Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

code.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    522s
  • max time network
    524s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2023, 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    code.ps1

  • Size

    14KB

  • MD5

    7a26dbf6adddc8afb923321bd84a569d

  • SHA1

    87f5469280b5bba689856e52a6fdae0be2aec941

  • SHA256

    6109ffa74f726ff62658d7ecdbc91f2bde70b0436419fda6c7f1f301a101b09a

  • SHA512

    242cd5d4627bbbd5a7dc26c09d44326aebcc5e38db3adb5c824fdb498a4881f81bd6fc3ce40cf5abf6c2517766ba7aee44c6cb4b69b21d8baabe24dfa4825dc8

  • SSDEEP

    384:dwuRGuHnyVzVT+qNNqNRea0slBoCLQIR69Y:dwuVqNNqNwa3BZXR9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/436-147-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/436-145-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4448-144-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4448-142-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4688-139-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4688-141-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-136-0x000001F1432E0000-0x000001F143456000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4984-137-0x000001F143D40000-0x000001F143F4A000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4984-135-0x000001F143810000-0x000001F143D38000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4984-132-0x000001F141590000-0x000001F1415B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4984-134-0x000001F143110000-0x000001F1432D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4984-146-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4984-133-0x00007FFE35F10000-0x00007FFE369D1000-memory.dmp

    Filesize

    10.8MB

    Download