Analysis
  max time kernel:  43s
  max time network: 46s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        07/09/2022, 19:21
Static task
  static1
Behavioral tasks
  behavioral1: sample PRD.lnk, resource win7-20220812-en
  behavioral2: sample PRD.lnk, resource win10v2004-20220812-en
  behavioral3: sample lkndwsjds.ps1, resource win7-20220812-en
  behavioral4: sample lkndwsjds.ps1, resource win10v2004-20220812-en
General
  Target: lkndwsjds.ps1
  Size:   1.6MB
  MD5:    43b8002185775160d5b83de4a210dd35
  SHA1:   62202c63aeef127ba0fb2c3ba1011d5f57b7bd61
  SHA256: 9251fb4f0360db6cd155676c3abf99a5dcfb8b2de560a43ef36d9eec7718f987
  SHA512: f9bb592c7068e9a5f437b200548fb3edca4e889ac0eba7a9ddc9d2f1797cfa473848ddf2636f38ec205a625df40561e9998e89e6682a5abf3a6b399455186f9e
  SSDEEP: 24576:cCrxYbz4x5sfmFGtW4FnXVROmygccvaP0iP3:krUGtbXDOnB8I
Malware Config
Signatures
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid  Process
    948  powershell.exe
    948  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid  Process
    Token: SeDebugPrivilege  948  powershell.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                      pid  Process         procid_target
    PID 948 wrote to memory of 936   948  powershell.exe  29
    PID 948 wrote to memory of 936   948  powershell.exe  29
    PID 948 wrote to memory of 936   948  powershell.exe  29
    PID 936 wrote to memory of 1360  936  csc.exe         30
    PID 936 wrote to memory of 1360  936  csc.exe         30
    PID 936 wrote to memory of 1360  936  csc.exe         30
Processes
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 948)
    command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\lkndwsjds.ps1
    signatures:   Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 936)
      command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqpmguz8.cmdline"
      signatures:   Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1360)
        command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFDEF.tmp"
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1KB
  MD5:      bd650b1d04b1bf4d2b4a6e47fa4c7447
  SHA1:     a91bbd5f6a074707493d7d2fa924b0b2cf5b47ce
  SHA256:   89b6ec60594c7b71c770d760174df4527d5cf6ed0994b0aa2be6ad55c9ac26e0
  SHA512:   0025a529dd958b8eafd7039861695ad1aeb4339f72e5f21f6b04018713f76b8e9321030faae66f21e3195613073d9588a398735aeb2955e2c6140c3b3be08122

  Filesize: 3KB
  MD5:      54bc1acd3f099efc609b11696202382a
  SHA1:     69f9e2492ac33fc6ab019398e94fd4a53021f9b2
  SHA256:   8df011d25f3651bee1edc34c9d62c57d84cff537b69e6f5b93811364383f415e
  SHA512:   2dfd804b3535ab808b6f380d56105cb0f28208e27ca8029df506b64145e7ff891caca2364c38bc287e5cb66ba7b94b5dc0005b0b2f1075fa5631d501130098ad

  Filesize: 7KB
  MD5:      a8ed1428d777e300c0d304bf0b332d0d
  SHA1:     db7cfe7c3eb13f8fff6eae1a7e9940a59140f6f2
  SHA256:   e26a487070872c050e21302982968b9f5ffe54a296092b7028bdc35fb43c5e0d
  SHA512:   3ff350bc1f5fc8879b0876994a36d38b68909117bda6f4f77ba2b2063a4a1159ec7ef75f9583aed6f41dfbf5de24805650f139e5310f155a9ec338f054f3d50b

  Filesize: 652B
  MD5:      fa142b3e98a72d3ac179aeb8ab3af7cc
  SHA1:     6832ff6254f181fbf32a94094048e20569cca753
  SHA256:   3fc6afca20cd39baee1e177d1c2c98e2a37b0feaacf54a10bca60be52a0264b4
  SHA512:   fd02d69e31c063beb813ff1f6c31ea2600c311c2eb28f4266d8b19dc3109d1abe56b400c88c98e5e26ee725c7a51a9195bcac30fb15e56bf4af1d21a33e521e7

  Filesize: 203B
  MD5:      b611be9282deb44eed731f72bcbb2b82
  SHA1:     cc1d606d853bbabd5fef87255356a0d54381c289
  SHA256:   ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6
  SHA512:   63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

  Filesize: 309B
  MD5:      169f9e89836ac868294d25e7bf9c4ba5
  SHA1:     61f82197c01458eae606d35a2e75b6096ec07563
  SHA256:   ee08de46d77916f44b35445e39e51126fd9a78bda357c714b64f86556c0c846a
  SHA512:   e99adeb63eebe075ad7b316b27359dc48657c7dd01809e10f87391ca58ac5eebaa505a0569c1572860d5a3d4e7cc36794f15e674244156f93ebf11b4b3ebf817