT
      etag: W/"2381d5e1-191b30d8db4"
      access-control-allow-origin: *
      cf-cache-status: DYNAMIC
      report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1TFFnYExtHWBVFEXgDjxQ0HFAIuTcKO0mHxWHNIFzFLZ9h08GT1U8hpfcMYLVDBpibxqdTBzdy6sM%2FC3wy%2BS1VCpwJINhl%2F1GXf0MsKaODgdftIkRzxY2qkuC6shtkIjr%2BuTchbeai0B"}],"group":"cf-nel","max_age":604800}
      nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      server: cloudflare
      cf-ray: 8bd00e36fb124883-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      c.pki.goog
      MicrosoftEdgeCP.exe
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      216.58.201.99
    • flag-gb
      GET
      http://c.pki.goog/r/gsr1.crl
      MicrosoftEdgeCP.exe
      Remote address:
      216.58.201.99:80
      Request
      GET /r/gsr1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1739
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Mon, 02 Sep 2024 19:15:07 GMT
      Expires: Mon, 02 Sep 2024 20:05:07 GMT
      Cache-Control: public, max-age=3000
      Age: 2397
      Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-gb
      GET
      http://c.pki.goog/r/r4.crl
      MicrosoftEdgeCP.exe
      Remote address:
      216.58.201.99:80
      Request
      GET /r/r4.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 436
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Mon, 02 Sep 2024 19:24:36 GMT
      Expires: Mon, 02 Sep 2024 20:14:36 GMT
      Cache-Control: public, max-age=3000
      Age: 1828
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-us
      DNS
      27.186.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      27.186.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.143.109.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.143.109.104.in-addr.arpa
      IN PTR
      Response
      95.143.109.104.in-addr.arpa
      IN PTR
      a104-109-143-95.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      99.201.58.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      99.201.58.216.in-addr.arpa
      IN PTR
      Response
      99.201.58.216.in-addr.arpa
      IN PTR
      lhr48s48-in-f3.1e100.net
      99.201.58.216.in-addr.arpa
      IN PTR
      prg03s02-in-f3.1e100.net
      99.201.58.216.in-addr.arpa
      IN PTR
      prg03s02-in-f99.1e100.net
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      161.19.199.152.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      161.19.199.152.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      57.110.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.110.18.2.in-addr.arpa
      IN PTR
      Response
      57.110.18.2.in-addr.arpa
      IN PTR
      a2-18-110-57.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      57.110.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.110.18.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      57.110.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.110.18.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      www.microsoft.com
      MicrosoftEdge.exe
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      95.100.245.144
    • flag-us
      DNS
      144.245.100.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      144.245.100.95.in-addr.arpa
      IN PTR
      Response
      144.245.100.95.in-addr.arpa
      IN PTR
      a95-100-245-144.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      144.245.100.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      144.245.100.95.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      57.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.135.221.88.in-addr.arpa
      IN PTR
      Response
      57.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-57.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      10.73.50.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.73.50.20.in-addr.arpa
      IN PTR
      Response
    • 172.67.186.27:443
      streamshare.wireway.ch
      tls, http2
      MicrosoftEdgeCP.exe
      1.1kB
      3.9kB
      15
      12
    • 172.67.186.27:443
      https://streamshare.wireway.ch/download/57h8kpypqj1dcotxjq4d3lr0acxxxnut
      tls, http2
      MicrosoftEdgeCP.exe
      21.6MB
      616.4MB
      457350
      456319

      HTTP Request

      GET https://streamshare.wireway.ch/download/57h8kpypqj1dcotxjq4d3lr0acxxxnut

      HTTP Response

      200
    • 216.58.201.99:80
      http://c.pki.goog/r/r4.crl
      http
      MicrosoftEdgeCP.exe
      648 B
      3.9kB
      9
      6

