Overview

Overall score: 7

Sample (as shown, truncated)   Platform             Score
EAC拔苗...58.chm               windows7-x64         1
EAC拔苗...58.chm               windows10-2004-x64   1
attachment-22.js               windows7-x64         3
attachment-22.js               windows10-2004-x64   3
attachment-23.html             windows7-x64         3
attachment-23.html             windows10-2004-x64   3
EAC拔苗...ac.exe               windows7-x64         1
EAC拔苗...ac.exe               windows10-2004-x64   3
EAC拔苗...me.exe               windows7-x64         7
EAC拔苗...me.exe               windows10-2004-x64   7
EAC拔苗...nc.exe               windows7-x64         7
EAC拔苗...nc.exe               windows10-2004-x64   7
EAC拔苗...et.exe               windows7-x64         7
EAC拔苗...et.exe               windows10-2004-x64   7
EAC拔苗...P4.exe               windows7-x64         7
EAC拔苗...P4.exe               windows10-2004-x64   7
EAC拔苗...c2.exe               windows7-x64         7
EAC拔苗...c2.exe               windows10-2004-x64   7
EAC拔苗...32.dll               windows7-x64         6
EAC拔苗...32.dll               windows10-2004-x64   6

Analysis
max time kernel:   145s
max time network:  129s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         21/09/2024, 06:18
Behavioral tasks

Paths are kept as submitted; the Chinese components translate as 其它 = "Other" and 外部接口aspi驱动 = "external-interface ASPI driver", and EAC拔苗成长指引 v3.58 is the name of the submitted archive.

Task          Sample                                                                Resource
behavioral1   EAC拔苗成长指引 v3.58/EAC拔苗成长指引 3.58.chm                         win7-20240729-en
behavioral2   EAC拔苗成长指引 v3.58/EAC拔苗成长指引 3.58.chm                         win10v2004-20240802-en
behavioral3   attachment-22.js                                                      win7-20240903-en
behavioral4   attachment-22.js                                                      win10v2004-20240802-en
behavioral5   attachment-23.html                                                    win7-20240903-en
behavioral6   attachment-23.html                                                    win10v2004-20240802-en
behavioral7   EAC拔苗成长指引 v3.58/其它/FLAC encoder/flac.exe                       win7-20240729-en
behavioral8   EAC拔苗成长指引 v3.58/其它/FLAC encoder/flac.exe                       win10v2004-20240802-en
behavioral9   EAC拔苗成长指引 v3.58/其它/MP3 encoder/lame.exe                        win7-20240903-en
behavioral10  EAC拔苗成长指引 v3.58/其它/MP3 encoder/lame.exe                        win10v2004-20240802-en
behavioral11  EAC拔苗成长指引 v3.58/其它/MPC encoder/mppenc.exe                      win7-20240903-en
behavioral12  EAC拔苗成长指引 v3.58/其它/MPC encoder/mppenc.exe                      win10v2004-20240802-en
behavioral13  EAC拔苗成长指引 v3.58/其它/MPC encoder/wapet.exe                       win7-20240903-en
behavioral14  EAC拔苗成长指引 v3.58/其它/MPC encoder/wapet.exe                       win10v2004-20240802-en
behavioral15  EAC拔苗成长指引 v3.58/其它/Ogg encoder/P4 CPU/oggenc23P4.exe           win7-20240903-en
behavioral16  EAC拔苗成长指引 v3.58/其它/Ogg encoder/P4 CPU/oggenc23P4.exe           win10v2004-20240802-en
behavioral17  EAC拔苗成长指引 v3.58/其它/Ogg encoder/oggenc2.exe                     win7-20240704-en
behavioral18  EAC拔苗成长指引 v3.58/其它/Ogg encoder/oggenc2.exe                     win10v2004-20240802-en
behavioral19  EAC拔苗成长指引 v3.58/其它/外部接口aspi驱动/WNASPI32.dll              win7-20240903-en
behavioral20  EAC拔苗成长指引 v3.58/其它/外部接口aspi驱动/WNASPI32.dll              win10v2004-20240802-en
General

Target:  attachment-23.html
Size:    5KB
MD5:     4c19737bc0a2e918d25d084bf4376cc1
SHA1:    bd750b51f68b71d7c1dabe8c4ad21560c6890900
SHA256:  e63f4c7e86f65b8d8e45345375d71ca73f490bc060e27c840712bced9675ae51
SHA512:  c10478f6d4d31709e8c954f71aaa8b752a54e62d4c6e572792e1ac14909d1272f4dccf433a530a44be2394bc9af09349a8cec046c747f0404f4a8515c4ff83bc
SSDEEP:  96:7iYYJ86taItfXJ8yd8pf4zi2fHQfEfXJ8FJfXJ8v+huOFaO2OfEnyTOlOdCfEVy5:7+H/WKEM+13QfCg6a3QK2j2ZKQXNREyj
Malware Config
Signatures

Every signature below is raised by msedge.exe (PID 2324), the browser the sandbox used to open attachment-23.html, or by its own helper processes. Read them with that in mind: the BIOS SystemManufacturer/SystemProductName reads are the classic VM-fingerprint lookup, but here the reader is Edge itself; and every WriteProcessMemory target is a child msedge.exe the same browser process has just spawned (crashpad, GPU, network and storage helpers), which is the normal Chromium multi-process start-up rather than injection into a foreign process. None of the IoCs are attributable to script in the HTML itself.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process
  872    msedge.exe           (2 IoCs)
  2324   msedge.exe           (2 IoCs)
  2192   identity_helper.exe  (2 IoCs)
  3680   msedge.exe           (4 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid 2324  msedge.exe  (6 IoCs)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 2324  msedge.exe  (25 IoCs)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 2324  msedge.exe  (24 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid  process     target pid  procid_target  IoCs
  2324        msedge.exe  3108        82             2
  2324        msedge.exe  4228        83             40
  2324        msedge.exe  872         84             2
  2324        msedge.exe  3444        85             20
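The two questions a triager actually asks of the Signatures block are "did the writer ever touch a process running a different image than its own?" and "which registry reads land on VM-fingerprint paths?". The script below is an added example, not part of the Triage report; it parses the flattened IoC text exactly as the page shows it (a constructed subset of the report's lines, with smaller counts), joins the WriteProcessMemory targets against a PID-to-image map taken from the process tree, and flags only cross-image writes. The list of VM-fingerprint registry prefixes is an assumption of the example; the report itself only shows the BIOS key being read.

```python
"""Triage-style signature IoC parser (added example, not part of the report).

Checks:
  1. WriteProcessMemory: a writer targeting a process that runs a different
     image than its own is the injection pattern worth escalating; a browser
     writing into its freshly spawned same-image helpers is expected.
  2. Registry: which IoCs touch paths commonly read to fingerprint a VM.
"""
import re
from collections import Counter

# Constructed sample input: the three registry IoCs from the report and a
# handful of its 64 WriteProcessMemory IoCs, in the flattened text form the
# page shows. Counts here are deliberately smaller than the report's.
REGISTRY_IOCS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
"""

WPM_IOCS = (
    "PID 2324 wrote to memory of 3108 2324 msedge.exe 82 "
    "PID 2324 wrote to memory of 3108 2324 msedge.exe 82 "
    "PID 2324 wrote to memory of 4228 2324 msedge.exe 83 "
    "PID 2324 wrote to memory of 872 2324 msedge.exe 84 "
    "PID 2324 wrote to memory of 3444 2324 msedge.exe 85 "
    "PID 2324 wrote to memory of 3444 2324 msedge.exe 85 "
)

# PID -> image name, taken from the report's process tree.
PROCESS_IMAGES = {2324: "msedge.exe", 3108: "msedge.exe", 4228: "msedge.exe",
                  872: "msedge.exe", 3444: "msedge.exe"}

# Registry paths commonly read for VM/sandbox fingerprinting. This list is an
# assumption of the example; the report only shows the BIOS key being read.
VM_FINGERPRINT_PREFIXES = (
    r"\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
    r"\HARDWARE\DEVICEMAP\SCSI",
    r"\SYSTEM\CURRENTCONTROLSET\SERVICES\DISK\ENUM",
)

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
REG_RE = re.compile(r"Key (?:opened|value queried) (\S+) (\S+)")


def parse_wpm(text):
    """Count (src_pid, dst_pid, src_image) triples in flattened IoC text."""
    return Counter((int(src), int(dst), img)
                   for src, dst, img, _target in WPM_RE.findall(text))


def classify_wpm(counts, images):
    """Mark each write as suspicious when the target runs a different image."""
    findings = []
    for (src, dst, src_img), n in sorted(counts.items()):
        dst_img = images.get(dst, "<unknown>")
        findings.append({
            "src": src, "dst": dst, "src_img": src_img, "dst_img": dst_img,
            "count": n, "suspicious": dst_img != src_img,
        })
    return findings


def registry_vm_checks(text):
    """Return (process, path) for registry IoCs under a VM-fingerprint prefix."""
    hits = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if not m:
            continue
        path, proc = m.groups()
        # Normalise to the HKLM-relative, upper-cased form the prefix list uses.
        norm = path.upper().replace(r"\REGISTRY\MACHINE", "", 1)
        if norm.startswith(VM_FINGERPRINT_PREFIXES):
            hits.append((proc, path))
    return hits


if __name__ == "__main__":
    for f in classify_wpm(parse_wpm(WPM_IOCS), PROCESS_IMAGES):
        flag = "SUSPICIOUS" if f["suspicious"] else "expected"
        print(f"{f['src']} {f['src_img']} -> {f['dst']} {f['dst_img']} "
              f"x{f['count']}: {flag}")
    for proc, path in registry_vm_checks(REGISTRY_IOCS):
        print(f"VM-fingerprint read by {proc}: {path}")
```

On the report's data every write is msedge.exe into msedge.exe and is reported as expected; swap one target's image for, say, explorer.exe in the PID map and the same write is flagged. The registry check deliberately keys on the path, not the process, so the three BIOS reads are reported even though the reader here is the browser; deciding that Edge reading its host's BIOS strings is benign is the analyst's call, and the output makes that call visible rather than hiding it.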
Processes

Indentation shows parent/child depth; the signatures each process triggered are listed under it.

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\attachment-23.html
  PID 2324
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x44,0x108,0x7fff88fe46f8,0x7fff88fe4708,0x7fff88fe4718
    PID 3108

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    PID 4228

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
    PID 872
    Signatures: Suspicious behavior: EnumeratesProcesses

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    PID 3444

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    PID 2844

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    PID 2496

  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
    PID 3028

  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
    PID 2192
    Signatures: Suspicious behavior: EnumeratesProcesses

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    PID 1960

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    PID 3000

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
    PID 2884

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    PID 4972

  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10512578758104148447,6618367621289671827,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    PID 3680
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 2980

- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 5004
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 152B
  MD5:      9b008261dda31857d68792b46af6dd6d
  SHA1:     e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
  SHA256:   9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
  SHA512:   78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

File 2
  Filesize: 152B
  MD5:      0446fcdd21b016db1f468971fb82a488
  SHA1:     726b91562bb75f80981f381e3c69d7d832c87c9d
  SHA256:   62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
  SHA512:   1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

File 3
  Filesize: 5KB
  MD5:      7dc9e7d7e0c8864377838812b9efa47d
  SHA1:     dca46c0fdb19d6baf1e4bbcd2f99a586b2df3abc
  SHA256:   15d7f080b7aacfb5d7888416c2e2619505db79d090beaa49ec0313fef3c804e7
  SHA512:   3d33ae83667b673b8774e98b4ed1da7861d8f8327deb51fd9810b4f5bd311c80daea500f25da9aac140f2b7b0e6a0b98cb1ea9ea957d0de14a48250f4ab9be80

File 4
  Filesize: 6KB
  MD5:      9ced4021797168e9c83e7207d461afbb
  SHA1:     c989ccee52841e3dfa066e85db1f365f63d8c27e
  SHA256:   21df2a9aec9cca6612ca5211904a7a0d984ba9b2a694bac005fde44f713bd933
  SHA512:   a792294c4cc1f77f7a248dcd3bb4efcbddba3cd360ef2c9e49e934514aa39ec8dbe5599581b9ca76cf585dbf66ced1a6c328d03e637b2695debc5e43e4390dc5

File 5
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

File 6
  Filesize: 10KB
  MD5:      f7189d1ac5e7c10ec70469675e38c671
  SHA1:     29edb9c5ca78b81611ab88aa0c8b591f3984e09a
  SHA256:   4eb1d72fa67c7196421ca97ab1d032e5ad74bdd25af46a356655f16420306b2e
  SHA512:   a891d2ca549596306918c8a906e3171931c4d2802936c3b278c1f9297e9de83353a5ae8b88869e99a009da7afb8573d3ebdc7591573aedfe883a2723abfbd581