Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21/12/2023, 22:04
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 0d09fe43e5f18cd6c7a38cda8fd9f2e6.ps1
  - Resource: win7-20231215-en
  - 3 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: 0d09fe43e5f18cd6c7a38cda8fd9f2e6.ps1
  - Resource: win10v2004-20231215-en
  - 5 signatures
  - 150 seconds
General
- Target: 0d09fe43e5f18cd6c7a38cda8fd9f2e6.ps1
- Size: 485KB
- MD5: 0d09fe43e5f18cd6c7a38cda8fd9f2e6
- SHA1: 07baad37ee15907d9143da04abd96ee042953fc4
- SHA256: c01d01039b836da6585e437ff3cec6dc4a0a45b362352028b48c4ff3f0ad22c8
- SHA512: d36b73726d0cab82d4f35b0701b6a372b7999be85fe29b6e9223c48df11937b75ff74a0e159d9df22b9699bdcca6a69cd258f782375a8578852efedcb035d062
- SSDEEP: 12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64yigu:q3bu
- Score: 1/10
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1732  powershell.exe
1732  powershell.exe
1732  powershell.exe
1732  powershell.exe
1732  powershell.exe
1732  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1732  powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   Process         procid_target
PID 1732 wrote to memory of 1996  1732  powershell.exe  29
PID 1732 wrote to memory of 1996  1732  powershell.exe  29
PID 1732 wrote to memory of 1996  1732  powershell.exe  29
PID 1732 wrote to memory of 1996  1732  powershell.exe  29
PID 1732 wrote to memory of 2132  1732  powershell.exe  30
PID 1732 wrote to memory of 2132  1732  powershell.exe  30
PID 1732 wrote to memory of 2132  1732  powershell.exe  30
PID 1732 wrote to memory of 2132  1732  powershell.exe  30
PID 1732 wrote to memory of 2704  1732  powershell.exe  31
PID 1732 wrote to memory of 2704  1732  powershell.exe  31
PID 1732 wrote to memory of 2704  1732  powershell.exe  31
PID 1732 wrote to memory of 2704  1732  powershell.exe  31
PID 1732 wrote to memory of 2668  1732  powershell.exe  32
PID 1732 wrote to memory of 2668  1732  powershell.exe  32
PID 1732 wrote to memory of 2668  1732  powershell.exe  32
PID 1732 wrote to memory of 2668  1732  powershell.exe  32
PID 1732 wrote to memory of 2716  1732  powershell.exe  33
PID 1732 wrote to memory of 2716  1732  powershell.exe  33
PID 1732 wrote to memory of 2716  1732  powershell.exe  33
PID 1732 wrote to memory of 2716  1732  powershell.exe  33
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1, PID 1732)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0d09fe43e5f18cd6c7a38cda8fd9f2e6.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 1996)
    command line: #cmd
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 2132)
    command line: #cmd
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 2704)
    command line: #cmd
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 2668)
    command line: #cmd
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, PID 2716)
    command line: #cmd
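The three signatures above are reported separately, but read together they describe one sequence: the parent powershell.exe (started with -ExecutionPolicy bypass) enables SeDebugPrivilege, spawns five MSBuild.exe children, and writes into the memory of each of them four times. That combination (parent writes into a freshly spawned child that is a signed .NET host binary, with SeDebugPrivilege enabled) is the shape an analyst triages as a possible process-injection chain, even though the report itself only scores the individual API uses as suspicious. The script below is an added example, not part of the tria.ge report or the sample: it parses the signature rows and the process tree exactly as they appear above, correlates them, and returns the writer/target pairs that meet several of those criteria at once. The list of "injection host" binaries and the scoring threshold are assumptions for the example, and the parent-pid column is derived from the tree nesting rather than from an explicit field.

```python
import re
from collections import Counter

# IoC rows as shown in the report: each (target, procid_target) pair appears
# four times in the WriteProcessMemory signature table.
WRITEPROCESSMEMORY_IOCS = "\n".join(
    f"PID 1732 wrote to memory of {tgt} 1732 powershell.exe {idx}"
    for tgt, idx in [(1996, 29), (2132, 30), (2704, 31), (2668, 32), (2716, 33)]
    for _ in range(4)
)
ADJUSTPRIVILEGETOKEN_IOCS = "Token: SeDebugPrivilege 1732 powershell.exe"

# Process tree rows: (pid, image path, parent pid, command line as reported).
# Parent pids are derived from the depth-1 / depth-2 nesting in the tree.
PROCESSES = [
    (1732, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", None,
     r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0d09fe43e5f18cd6c7a38cda8fd9f2e6.ps1"),
] + [
    (pid, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", 1732, "#cmd")
    for pid in (1996, 2132, 2704, 2668, 2716)
]

# Signed .NET binaries frequently used as hosts for injected code. This set is
# an assumption made for the example, not something the report states.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
PRIV_RE = re.compile(r"Token: (\S+) (\d+) (\S+)$")


def parse_write_events(text):
    """Parse WriteProcessMemory rows into (writer_pid, target_pid, writer_image)."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            writer, target, _pid, image, _procid_target = m.groups()
            events.append((int(writer), int(target), image))
    return events


def parse_debug_privilege(text):
    """Return the set of pids that enabled SeDebugPrivilege (AdjustPrivilegeToken rows)."""
    pids = set()
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m and m.group(1) == "SeDebugPrivilege":
            pids.add(int(m.group(2)))
    return pids


def find_injection_candidates(processes, write_events, debug_pids, min_reasons=3):
    """Correlate memory writes with the process tree and privilege changes.

    A (writer, target) pair is reported when at least `min_reasons` of the
    heuristics below hold; the threshold is a tuning choice for this example.
    """
    by_pid = {p[0]: p for p in processes}
    write_counts = Counter((w, t) for w, t, _ in write_events)
    findings = []
    for (writer, target), count in sorted(write_counts.items()):
        if target not in by_pid:
            continue  # target never appeared in the tree; nothing to correlate
        _, image, parent, _cmdline = by_pid[target]
        name = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if parent == writer:
            reasons.append("writer is the target's parent")
        if name in INJECTION_HOSTS:
            reasons.append(f"target {name} is a common injection host")
        if writer in debug_pids:
            reasons.append("writer enabled SeDebugPrivilege")
        if count > 1:
            reasons.append(f"{count} separate writes into the target")
        if len(reasons) >= min_reasons:
            findings.append({"writer": writer, "target": target,
                             "target_image": name, "writes": count, "reasons": reasons})
    return findings


def triage_report():
    """Run the correlation over the rows copied from this report."""
    events = parse_write_events(WRITEPROCESSMEMORY_IOCS)
    debug_pids = parse_debug_privilege(ADJUSTPRIVILEGETOKEN_IOCS)
    return find_injection_candidates(PROCESSES, events, debug_pids)


if __name__ == "__main__":
    for f in triage_report():
        print(f"{f['writer']} -> {f['target']} ({f['target_image']}, {f['writes']} writes): "
              + "; ".join(f["reasons"]))
```

Running it lists all five MSBuild.exe children, each hit by four writes from PID 1732 with every heuristic satisfied. The same correlation applied to a benign PowerShell run that starts child processes without writing into them produces no findings, which is the point of requiring several signals rather than alerting on any single WriteProcessMemory call.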