Analysis
max time kernel: 80s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2023, 12:44
Static task: static1
Behavioral task: behavioral1, sample Google1.ps1, resource win7-20230220-en
Behavioral task: behavioral2, sample Google1.ps1, resource win10v2004-20230220-en
General
Target: Google1.ps1
Size: 46KB
MD5: 7ea235cdecfd28871729b498e48ac69f
SHA1: b94cc4445cc0ebaf6906d1d96115700e255e4265
SHA256: 42b3c16e50a12f0d06292d00c93bcfbb66b6a34167720912501e68abaf4ce813
SHA512: 29ff6cf49672cbeb68fb8b4297648bd1934af667c109a80b624f9196188c4798acb6aa89ccc308f03265c40d5ad3af33240a4af634abe0c53a85f2043de58e88
SSDEEP: 768:XK8eLIllhBDRLLjiSHtRr+NJHhbllNllJllPpllllllTlhSnrj91lgmldllolPl+:a8eLIllhBR9tRr+NJHhbllNllJllPplY
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  15    4376  powershell.exe
  33    3232  powershell.exe
  59    4924  powershell.exe
  60    4456  powershell.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   process
  4376  powershell.exe (2 events)
  3232  powershell.exe (2 events)
  3908  powershell_ise.exe (3 events)
  4924  powershell.exe (2 events)
  4456  powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4376  powershell.exe
  Token: SeDebugPrivilege  3232  powershell.exe
  Token: SeDebugPrivilege  3908  powershell_ise.exe
  Token: SeDebugPrivilege  4924  powershell.exe
  Token: SeDebugPrivilege  4456  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process         procid_target
  PID 4376 wrote to memory of 3232   4376  powershell.exe  83 (3 events)
  PID 4924 wrote to memory of 4456   4924  powershell.exe  99 (3 events)
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4376)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Google1.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3232, child of 4376)
    command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 3572)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe (PID 3908)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\Google1.ps1"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4924)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\Google1.ps1'"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4456, child of 4924)
    command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
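The process tree above shows a 64-bit powershell.exe (PID 4376, and again PID 4924) launching a 32-bit SysWOW64 powershell.exe with -ep bypass -w hidden -noexit (PIDs 3232 and 4456); the Signatures section records each parent writing into its child's memory and both parent and child making network requests. The following Python is an added example, not tria.ge's own signature code: it runs simple command-line rules over the process records transcribed from this report and flags the execution-policy bypass, the hidden, persistent window and the x64-to-WOW64 spawn. The switch-abbreviation table is an assumption modelled on how powershell.exe accepts shortened switches, and the finding names are invented here for illustration.

```python
import re

# Transcribed from the report's Processes section: (pid, parent pid, image,
# command line). Parent links follow the tree depth markers; top-level
# processes have no parent in the report.
PROCESSES = [
    (4376, None, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Google1.ps1"),
    (3232, 4376, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit'),
    (3572, None, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (3908, None, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\Google1.ps1"'),
    (4924, None, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\Google1.ps1'"'''),
    (4456, 4924, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit'),
]

# powershell.exe accepts any prefix of a switch name at least as long as the
# shortest form it recognises. This table approximates that rule for the
# switches that matter here (assumption, not generated from PowerShell source).
# Order matters: "-ex" resolves to ExecutionPolicy, "-e" to EncodedCommand.
SWITCHES = [("ExecutionPolicy", "ex"), ("WindowStyle", "w"), ("NoExit", "noe"),
            ("NoProfile", "nop"), ("NoLogo", "nol"), ("NonInteractive", "noni"),
            ("EncodedCommand", "e"), ("Command", "c"), ("File", "f"),
            ("Sta", "s"), ("Mta", "mta"), ("Version", "v")]
ALIASES = {"ep": "ExecutionPolicy", "ec": "EncodedCommand"}
TAKES_VALUE = {"ExecutionPolicy", "WindowStyle", "EncodedCommand", "Version"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def resolve_switch(token):
    """Map an abbreviated switch such as -ep or -w to its canonical name."""
    if not token.startswith(("-", "/")):
        return None
    key = token[1:].lower()
    if key in ALIASES:
        return ALIASES[key]
    for name, shortest in SWITCHES:
        if len(key) >= len(shortest) and name.lower().startswith(key):
            return name
    return None


def parse_powershell(cmdline):
    """Return (switches, body); body is the -Command text or the -File path plus args."""
    tokens = split_cmdline(cmdline)
    switches, body, i = {}, "", 1          # tokens[0] is the image
    while i < len(tokens):
        name = resolve_switch(tokens[i])
        if name in (None, "Command"):       # bare arguments act as an implicit -Command
            body = " ".join(tokens[i + 1 if name else i:])
            switches["Command"] = True
            break
        if name == "File":                  # script path, then arguments for the script
            body = " ".join(tokens[i + 1:])
            switches["File"] = True
            break
        if name in TAKES_VALUE and i + 1 < len(tokens):
            switches[name] = tokens[i + 1]
            i += 2
        else:
            switches[name] = True
            i += 1
    return switches, body


def assess(proc, by_pid):
    """Findings for one process; only powershell.exe hosts are rated."""
    pid, ppid, image, cmdline = proc
    image_l, findings = image.lower(), []
    if not image_l.endswith("\\powershell.exe"):
        return findings
    sw, body = parse_powershell(cmdline)
    policy = str(sw.get("ExecutionPolicy", "")).lower()
    if policy in ("bypass", "unrestricted") or re.search(
            r"set-executionpolicy\b.*\b(bypass|unrestricted)\b", body, re.I):
        findings.append("execution-policy-bypass")
    if str(sw.get("WindowStyle", "")).lower() == "hidden":
        findings.append("hidden-window")
        if sw.get("NoExit"):               # invisible host that stays resident
            findings.append("noexit-hidden")
    if "EncodedCommand" in sw:
        findings.append("encoded-command")
    parent = by_pid.get(ppid)
    if parent and parent[2].lower().endswith("\\powershell.exe"):
        findings.append("powershell-spawns-powershell")
        if "\\system32\\" in parent[2].lower() and "\\syswow64\\" in image_l:
            findings.append("x64-to-wow64-downgrade")
    return findings


def triage(processes):
    """Map pid -> findings for every process in the tree."""
    by_pid = {p[0]: p for p in processes}
    return {p[0]: assess(p, by_pid) for p in processes}


if __name__ == "__main__":
    for pid, hits in triage(PROCESSES).items():
        print(pid, ", ".join(hits) or "-")
```

Feeding the same (pid, ppid, image, command line) shape from Sysmon event ID 1 or an EDR process-creation feed makes the rules reusable outside the sandbox. The parent-architecture check relies on the parent's image path, so a child whose parent has already exited (and whose PID may have been reused) can miss that rule; pairing it with the WriteProcessMemory rows, as the report does, is the stronger signal.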
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- Filesize: 53KB
  MD5: 3337d66209faa998d52d781d0ff2d804
  SHA1: 6594b85a70f998f79f43cdf1ca56137997534156
  SHA256: 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
  SHA512: 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f
- Filesize: 1KB
  MD5: aebac5c675b6f5e1b269cd675462053d
  SHA1: 9c507c4b088478a1630b7234fb9119fb163a6470
  SHA256: 06522b0bb3a7721832f46a1d624fdead0dbf1c3a60af4d1b704eae56d2330a55
  SHA512: 14ea92698ab803c4ee0895b8c5931175be4c4285d00309a524d4b360adf64e44d32b43bff58f178fa3d744979d77a5dfffade20c7d01c4ac5bbb545a4b6e6b1a
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 16KB (listed twice in the report with identical hashes)
  MD5: 39c10ad786dfbce05c6b0c99c42423f4
  SHA1: f977a6637b8b4096a94030d7690d9470e3e4514e
  SHA256: 06aa640287cb704083a7c397ad0d40c585bc688fbbf919ea56d5e675ba0486a6
  SHA512: a18a25038cd7e795dd590c7001d6b13f861a5bb8404ed91538dc53174bb7c9377b3540d4d38ae8f271ea1bc4db601a51469ae53727cbcfe252befc1ca28b24ac