Analysis
max time kernel: 1526s
max time network: 1526s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/02/2024, 00:01
Static task: static1
Behavioral task behavioral1: sample decode_Fakeupdate.ps1, resource win7-20231215-en
Behavioral task behavioral2: sample decode_Fakeupdate.ps1, resource win10-20240214-en
Behavioral task behavioral3: sample decode_Fakeupdate.ps1, resource win10v2004-20231215-en
Behavioral task behavioral4: sample decode_Fakeupdate.ps1, resource win11-20240214-en
The analysis details, signatures and process list on this page are those of the win10v2004-20231215-en run (behavioral3).
General
Target: decode_Fakeupdate.ps1
Size: 4KB
MD5: de20d86ec1a1e85bfbc5745a03a38e51
SHA1: 3558b1d1c1049f8852a79162e98ad201f1ba5426
SHA256: ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
SHA512: 243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
SSDEEP: 96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll
Malware Config
Signatures

Blocklisted process makes network request (9 IoCs)
  flow  pid   process
  45    1688  CScript.exe
  47    1688  CScript.exe
  49    1688  CScript.exe
  51    1688  CScript.exe
  55    3168  WScript.exe
  70    5060  WScript.exe
  71    32    WScript.exe
  72    1424  CScript.exe
  73    4648  WScript.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid   process
  828   Notepad.exe
  The file opened is C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js, the same script the script hosts execute (see Processes), so this is the generic notepad heuristic firing on a text file rather than evidence of a ransom note.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  5048  powershell.exe
  5048  powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                     pid   process
  Token: SeDebugPrivilege         5048  powershell.exe
  Token: SeRestorePrivilege       3848  7zG.exe
  Token: 35                       3848  7zG.exe
  Token: SeSecurityPrivilege      3848  7zG.exe
  Token: SeSecurityPrivilege      3848  7zG.exe
  Token: SeManageVolumePrivilege  2368  svchost.exe
  The 7zG.exe rows are the privileges 7-Zip enables for extraction; the numeric "Token: 35" is privilege LUID 35, SeCreateSymbolicLinkPrivilege. Only the SeDebugPrivilege request by powershell.exe (PID 5048) relates to the sample itself.

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  3848  7zG.exe
Processes
All entries are top-level; the page shows no parent/child nesting, so it does not establish that powershell.exe spawned 7zG.exe or the script hosts. The 7-Zip GUI extraction into Desktop\OutputFile, the rundll32 shell-server launch and the Notepad open are consistent with interactive use of the analysis VM during the run.

powershell.exe (PID 5048)
  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

rundll32.exe (PID 2300)
  image: C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

7zG.exe (PID 3848)
  image: C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\OutputFile\" -spe -an -ai#7zMap20604:78:7zEvent9067
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

CScript.exe (PID 1688)
  image: C:\Windows\System32\CScript.exe
  command line: "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

WScript.exe (PID 3168)
  image: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

WScript.exe (PID 5060)
  image: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

Notepad.exe (PID 828)
  image: C:\Windows\System32\Notepad.exe
  command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js
  signatures: Opens file in notepad (likely ransom note)

WScript.exe (PID 32)
  image: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

CScript.exe (PID 1424)
  image: C:\Windows\System32\CScript.exe
  command line: "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

WScript.exe (PID 4648)
  image: C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  signatures: Blocklisted process makes network request

rundll32.exe (PID 1568)
  image: C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

svchost.exe (PID 2368)
  image: C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  signatures: Suspicious use of AdjustPrivilegeToken
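The behaviour the process list records (powershell.exe started with -ExecutionPolicy bypass on a script in Temp, then wscript.exe/cscript.exe running a .js from the user's Desktop and making network connections) is what an endpoint detection rule would key on. The following is an added example, not part of the tria.ge report: the rule names, the user-writable path list and the switch handling are this editor's choices, and the sample events are constructed from the report's own process entries and its "Blocklisted process makes network request" flow table. Real telemetry (Sysmon event IDs 1 and 3, or EDR process and network events) would also carry a parent PID, which the flat list on this page does not show.

```python
"""Detection rules for the script-host chain in the process list above.

Added example; rule names, path patterns and sample events are the editor's,
with the sample events built from the report's process and flow tables.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# User-writable staging locations (editor's list, extend for your estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\"
    r"(desktop|downloads|appdata\\local\\temp|appdata\\roaming)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full image path
    command_line: str


@dataclass
class NetworkEvent:
    pid: int
    flow: int           # sandbox flow id; real telemetry would carry a destination


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping double-quoted paths intact.
    shlex is avoided on purpose: in POSIX mode it eats the backslashes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(process_events: List[ProcessEvent],
           network_events: List[NetworkEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings in event order."""
    findings = []
    net_pids = {n.pid for n in network_events}
    for ev in process_events:
        name = image_name(ev.image)
        argv = split_cmdline(ev.command_line)
        lower = [a.lower() for a in argv]

        if name in ("powershell.exe", "pwsh.exe"):
            for i, a in enumerate(lower):
                # -ExecutionPolicy bypass, including the prefix forms PowerShell
                # accepts (-ex, -exec) and -ep; -e alone is EncodedCommand.
                ep_switch = a == "-ep" or (len(a) >= 3 and "-executionpolicy".startswith(a))
                if ep_switch and i + 1 < len(lower) and lower[i + 1] == "bypass":
                    findings.append(("powershell_execution_policy_bypass", ev.pid))
                # -File pointing into a user-writable directory
                if a in ("-file", "-f") and i + 1 < len(argv) and USER_WRITABLE.match(argv[i + 1]):
                    findings.append(("powershell_script_from_user_writable_path", ev.pid))

        if name in SCRIPT_HOSTS:
            scripts = [a for a in argv[1:] if a.lower().endswith(SCRIPT_EXTS)]
            if any(USER_WRITABLE.match(s) for s in scripts):
                findings.append(("script_host_from_user_writable_path", ev.pid))
                # Same idea as the sandbox's "Blocklisted process makes network request",
                # but gated on the script coming from a user-writable path.
                if ev.pid in net_pids:
                    findings.append(("script_host_network_activity", ev.pid))
    return findings


# Constructed from the process list and flow table on this page.
PROCESSES = [
    ProcessEvent(5048, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1"),
    ProcessEvent(3848, r"C:\Program Files\7-Zip\7zG.exe",
                 r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\OutputFile\" -spe -an -ai#7zMap20604:78:7zEvent9067'),
    ProcessEvent(1688, r"C:\Windows\System32\CScript.exe",
                 r'"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"'),
    ProcessEvent(3168, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"'),
    ProcessEvent(828, r"C:\Windows\System32\Notepad.exe",
                 r'"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js'),
    ProcessEvent(2368, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"),
]
NETWORK = [NetworkEvent(1688, 45), NetworkEvent(1688, 47), NetworkEvent(3168, 55)]

if __name__ == "__main__":
    for rule, pid in detect(PROCESSES, NETWORK):
        print(f"{rule:45} pid={pid}")
```

Run against the constructed events this flags PID 5048 twice (bypass switch, script in Temp) and PIDs 1688 and 3168 twice each (script from Desktop, plus network activity); 7zG.exe, Notepad.exe and svchost.exe produce nothing. Gating the network rule on the script path keeps scheduled-task and logon scripts under C:\Windows or a share from tripping it.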
Network
MITRE ATT&CK Matrix
Downloads
The CryptnetUrlCache entries below are Windows CryptoAPI certificate-chain cache files (CRL, OCSP and AIA fetches) written under the user's profile as a side effect of network activity during the run; they are not files dropped by the sample. Entries without a path are listed as the page records them.

(path not recorded)
  Filesize: 317B
  MD5: dd982383a2370b4ffbee127c259c9bf6
  SHA1: 32a17db6fff1558e9c58e0a0b4f9ae716739f60f
  SHA256: e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668
  SHA512: 696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
  Filesize: 1KB
  MD5: a99377a27910f2447a1d4c78a1d55540
  SHA1: 2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2
  SHA256: cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48
  SHA512: 406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
  Filesize: 977B
  MD5: 50cb447f2a8f99cb126cb51392696c7f
  SHA1: 80c4b991dd02b94f2d96eb07da7f197d5e3196a9
  SHA256: 0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059
  SHA512: d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908
  Filesize: 508B
  MD5: 8e55448f570d635256231545c438ada9
  SHA1: 1ed99ca79aac6f40eaad7e4a0dfec03ed87bd2ba
  SHA256: b954d7091f5f67807e7e568171ab8c050516121fa7400f0c5576574447d9126a
  SHA512: 470f5d192fae704a12d99f4ca3ab4b8a74699d214cc5942973e2a7dbee84609d53caa97f815357ab354b7c60b20cdd22587ebcb6bc5929f0257fade1e7b0de0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
  Filesize: 482B
  MD5: 24e0a02d614a5579136a19bbe371c708
  SHA1: af650c2cd3813ed3884a4e10dfc1587a3844f6f2
  SHA256: ec913755689c13c2be985695765d6991338c743b01a5a75f522c669ffeef0e48
  SHA512: e74dc13d28d44506635db3bc8d7f65469e31964fc36e3bedbc28c31c429e525b308990d22ea085a819fda45b93b5c6962ae70827dd88d423a01e792d3e83a659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
  Filesize: 484B
  MD5: 14791404d201e2657135de716526ab09
  SHA1: f2371fb8b5821ad5eb8f382f65979a593fc4e2b6
  SHA256: e92b1063c111915ca4075211bdadd7839902329724103f8553f86f5e9f9ba84b
  SHA512: 652977e5364e5cd7f7c2c67223887af35839ebfd3551bec70cdb2e9a92e89192ce024cfb863d998e2f5838da557c52bb1a569e1c843af61eb8f3296e79a99e6b

(path not recorded)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(path not recorded)
  Filesize: 2KB
  MD5: 99b9486516ec3ddab05bcfaa6324b34b
  SHA1: ae320bea3bfdc991dbcd08a7f66bf50c7a93d55e
  SHA256: 3b8d115ec85816a2c145ae8a4867bdc4b0eb5dc5c685c948ae1e24bb26bf30eb
  SHA512: 600be81c0fd78c4993e09c5bd292c1fa24738cf2b01b78c4c0f7594446176387b8d36d980bb16156a7f866aa64b2779ef02812a90887d3a9ec7b96a75f64ed50

(path not recorded)
  Filesize: 5KB
  MD5: 6a554ad7f1c931ce492818411bb3a80a
  SHA1: 53434b9ee9fb4ba0978daba61bb12342fc519c80
  SHA256: 2e5b08a46a45f6f311e09b6b944593ab499fb581ab6c53528e777f1080ca3085
  SHA512: fc03ffdf63813df3c3696d8ca2d3b124834eeb9bc40608048b802ebd9d6213a365f656e94ee1d2836f71e64432554192ea1479399a0d37b88023be978c66cfe0

(path not recorded)
  Filesize: 5KB
  MD5: e92709125e76b1ee8ca5dab5a4ebe16c
  SHA1: 80dd791ec949e51284fc241951cd7680266e8cf1
  SHA256: c04e7d00dd75bf7dae1a8cd83f82ae4243a231bdc922cb71282261e3fbd26343
  SHA512: 1f583f241d1fb45867869132db858794a30ab45c52656c1e58855554ea89177daa185e91e5631414052edb8c4f2cd70682538779e0f6e1c7eeab93b2daf3e8fb