Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

1

run.ps1

windows7-x64

1

run.ps1

windows10-2004-x64

1

Resubmissions

31/10/2023, 14:07 UTC

231031-re37labd66 1

31/10/2023, 14:02 UTC

231031-rcf92shb8s 1

31/10/2023, 13:59 UTC

231031-rahebsha3x 1

31/10/2023, 13:47 UTC

231031-q3rb9sad36 1

Analysis

  • max time kernel
    839s
  • max time network
    843s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2023, 14:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.ps1

  • Size

    351B

  • MD5

    020b64c77751bf39ac87056235310827

  • SHA1

    57fce2282987f8864085c1220094f63b1b74af2a

  • SHA256

    5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

  • SHA512

    15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score
1/10

Malware Config

Signatures

  • Runs ping.exe 1 TTPs 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2760
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2816
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.gov
      2⤵
      • Runs ping.exe
      PID:2720
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" bfo.guv
      2⤵
      • Runs ping.exe
      PID:2696
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.gov
      2⤵
      • Runs ping.exe
      PID:3028
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi gu
      2⤵
      • Runs ping.exe
      PID:2592
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2784
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:3012
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbilgiv
      2⤵
      • Runs ping.exe
      PID:2700
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.cov
      2⤵
      • Runs ping.exe
      PID:2732
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:1940
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2576
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2608
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2628
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:1088
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.giv
      2⤵
      • Runs ping.exe
      PID:2944
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2652
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2996
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbo.guv
      2⤵
      • Runs ping.exe
      PID:2968
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2952
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:3008
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2416
    • C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" fbi.guv
      2⤵
      • Runs ping.exe
      PID:2660

Network

  • flag-us
    DNS
    fbi.guv
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    fbi.guv
    IN A
    Response
  • flag-us
    DNS
    fbi.gov
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    fbi.gov
    IN A
    Response
    fbi.gov
    IN A
    104.16.149.244
    fbi.gov
    IN A
    104.16.148.244
  • flag-us
    DNS
    bfo.guv
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    bfo.guv
    IN A
    Response
  • flag-us
    DNS
    fbi.cov
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    fbi.cov
    IN A
    Response
  • flag-us
    DNS
    fbi.giv
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    fbi.giv
    IN A
    Response
  • flag-us
    DNS
    fbo.guv
    PING.EXE
    Remote address:
    8.8.8.8:53
    Request
    fbo.guv
    IN A
    Response
No results found
  • 8.8.8.8:53
    fbi.guv
    dns
    PING.EXE
    53 B
     128 B
     1
    1

    DNS Request

    fbi.guv

  • 8.8.8.8:53
    fbi.gov
    dns
    PING.EXE
    53 B
     85 B
     1
    1

    DNS Request

    fbi.gov

    DNS Response

    104.16.149.244
    104.16.148.244

  • 8.8.8.8:53
    bfo.guv
    dns
    PING.EXE
    53 B
     128 B
     1
    1

    DNS Request

    bfo.guv

  • 8.8.8.8:53
    fbi.cov
    dns
    PING.EXE
    53 B
     128 B
     1
    1

    DNS Request

    fbi.cov

  • 8.8.8.8:53
    fbi.giv
    dns
    PING.EXE
    53 B
     128 B
     1
    1

    DNS Request

    fbi.giv

  • 8.8.8.8:53
    fbo.guv
    dns
    PING.EXE
    53 B
     128 B
     1
    1

    DNS Request

    fbo.guv

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2512-4-0x000000001B140000-0x000000001B422000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2512-5-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2512-6-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2512-7-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2512-8-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-9-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-10-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-11-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2512-13-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-14-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-15-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-16-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2512-18-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.