Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2024, 01:50

General

  • Target

    d0f4d74cdc462ca44ff4531749e02650785c290e669b361b537cbf33aa568ac7.exe

  • Size

    117KB

  • MD5

    81e988025a36941345afb5e8a55d2bcb

  • SHA1

    3365c32cf9db5ca54c7ab587406cca91c12d66d5

  • SHA256

    d0f4d74cdc462ca44ff4531749e02650785c290e669b361b537cbf33aa568ac7

  • SHA512

    b3635fb79cae16835d81e12fbcbada33d46bcf10744517eac893038a98f924ae2bcbdf56dc696f8d33f54ae718f153370e9d0dca18d65b05ce4318b2e5fc697a

  • SSDEEP

    3072:ubG7N2kDTHUpou7DoruORPzy5n+/mGCKXU74:ubE/HUTMFRry5nmIE

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0f4d74cdc462ca44ff4531749e02650785c290e669b361b537cbf33aa568ac7.exe
    "C:\Users\Admin\AppData\Local\Temp\d0f4d74cdc462ca44ff4531749e02650785c290e669b361b537cbf33aa568ac7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pcapp.store/installing.php?guid=4304ACB9-C3F6-452A-9860-EB4E85D38D4EX&winver=19041&version=fa.1091x&nocache=20241010015053.566&_fcid=1728315845749529
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e86746f8,0x7ff9e8674708,0x7ff9e8674718
        3⤵
        PID:3284
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        3⤵
        PID:1432
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
        3⤵
        PID:3996
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        3⤵
        PID:3536
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        3⤵
        PID:2100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8
        3⤵
        PID:3544
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5032 /prefetch:8
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2152
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
        3⤵
        PID:4608
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:960
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
        3⤵
        PID:1812
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
        3⤵
        PID:3868
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        3⤵
        PID:3960
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        3⤵
        PID:2384
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,9590053492837600037,3473517338030063792,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3108 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4372
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3608
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3580

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0

                              Filesize

                              471B

                              MD5

                              1a90072b07a167ca87c8df95356ef7eb

                              SHA1

                              5230fe5648ecebb595a3afb68db5f96fafc49ecd

                              SHA256

                              9486553d3e7051b1aca359461e03ca08b88f3ff40b690fd7ad4ea3824bea9670

                              SHA512

                              94634a399ac201ba4ab1a60e70317caf403ac5327dea539c7373ab6c4ab6d6120d74dcba6599137a074bb5fad2c6c15fb9644a873f8df6940161b362869ea2b2

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE

                              Filesize

                              471B

                              MD5

                              6743fa83c3aa612c9b9eba73d4eaf31f

                              SHA1

                              77e4371c2376dd29460910126c18e784468fa0fd

                              SHA256

                              c13857a929cfb35ea5775ff8ce1265c7203d2e4dd058291c12d28e9f9bdb5a02

                              SHA512

                              a9177e1cd7a89edffc1fd05d8455dd22b4101fd3416d7cee16b3b8e96b9d80544eaf79e41350a26e7b3bef647201bbc0bc13a058220b0ffef0c2e61e018b6e80

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0

                              Filesize

                              404B

                              MD5

                              c91b79a04c2f55babe7796789819becb

                              SHA1

                              5e11ec03bee8ff1b840954ddefbe5587da5f2a27

                              SHA256

                              31e3c2fd46b162297af6547708654cfceaebd908184647353f79afe4a08d773e

                              SHA512

                              9db32fcab38fa07211caf83123c70ff99406e6e9d162f56b8289284037abac7c3347ae5142f223e7e5325387cdd75f8bce5e6cea28dab52fde2c136aed5ce332

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE

                              Filesize

                              412B

                              MD5

                              76215da3061b93efd8f8341469a7504a

                              SHA1

                              f9d1d3fdc6645a99fcbb763989a19c8b2c4640f4

                              SHA256

                              f4d701e37c2f8e0caa93566b8ab99959769bfbf44d5d2b385e47acf50846c462

                              SHA512

                              25b4b2020e60afaa372a1f5b1820e4417f9178743c13c02b03690bce4ed0d1b83228a2976288d2e0e6eb73eb353d1a16a46073b469092ef6f1b951c5b2c27951

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              61cef8e38cd95bf003f5fdd1dc37dae1

                              SHA1

                              11f2f79ecb349344c143eea9a0fed41891a3467f

                              SHA256

                              ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                              SHA512

