Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

OTSLG.ps1

windows7_x64

5

OTSLG.ps1

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    03/12/2021, 13:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OTSLG.ps1

  • Size

    915KB

  • MD5

    001bfe6f72fe64660ba498107c658bdc

  • SHA1

    0946baf23e867f2564302b60f777db72a1244a30

  • SHA256

    c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

  • SHA512

    32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1408-67-0x0000000007F26000-0x0000000007F27000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1408-65-0x0000000007F15000-0x0000000007F26000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1408-66-0x0000000007F10000-0x0000000007F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1408-64-0x00000000024A0000-0x00000000030EA000-memory.dmp

    Filesize

    12.3MB

    Download

  • memory/1408-63-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1664-58-0x0000000002982000-0x0000000002984000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1664-61-0x000000000298B000-0x00000000029AA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1664-60-0x000000001B850000-0x000000001BB4F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1664-59-0x0000000002984000-0x0000000002987000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1664-55-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1664-57-0x0000000002980000-0x0000000002982000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1664-56-0x000007FEF2920000-0x000007FEF347D000-memory.dmp

    Filesize

    11.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.