Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

Static (score 7)

Behavioral tasks (score / sample / platform):
7  Aalesund-i...ter.js  windows7-x64
1  Aalesund-i...ter.js  windows10-2004-x64
1  Aalesund-i...nd.cmd  windows7-x64
7  Aalesund-i...nd.cmd  windows10-2004-x64
7  Aalesund-i...in.cmd  windows7-x64
7  Aalesund-i...in.cmd  windows10-2004-x64
7  Aalesund-i...er.cmd  windows7-x64
1  Aalesund-i...er.cmd  windows10-2004-x64
1  Aalesund-i...et.exe  windows7-x64
7  Aalesund-i...et.exe  windows10-2004-x64
Analysis (score 7)
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 14:30
Behavioral tasks
Task          Sample                                 Resource
behavioral1   Aalesund-issue/Models/ifc_adapter.js   win7-20231023-en
behavioral2   Aalesund-issue/Models/ifc_adapter.js   win10v2004-20231023-en
behavioral3   Aalesund-issue/get.aalesund.cmd        win7-20231020-en
behavioral4   Aalesund-issue/get.aalesund.cmd        win10v2004-20231020-en
behavioral5   Aalesund-issue/ifctest-login.cmd       win7-20231025-en
behavioral6   Aalesund-issue/ifctest-login.cmd       win10v2004-20231025-en
behavioral7   Aalesund-issue/startEdmServer.cmd      win7-20231025-en
behavioral8   Aalesund-issue/startEdmServer.cmd      win10v2004-20231023-en
behavioral9   Aalesund-issue/wget.exe                win7-20231023-en
behavioral10  Aalesund-issue/wget.exe                win10v2004-20231025-en
General
Target: Aalesund-issue/ifctest-login.cmd
Size: 304B
MD5: b7b5ee6610ebb3fb28e169aea6a52f91
SHA1: cf32faab3bd587deed1e1d9980c8fcabc810f400
SHA256: 33a86cec011107e00234eee475293e25fcf0c510a5ea3e0811dee038625b9ba5
SHA512: 94c73360e494fdc4f9115e4445f12854c515d23b303adf090b73b03282de15e4443fe849d1ad08304392678ef18f478065de8499de00b55c2b98d11831afd864
Malware Config

Signatures

yara_rule matches:
resource                                                                    yara_rule
behavioral6/memory/5004-0-0x0000000000400000-0x00000000004EF000-memory.dmp  upx
behavioral6/memory/5004-1-0x0000000000400000-0x00000000004EF000-memory.dmp  upx

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process  procid_target
PID 1416 wrote to memory of 5004   1416  cmd.exe  88
PID 1416 wrote to memory of 5004   1416  cmd.exe  88
PID 1416 wrote to memory of 5004   1416  cmd.exe  88
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Aalesund-issue\ifctest-login.cmd"
   PID: 1416
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Aalesund-issue\wget.exe
      Command line: wget --debug --header="Accept: text/xml" --header="Accept: multipart/*" --header="Accept: application/soap" --header="Content-Type: text/xml; charset=utf-8" --server-response --post-file=ifctest-login.request.xml http://localhost:8080/ifcquery/AccessControl --output-document=ifctest-login.response.xml
      PID: 5004