Analysis
  max time kernel: 145s
  max time network: 137s
  platform: windows11-21h2_x64
  resource: win11-20240802-en
  resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 09/09/2024, 15:45
Tasks
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://wsw.youdaomiv.top
    Resource: win7-20240729-en
  Behavioral task: behavioral2
    Sample: https://wsw.youdaomiv.top
    Resource: win10-20240611-en
  Behavioral task: behavioral3
    Sample: https://wsw.youdaomiv.top
    Resource: win10v2004-20240802-en
  Behavioral task: behavioral4
    Sample: https://wsw.youdaomiv.top
    Resource: win11-20240802-en
General
  Target: https://wsw.youdaomiv.top
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description          ioc                                                                    process
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid    process
  4136   msedge.exe
  4136   msedge.exe
  1648   msedge.exe
  1648   msedge.exe
  4916   identity_helper.exe
  4916   identity_helper.exe
  4852   msedge.exe
  4852   msedge.exe
  556    msedge.exe
  556    msedge.exe
  556    msedge.exe
  556    msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid    process
  1648   msedge.exe
  1648   msedge.exe
  1648   msedge.exe
  1648   msedge.exe
  1648   msedge.exe
  1648   msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Suspicious use of SendNotifyMessage (12 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wsw.youdaomiv.top
  PID: 1648
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffbe96c3cb8,0x7ffbe96c3cc8,0x7ffbe96c3cd8
      PID: 676

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
      PID: 4100

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
      PID: 4136
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
      PID: 4928

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      PID: 2064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      PID: 4428

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
      PID: 4916
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      PID: 4680

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
      PID: 4684

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
      PID: 4852
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      PID: 1864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      PID: 4160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14903470566925961207,2691019804022343747,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5556 /prefetch:2
      PID: 556
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2984

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3860
Network
MITRE ATT&CK Enterprise v15
Downloads