Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

1

URLScan

urlscan

1

https://reformedtund...

windows10-1703-x64

5

Analysis

  • max time kernel
    68s
  • max time network
    93s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/09/2024, 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://reformedtundra.itch.io/windows-12-exe

Score
5/10
discovery

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 55 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 20 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://reformedtundra.itch.io/windows-12-exe"
    1⤵
      PID:4604
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4636
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      PID:4116
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4596
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1496
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:1428
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
    • C:\Windows\System32\PickerHost.exe
      C:\Windows\System32\PickerHost.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2916
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:664
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4668
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4304
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
      Filesize

      4KB

      MD5

      1bfe591a4fe3d91b03cdf26eaacd8f89

      SHA1

      719c37c320f518ac168c86723724891950911cea

      SHA256

      9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

      SHA512

      02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml
      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5F66SYHP\bundle.min[1].js
      Filesize

      111KB

      MD5

      5367c161f00ba356d8b143ede4d78591

      SHA1

      9dbfc6218a65e8dbe0be21eb46081d9d8fe02c65

      SHA256

      9da2294cc3da6275d5b88076abb0cb068f9a7b5a18f62a564ecd3a1caba920c1

      SHA512

      eb1e3d4b05105768ea24b13a4fea5ae5baec71b476175ea27f8b139d9858186c0f011989e10f55aeb7cdbdcbe25b85d532f61d49df79a3259fd9dcd4be860eea

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5F66SYHP\jquery.maskMoney[1].js
      Filesize

      22KB

      MD5

      50ae60d621c698f2993752e5525a7791

      SHA1

      579534d05690d381130410e3caafccc1a4569da1

      SHA256

      526a6d6740bf408dce3e6671745b3cfd5a953c8632faf523dabd38d068087360

      SHA512

      f348d52cc85c769dbe943ef7de58513c5082b1d84060ab94b706b78b9f379a56d00f69207414e20ca0f21e405ac5386ad379ea0702894ae0cbe726f9f8191165

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5F66SYHP\js[1].js
      Filesize

      275KB

      MD5

      5da73cd27fb5b7f608d9ee21f88cea72

      SHA1

      cb066afbe562a8e024c2f60c2ca77efb3b1107ce

      SHA256

      f682b6b630d27f15c9c16d5539d1c56bd03646b635162f4ee42f90a09884c124

      SHA512

      83f494cae9714c57eaeafcc477ebb2cdb118f6ed9ea9247443ca6d73e3ac9978383e195385587334d5d1a96084ffb302dfd191a53e47525ba206ad4c1ff4ed14

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FBF6QYDN\lato-v14-latin-700[1].woff2
      Filesize

      22KB

      MD5

      7fbbfd1610770d594aef639cfefdd0b0

      SHA1

      e8e478141c6bea23ed8f1b52b7062eebbafb29f0

      SHA256

      ead13ccfbdea5462c3af37aa6ae04e64ed65a31c33f76e46da5e86ec85c52064

      SHA512

      0b4a872e56961cdd20208fd631dc45175fb7b0475c2047a9df9297be87dd050cd980fbb170b09a144839c20900456b8837374954cd53efefece7b9fe05b2ddbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FBF6QYDN\lato-v14-latin-900[1].woff2
      Filesize

      21KB

      MD5

      f2de2c6ec69b0c11f1bc44c5348c2f35

      SHA1

      35380c04729ff2041e192756bea3052e7de2c5d0

      SHA256

      abde463ef27458713d91e9be883fdd389298ef57411b601cab5f66db609c508d

      SHA512

      847a73f219b215d03fac4335720d7be8ed6ec479e4a83d1c2d5e980f3572a54b8d2fff5ff117be6575c3d982c6e20ee01564dfae0290e70576ee0acc2b998259

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FBF6QYDN\main[1].css
      Filesize

      543KB

      MD5

      35734e32bdc368e334783651eb578de5

      SHA1

      1440e6752807f2a1579d66485a90479d704907e6

      SHA256

      b6289cded72f192a300ff93332b5671d754c4bf98aa326e9f180b3f2d2347b88

      SHA512

      27c9514a4c2f5f9f60eb80f79d2aae8137ae7a9d9e65803bc36daed3e4c747d1e53bc4b3f29dbc798044f8572acdb8193724018d6643e4a2bd3f2c17bd458b75

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QABK4CGE\lato-v14-latin-italic[1].woff2
      Filesize

      23KB

      MD5

      b45e52f342dc29c8553f51a99f924871

      SHA1

      84ffaa7306ce72dc9dce975454298b91dc4d00be

      SHA256

      88f15027c3aadf50ab39cea089b1f8aa3a18da7c47b30569c1f7489470c05292

      SHA512

      d4eaa02b2b16f047658b14250f1531e1b90f3575bc7a084f06ba772c24e1436be4f223dfe784b0a5956d039ba385f2b7c1697d51c8d3a568d1bc6ebc9c99a726

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QABK4CGE\lato-v14-latin-regular[1].woff2
      Filesize

      22KB

      MD5

      f1a4a058fbba1e35a406188ae7eddaf8

      SHA1

      e5e25503a9a6976e3ac4b1893a767c8a7a72eba0

      SHA256

      1670565574aab8aa0a287a4cd8f49cf0d8b0959ebe344f90ca8af696ede9c23b

      SHA512

      c0f3138f59034f26f89a7bee8a3a0af749c4dd119997ca121121ff19a35e690098ddd6e4d022d86a81783837fea39aa66d47cac1b19127cda5a0b1355714fa75

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T0QUH3P0\lib.min[1].js
      Filesize

      124KB

      MD5

      207451926a991de4adc16e6c64aab430

      SHA1

      60cb4c06d1714eab643a99a56fbb890a1aba421f

      SHA256

      0451ab174857156c1abb1a91baa9c569591defd2ca5a20fc4f8f78f4f6b1320e

      SHA512

      50f2f4a8d717cd4c13dc88611112d91079cf6b3d59e449bae7bcad0dca019070e1bf6b6849c2de072b9b6db496e0a7c7a43fce2d668d8e36c0bfbb57f0c5d15d

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KJDP0KW1\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\MNHG4VVI\sNGgws[1].png
      Filesize

      2KB

      MD5

      9f1421643d651ffbe419cc07534ae63f

      SHA1

      51ee1eaa853ee699c0499df5b227b294f46dfd62

      SHA256

      7a71b0515807f3b7f2a7067bbf2e369e61e708257c931f5a17aceaf551be8b8d

      SHA512

      b636516921f72eb5c709f5e20f9f5006927c3cf1b4bd125b8fdad4f7bea43ee7b5c5d4fccc956d403662af10c22b70e9192ac1f9da107a47158f9c5b6f797538

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZCQ80MXN\favicon[1].ico
      Filesize

      5KB

      MD5

      9a3fe3a8b81bbf459c98753295394945

      SHA1

      0549a475c5fce345669877802f80eeffadfa6fff

      SHA256

      f5392ebf26bc5e9599340a9e5cef6644629b2b43bdbeb5c03e8382aaab7ef165

      SHA512

      1e4978397370430859b3c3c8f18015ec040fa8f1e15ea5086ffba069bacd537255c7ec9409117a2a27fd401c6b90a27f586183360680915dbed75cdf57a430ec

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T0QUH3P0\Windows 12 exe[1].zip
      Filesize

      524KB

      MD5

      afae8c18eef5d9a0c49f3bda845575a4

      SHA1

      a3c615b2f57357f45ad141264dd5d0d4278012c6

      SHA256

      82f45f430f9d5d4821c528d51ee45948456e274593747dde2c5af8257dac15c9

      SHA512

      161f8bbbf22b3b382f4d7abf3e1193645875be6652da830853e6cda3f74bb5ddc4d14535771da6523d2d83039e877cc04b7f241c60b16b45a5398a87cf266312

      Download Submit

    • memory/1428-394-0x000002BEF8820000-0x000002BEF8920000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1428-569-0x000002BEF5500000-0x000002BEF5510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1428-64-0x000002BEF4E00000-0x000002BEF4F00000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1428-103-0x000002BEF6AE0000-0x000002BEF6B00000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1428-114-0x000002BEF5D80000-0x000002BEF5D82000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-108-0x000002BEF59E0000-0x000002BEF59E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-395-0x000002BEF8820000-0x000002BEF8920000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1428-116-0x000002BEF6420000-0x000002BEF6422000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-118-0x000002BEF71B0000-0x000002BEF71B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-124-0x000002BEF7690000-0x000002BEF7692000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-126-0x000002BEF76B0000-0x000002BEF76B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-128-0x000002BEF76D0000-0x000002BEF76D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-567-0x000002BEF5500000-0x000002BEF5510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1428-112-0x000002BEF5B50000-0x000002BEF5B52000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-577-0x000002BEF74E0000-0x000002BEF74E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-576-0x000002BEF5500000-0x000002BEF5510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1428-122-0x000002BEF71E0000-0x000002BEF71E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-120-0x000002BEF71C0000-0x000002BEF71C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-110-0x000002BEF5B40000-0x000002BEF5B42000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1496-45-0x000002004C280000-0x000002004C380000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4636-0-0x0000018B8FE20000-0x0000018B8FE30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4636-167-0x0000018B96BC0000-0x0000018B96BC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4636-166-0x0000018B96BB0000-0x0000018B96BB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4636-35-0x0000018B8D1D0000-0x0000018B8D1D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4636-16-0x0000018B8FF20000-0x0000018B8FF30000-memory.dmp

      Filesize

      64KB

      Download