Analysis
- max time kernel: 145s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 17:29
Static task
- static1

Behavioral tasks
- behavioral1: sample "ASUNTO_ Llamado urgente rendir indagatoria carácter obligatorio Bogotá 1 de octubre de 2024.eml", resource win7-20240903-en
- behavioral2: sample "ASUNTO_ Llamado urgente rendir indagatoria carácter obligatorio Bogotá 1 de octubre de 2024.eml", resource win10v2004-20240910-en
- behavioral3: sample email-html-2.html, resource win7-20240903-en
- behavioral4: sample email-html-2.html, resource win10v2004-20240802-en
- behavioral5: sample email-plain-1.txt, resource win7-20240729-en
- behavioral6: sample email-plain-1.txt, resource win10v2004-20240802-en
General
- Target: email-html-2.html
- Size: 11KB
- MD5: efe53f52d42f09925b062d9e6a0fdef9
- SHA1: 98cae91a00db8473bccdf8f6e3fa0f8550092b31
- SHA256: 252a3668a218564bb69ca100e798cd9dad8e73bde737994c1d2c9325d8def8ff
- SHA512: fea8d02a7ab2c7fde57f35a0f8233c2ddc5bbe7efd117e2aafb20467fc201d8e44428805f5684ab0a6dfe58b638b80998812abffa12d5deaf39ecc7ec1bd383f
- SSDEEP: 96:7I0WtHosKEPJNPRGxa178WnsAw57QSrE+6JFTnQTY+9MO/8yVwid1x3tnxgd:E0qH2Exj+aRsFKFAY0/8yO8x3Qd
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | process
  4296 | msedge.exe (2 entries)
  4704 | msedge.exe (2 entries)
  2840 | identity_helper.exe (2 entries)
  3244 | msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | process
  4704 | msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  4704 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  4704 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 4704 wrote to memory of 4388 | 4704 | msedge.exe | 82 (2 entries)
  PID 4704 wrote to memory of 4616 | 4704 | msedge.exe | 83 (40 entries)
  PID 4704 wrote to memory of 4296 | 4704 | msedge.exe | 84 (2 entries)
  PID 4704 wrote to memory of 2124 | 4704 | msedge.exe | 85 (20 entries)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4388)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffead0b46f8,0x7ffead0b4708,0x7ffead0b4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4616)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4296)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2124)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3868)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2176)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2840)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2324)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3648)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3244)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2576791980572979491,18001621129099363985,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3144)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 736)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: f9664c896e19205022c094d725f820b6
  SHA1: f8f1baf648df755ba64b412d512446baf88c0184
  SHA256: 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
  SHA512: 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
- Filesize: 152B
  MD5: 847d47008dbea51cb1732d54861ba9c9
  SHA1: f2099242027dccb88d6f05760b57f7c89d926c0d
  SHA256: 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
  SHA512: bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
- Filesize: 390B
  MD5: 1f83a6f221796d244b40acdeb9ad44e4
  SHA1: 05184cb167bf157791ce0fdad1fcd5afe4a8b597
  SHA256: 36f2f4d9c762b82dfcaa5f9ec370b38e7331adde019ede094608ac37de6e4606
  SHA512: 9159a2f669d0900977de167068d0def36e176954d27124b06c971c874992b9ebf4b10bd58275d47f658536929f4408b0b8ac73c28755186c851d98aaede13f60
- Filesize: 5KB
  MD5: 802bb5cdbea57b9963c66d97c90962d8
  SHA1: a1c24ae4472ae0fd9cd40d6c2a202d2ccf7e2b90
  SHA256: f0b0f9738a6af21d1325102af8bb9d9e89f6f8615ea3821e576b6c8596eda96c
  SHA512: 61d0c7fb988ad622f0b5d18fc297cd1e799c13f8b56aca0abe52e3baae7753fe28d4c5ee795880f66ba376c466ee79d723e6b1ca183ef45f0121149bca07db0f
- Filesize: 6KB
  MD5: 518db7f59548a9c4ffe98186a2321313
  SHA1: d8463539d0b1bc8901b5a0c9d73b7569ea00e551
  SHA256: dbc3a56643aac424f64da02a480c5723a5f24616d75afe5959fcabd8983d803a
  SHA512: c08720c02f1e8c151cbc8922157d11dbfb08451bfab04974d57770c30039358978b175e05224e7a577fa89a2cd0002fff133da582b8bc23081623ee7eb1e3f61
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 965bd3ef99549eaf09ac26af33b2d08b
  SHA1: 838d715c28b5417003fcede2b9f95bad9d4f8556
  SHA256: 820460a765d6247e109ebf6e0dee30dea4be06b921505faaba3f32c4f592e35a
  SHA512: 22e151708c4c009da286b132f381a735b12d365ef3e864801b38fb536690d1c7405266a2725de02f498d7503e976c0b6b91411d946f62f4e50f9fbe311ef8420