                              6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              0a9dc42e4013fc47438e96d24beb8eff

                              SHA1

                              806ab26d7eae031a58484188a7eb1adab06457fc

                              SHA256

                              58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                              SHA512

                              868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              192B

                              MD5

                              ccc775701f487e2f91f781eaf7c58352

                              SHA1

                              1596a3e623dd72b7d9f53018bb0e86dcd483b591

                              SHA256

                              b922716ae4068abe72a211b9707f85c4c5cc6efa0dd14f944bb16796c417c2ea

                              SHA512

                              e219ed965d90bc59822e2071406a6df72f9e82fe66e49b21f05ae68b4d218354fc3500eeebcb389361d1a42c7c5810374e529b52a6fb8da77db942317a84f2a5

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                              Filesize

                              2KB

                              MD5

                              271d0cf17408f75d24de77c5d9b2e1b8

                              SHA1

                              70adb9a5d982e5a68de34d4aac92df01ac5d77c5

                              SHA256

                              d3fc42d80eaa9863e0885327e0a65a038c58cfee047ac255e021176c0817c031

                              SHA512

                              2ff91d76fa5dccc67bf494cd84c519e65607e5c26dd2199b2706481b6397dac0f2304aaf48596d6acab8ba78952a08764fb7be3e12e05cf825bf7fd473f930ee

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              5a3c70be083622d8bd65346a9821663f

                              SHA1

                              8635b53dfc09a06309f0e9cf31b4e4b78ce7f150

                              SHA256

                              92921ff10c8c9971b53e329eb2685559a73a11c9cd0bebeffd21cf55e94cee70

                              SHA512

                              f16d80b787194148f4b1838ee9916ad942157cd73cdad2a8e68b32c99a3f15d40cf5468ba4e5fce450f84f8a09fdf26e77af4abb906ac1c3d0aeba715e665f91

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b98b3e49-88d7-42a7-a75e-7e032b8c32cc.tmp

                              Filesize

                              7KB

                              MD5

                              051d61df22d50a303b11bbd8753af641

                              SHA1

                              7369e584af3689b8a76cca33915cbbfddb695272

                              SHA256

                              fdf0c2cd0b573a5e1a93849d83a47a0a5320b76539a5fad3cc3bb089e5f6bc42

                              SHA512

                              688d49be9ab751fce1a1d14b8784796a61643fe73d9f9c4d5ef294f79630089002cf9b8bf1335b118e67365ba520cd7263983f0475a816562e2dc131159943c5

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              7dc0709149c0151d6ee0d220e151decb

                              SHA1

                              5ba00219397b506ce4b7e097e8ece4f0e4a73495

                              SHA256

                              308c2a69f72c6d31ccb9e911dee2a4ae23396529465adc9455d0f5923e73fc8e

                              SHA512

                              8a20b9d2f3e1a61258de8f71f51c3729bac969060b3d2fd034bdc2b5a8377c021fda08250cbd57f75fa3bce6a1ce644011776c119a9a647aad437fa0f988578f

                            • C:\Users\Admin\AppData\Local\Temp\nsaA029.tmp\System.dll

                              Filesize

                              12KB

                              MD5

                              cff85c549d536f651d4fb8387f1976f2

                              SHA1

                              d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

                              SHA256

                              8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

                              SHA512

                              531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

                            • C:\Users\Admin\AppData\Local\Temp\nsaA029.tmp\inetc.dll

                              Filesize

                              38KB

                              MD5

                              a35cdc9cf1d17216c0ab8c5282488ead

                              SHA1

                              ed8e8091a924343ad8791d85e2733c14839f0d36

                              SHA256

                              a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

                              SHA512

                              0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

                            • C:\Users\Admin\AppData\Local\Temp\nsaA029.tmp\nsDialogs.dll

                              Filesize

                              9KB

                              MD5

                              6c3f8c94d0727894d706940a8a980543

                              SHA1

                              0d1bcad901be377f38d579aafc0c41c0ef8dcefd

                              SHA256

                              56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

                              SHA512

                              2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

                            • C:\Users\Admin\AppData\Local\Temp\nsaA029.tmp\nsJSON.dll

                              Filesize

                              23KB

                              MD5

                              f4d89d9a2a3e2f164aea3e93864905c9

                              SHA1

                              4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

                              SHA256

                              64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

                              SHA512

                              dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2