Analysis
- max time kernel: 1159s
- max time network: 1161s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04/09/2024, 01:55
Static task: static1
Behavioral task: behavioral1
Sample: sample.html
Resource: win11-20240802-en
General
- Target: sample.html
- Size: 4KB
- MD5: dcbe0d3e08896e6873737b39283d1726
- SHA1: e621cc955d521cbbf60c6e377cfcc059e626568e
- SHA256: 57be9b9e780a14ddd1e1c93119e59f0a5c238cb4a749b18f4222285803b268bf
- SHA512: dd9b070b9cb2b2431543ed6ab8c09c57dedaea7ddc75bdee030b5f637e43c8f06efb71d2471e54092170889f48acef8e34d1e2c85db3a35055ec603069e92ceb
- SSDEEP: 48:t+gv2StsPx2UZtw6PoUD4ilDgtMmaKtPQUoMhhHtIcvvp0/:aZtf8t6KtddhLpi
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  | Process             | occurrences
  836  | msedge.exe          | 2
  3812 | msedge.exe          | 2
  6060 | msedge.exe          | 2
  4328 | identity_helper.exe | 2
  2040 | msedge.exe          | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid  | Process    | occurrences
  3812 | msedge.exe | 6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid  | Process    | occurrences
  3812 | msedge.exe | 25
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid  | Process    | occurrences
  3812 | msedge.exe | 12
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                      | pid  | Process    | procid_target | occurrences
  PID 3812 wrote to memory of 4784 | 3812 | msedge.exe | 78            | 2
  PID 3812 wrote to memory of 1852 | 3812 | msedge.exe | 79            | 40
  PID 3812 wrote to memory of 836  | 3812 | msedge.exe | 80            | 2
  PID 3812 wrote to memory of 1472 | 3812 | msedge.exe | 81            | 20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3812)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4784)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacdde3cb8,0x7ffacdde3cc8,0x7ffacdde3cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1852)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 248)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6060)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3576)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3196)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 4328)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2040)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,2247692669219072079,10949127385425445944,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5284 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2804)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 6012)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads