Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

8.ps1

windows7-x64

8.ps1

windows10-2004-x64

Analysis

  • max time kernel
    24s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230831-es
  • resource tags

    arch:x64arch:x86image:win7-20230831-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    20/09/2023, 22:38 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    8.ps1

  • Size

    19KB

  • MD5

    1a5c933e83fc3395e8e5f737df0be1de

  • SHA1

    c1b72ce34210b50699c729a403683e31a87970af

  • SHA256

    50fdd1a3a1fdccbe8a57ffdeed3f550398187f8de66e79d36e48dc0eb49fd2e7

  • SHA512

    698d9c0657ac978362be8c0c1aba23e72e1469073354f1e3a8b8e40fc79affc0383f4bfa4161e377d4304b314a8b03721efb9414413c13489addb7580718785c

  • SSDEEP

    384:QcyvJvDCNrr2YyHEHaeizHlf2GkxUtJNzw5ARMthKqsvvvhUvhkvkNp8mpdIc+ZW:QcyvJvDCNrr2Yyk6eizFf2GkxUtJNYtH

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 5 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8.ps1
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\system32\shutdown.exe
      "C:\Windows\system32\shutdown.exe" /r /t 10
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2628
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2312

      Network

      • flag-au
        GET
        http://20.92.164.32/20/a/m/m.zip
        powershell.exe
        Remote address:
        20.92.164.32:80
        Request
        GET /20/a/m/m.zip HTTP/1.1
        Host: 20.92.164.32
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Wed, 20 Sep 2023 22:38:31 GMT
        Server: Apache/2.4.52 (Ubuntu)
        Last-Modified: Wed, 20 Sep 2023 15:24:10 GMT
        ETag: "eb9b00-605cbf78d5a80"
        Accept-Ranges: bytes
        Content-Length: 15440640
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/zip
      • 20.92.164.32:80
        http://20.92.164.32/20/a/m/m.zip
        http
        powershell.exe
        382.8kB
         15.9MB
         6972
        11378

        HTTP Request

        GET http://20.92.164.32/20/a/m/m.zip

        HTTP Response

        200
      No results found

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2312-41-0x0000000002760000-0x0000000002761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2436-14-0x0000000002680000-0x0000000002688000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2436-5-0x0000000002440000-0x0000000002448000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2436-7-0x00000000024E0000-0x00000000024EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2436-8-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2436-11-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-10-0x000000001B640000-0x000000001B686000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2436-12-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-9-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-4-0x000000001B300000-0x000000001B5E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2436-13-0x0000000002670000-0x000000000267A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2436-17-0x0000000002730000-0x000000000273C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2436-16-0x000000001BA90000-0x000000001BADE000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2436-15-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-30-0x000000001BB80000-0x000000001BB90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2436-33-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2436-34-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-35-0x00000000026A0000-0x0000000002720000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2436-39-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2436-6-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2628-40-0x00000000028C0000-0x00000000028C1000-memory.dmp

        Filesize

        4KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.