      HTTP Request

      GET http://c.pki.goog/r/gsr1.crl

      HTTP Response

      200

      HTTP Request

      GET http://c.pki.goog/r/r4.crl

      HTTP Response

      200
    • 204.79.197.200:443
      ieonline.microsoft.com
      tls, http2
      MicrosoftEdge.exe
      1.4kB
      8.1kB
      15
      10
    • 88.221.135.57:443
      www.bing.com
      tls
      MicrosoftEdge.exe
      1.0kB
      9.5kB
      14
      11
    • 88.221.135.57:443
      www.bing.com
      tls
      MicrosoftEdge.exe
      1.2kB
      9.5kB
      17
      12
    • 88.221.135.57:443
      www.bing.com
      tls
      MicrosoftEdge.exe
      590 B
      179 B
      7
      4
    • 8.8.8.8:53
      streamshare.wireway.ch
      dns
      MicrosoftEdgeCP.exe
      68 B
      100 B
      1
      1

      DNS Request

      streamshare.wireway.ch

      DNS Response

      172.67.186.27
      104.21.76.28

    • 8.8.8.8:53
      c.pki.goog
      dns
      MicrosoftEdgeCP.exe
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      216.58.201.99

    • 8.8.8.8:53
      27.186.67.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      27.186.67.172.in-addr.arpa

    • 8.8.8.8:53
      95.143.109.104.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      95.143.109.104.in-addr.arpa

    • 8.8.8.8:53
      99.201.58.216.in-addr.arpa
      dns
      72 B
      169 B
      1
      1

      DNS Request

      99.201.58.216.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      161.19.199.152.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      161.19.199.152.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      57.110.18.2.in-addr.arpa
      dns
      210 B
      133 B
      3
      1

      DNS Request

      57.110.18.2.in-addr.arpa

      DNS Request

      57.110.18.2.in-addr.arpa

      DNS Request

      57.110.18.2.in-addr.arpa

    • 8.8.8.8:53
      www.microsoft.com
      dns
      MicrosoftEdge.exe
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      95.100.245.144

    • 8.8.8.8:53
      144.245.100.95.in-addr.arpa
      dns
      146 B
      139 B
      2
      1

      DNS Request

      144.245.100.95.in-addr.arpa

      DNS Request

      144.245.100.95.in-addr.arpa

    • 8.8.8.8:53
      57.135.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      57.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      140 B
      133 B
      2
      1

      DNS Request

      81.144.22.2.in-addr.arpa

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      10.73.50.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      10.73.50.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\Q0HHSSW8\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HY0TTRD4\49bdb[1].zip

      Filesize

      267KB

      MD5

      8fd6f4398bf36bdc23348057daefa96e

      SHA1

      999034a2fb9e81efcde53c1aed3cf5b7b0e5ffb6

      SHA256

      eb353903eb03bdcfc2a94ce89b92854832883bcc2c34ee49f5dd0c001dbbe76f

      SHA512

      aa51eae94447852b41428452221fdf114d38753ebc06ba570a18cc0ffcaac632c781cfea557c7b79ea995392c786ebff1258a5eaa3bda4b9bd67622cbbf3cdba

    • memory/200-0-0x0000021A25620000-0x0000021A25630000-memory.dmp

      Filesize

      64KB

    • memory/200-16-0x0000021A25720000-0x0000021A25730000-memory.dmp

      Filesize

      64KB

    • memory/200-35-0x0000021A22BB0000-0x0000021A22BB2000-memory.dmp

      Filesize

      8KB

    • memory/200-103-0x0000021A2BEF0000-0x0000021A2BEF1000-memory.dmp

      Filesize

      4KB

    • memory/200-102-0x0000021A2BEE0000-0x0000021A2BEE1000-memory.dmp

      Filesize

      4KB

    • memory/3440-45-0x000002743F700000-0x000002743F800000-memory.dmp

      Filesize

      1024KB

    • memory/4396-75-0x0000022737CD0000-0x0000022737DD0000-memory.dmp

      Filesize

      1024KB

    • memory/4948-62-0x0000020B6BC20000-0x0000020B6BC22000-memory.dmp

      Filesize

      8KB

    • memory/4948-65-0x0000020B6BC50000-0x0000020B6BC52000-memory.dmp

      Filesize

      8KB

    • memory/4948-67-0x0000020B6BE10000-0x0000020B6BE12000-memory.dmp

      Filesize

      8KB

    • memory/4948-60-0x0000020B5BAA0000-0x0000020B5BBA0000-memory.dmp

      Filesize

      1024KB
